[Dshield] port 445
security at admin.fulgan.com
Mon Mar 14 17:03:15 GMT 2005
I just checked the logs here. A small range of 32 IPs got scanned a
couple of times and a class C got about 10k hits since this morning.
What's interesting is that 79% of all attacks on the class C
came from a single computer: 126.96.36.199. Now, this IP is pretty
close to the network number of the attacked net: a likely combo for a
worm. That, plus the fact that it scanned all IPs in the range
That's the only real anomaly I could find in today's logs related to
port 445. That IP didn't scan anything but port 445, BTW.
Could anyone drop a probe outside their perimeter?
Monday, March 14, 2005, 2:23:14 PM, you wrote:
LJ> I am seeing a massive amount of traffic to port 445 that started a
LJ> little over 3 hours ago. (about 1300 packets a second to our class
LJ> Just wondering if it's a new worm, or more likely I am being DDOS
LJ> I get a timeout when I try to pull up the stats for today on dshield
LJ> at: http://isc.sans.org/port_report.php?date=2005-03-14
LJ> Plus stats on the ticker seem a little off:
LJ> ISC Port Ticker
LJ> This ticker reflects trends using the last few submissions received.
LJ> Please treat with caution, as this trends may be quite volatile and it
LJ> is based on a small number of submissions (usually less than 10000).
LJ> # of Reports:376143
LJ> Last update: 334171902172 minutes ago.
Stephane mailto:security at admin.fulgan.com
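
The checks described in the reply above (each source's share of port 445 hits, whether it covered the whole range, whether it touched only port 445, and how close it sits to the targeted network), as an added example that is not part of the original post. The `src dst dport` record format, the RFC 1918 addresses and the thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

def sample_log():
    """Constructed 'src dst dport' records; every address here is made up."""
    rows = [f"10.20.29.77 10.20.30.{h} 445" for h in range(1, 255)] * 3  # full sweep
    rows += [f"172.16.5.{i} 10.20.30.{i} 445" for i in range(1, 101)]    # background noise
    rows += [f"192.168.9.9 10.20.30.{h} 445" for h in range(1, 51)]      # partial scan,
    rows += [f"192.168.9.9 10.20.30.{h} 135" for h in range(1, 51)]      # more than one port
    return rows

def shared_prefix_bits(src, net):
    """Leading bits the source shares with the network number (closeness)."""
    diff = int(ip_address(src)) ^ int(net.network_address)
    return 32 - diff.bit_length()

def profile_sources(rows, net, port=445):
    """Per-source profile of traffic aimed at `net` on `port`."""
    net = ip_network(net)
    hits, targets, ports = Counter(), defaultdict(set), defaultdict(set)
    for row in rows:
        src, dst, dport = row.split()
        if ip_address(dst) not in net:
            continue
        ports[src].add(int(dport))          # every port this source touched
        if int(dport) == port:
            hits[src] += 1
            targets[src].add(dst)
    total = sum(hits.values())
    usable = net.num_addresses - 2          # skip network and broadcast addresses
    return {
        src: {
            "share": n / total,                        # fraction of all hits on `port`
            "coverage": len(targets[src]) / usable,    # fraction of the range it reached
            "only_port": ports[src] == {port},         # scanned nothing else
            "prefix_bits": shared_prefix_bits(src, net),
        }
        for src, n in hits.items()
    }

def likely_worm_sources(report, min_share=0.5, min_coverage=0.9):
    """Sources that dominate the traffic, sweep the range and stick to one port."""
    return sorted(s for s, r in report.items()
                  if r["share"] >= min_share and r["coverage"] >= min_coverage
                  and r["only_port"])

if __name__ == "__main__":
    rep = profile_sources(sample_log(), "10.20.30.0/24")
    for src in likely_worm_sources(rep):
        print(src, rep[src])
```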