[Dshield] increase in port 445 scanning
jayjwa at atr2.ath.cx
Tue Jan 13 03:57:18 GMT 2004
On Mon, 12 Jan 2004, Hudak, Tyler wrote:
> Over the last two hours my IDSes have picked up a massive increase in port
> 445 scans coming from Europe and Asia. I don't see anything on DShield yet
> about it, is anyone else seeing something similar? Differing window sizes
> and IPIDs on each packet, so I don't think they are forged from the same
> machine and spoofed. New worm perhaps? One of the new AGOBOT worms?

I've seen a few of these too and wondered about them. I always regarded
them as aiming for https and missing =)

3410 was the hot port on this host last night, but I do get 445's now and
then. If it seems to increase, I'll capture some packets later on. Thanks
for the heads-up, I'll keep watch.