[Dshield] CONSTANT 445/tcp scans from a node

Matthew Harrell mhar at plex.com
Wed Jun 25 12:10:31 GMT 2003

We have been receiving a barrage of 445/tcp scans fro  It's
been going on for three days now.  The computer scans our entire external
subnet for hours.  Then the activity will stop for a while, and start up
again a couple hours later.  I'm also pretty sure this is the same node
that was doing this to us a week or two ago.  At that time, not only did
Dshield send the automated abuse e-mail, but I also called his ISP.  I was
told to send e-mail to a particular address (which, if I remember
correctly, was different than the one Dshield sent to).  I got no reply,
but the scans stopped shortly after sending the e-mail.

When the scans started up again, dshield sent another abuse e-mail with no
response.  I'll try sending another myself like I did before--maybe the IP
address is slightly different.  It's frustrating that there's really
nothing else I can do about this.  We're not vulnerable to this, but it
sure is clogging up my Snort logs!  Has anyone else experienced such
repetitive 445/tcp scans from one node over the course of days?

Matt Harrell
Plexus Systems
mhar at plex.com 

More information about the list mailing list