[Dshield] increase in port 445 scanning

jayjwa jayjwa at atr2.ath.cx
Tue Jan 13 03:57:18 GMT 2004

On Mon, 12 Jan 2004, Hudak, Tyler wrote:

> Over the last two hours my IDS' have picked up a massive increase in port
> 445 scans coming from Europe and Asia.  I don't see anything on DShield yet
> about it, is anyone else seeing something similar?  Differing window sizes
> and IPIDs on each packet, so I don't think they are forged from the same
> machine and spoofed.  New worm perhaps?  One of the new AGOBOT worms?

I've seen a few of these too and wondered about them. I always regarded
them as aiming for https and missing =)
3410 was the hot port on this host last night, but I do get 445's now and
then. If it seems to increase, I'll capture some packets later on. Thanks
for the heads-up, I'll keep watch.
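
The quoted reasoning (differing window sizes and IP IDs point to many real senders rather than one host spoofing sources) can be checked against captured SYNs once packets are collected. This is an added example, not part of the original thread; the packet tuples are constructed, and the function names and thresholds are assumptions.

```python
from collections import Counter

# Constructed samples: (claimed source IP, IP ID, TCP window) of SYNs to 445/tcp,
# in arrival order. Addresses are documentation ranges; all values are invented.
ONE_STACK = [
    ("198.51.100.7", 4101, 16384), ("203.0.113.40", 4102, 16384),
    ("192.0.2.19", 4104, 16384), ("198.51.100.88", 4105, 16384),
    ("203.0.113.5", 4107, 16384), ("192.0.2.200", 4108, 16384),
]
MANY_HOSTS = [
    ("198.51.100.7", 51234, 64240), ("203.0.113.40", 812, 16384),
    ("192.0.2.19", 30011, 8760), ("198.51.100.88", 64990, 65535),
    ("203.0.113.5", 2207, 16384), ("192.0.2.200", 17555, 5840),
]

def ipid_sequential_fraction(records, max_step=64):
    """Share of consecutive packets whose IP ID advances by 1..max_step (mod 2**16)."""
    ids = [ipid for _, ipid, _ in records]
    if len(ids) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(ids, ids[1:]) if 1 <= (b - a) % 65536 <= max_step)
    return hits / (len(ids) - 1)

def assess(records, seq_min=0.8, window_min=0.9):
    """Flag traffic that claims many sources but behaves like one TCP/IP stack.

    Thresholds are assumed. A negative result is not proof of distinct hosts:
    a sender that randomizes IP IDs and windows also looks diverse.
    """
    sources = len({src for src, _, _ in records})
    windows = Counter(win for _, _, win in records)
    dominant = windows.most_common(1)[0][1] / len(records) if records else 0.0
    seq = ipid_sequential_fraction(records)
    return {
        "sources": sources,
        "ipid_sequential": round(seq, 2),
        "dominant_window_share": round(dominant, 2),
        "likely_single_stack": sources > 1 and seq >= seq_min and dominant >= window_min,
    }

if __name__ == "__main__":
    for name, sample in (("ONE_STACK", ONE_STACK), ("MANY_HOSTS", MANY_HOSTS)):
        print(name, assess(sample))
```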


