[Dshield] port 445

Stephane Grobety security at admin.fulgan.com
Mon Mar 14 17:03:15 GMT 2005


Hello John,

I just checked the logs here. A small range of 32 IPs got scanned a
couple of times and a class C got about 10k hits since this morning.

What's interesting is that 79% of all attacks on the class C
came from a single computer: 194.38.96.15. Now, this IP is pretty
close to the network number of the attacked net: a likely combo for a
worm. That, plus the fact that it scanned all IPs in the range
multiple times.

That's the only real anomaly I could find in today's logs related to
port 445. That IP didn't scan anything but port 445, BTW.

Could anyone drop a probe outside their perimeter?

Good luck,
Stephane

Monday, March 14, 2005, 2:23:14 PM, you wrote:

LJ> Hello,
 
LJ> I am seeing a massive amount of traffic to port 445 that started a
LJ> little over 3 hours ago.  (about 1300 packets a second to our class
LJ> B).  
 
LJ> Just wondering if it's a new worm, or more likely I am being DDOS
LJ> attacked. 
 
LJ> I get a timeout when I try to pull up the stats for today on dshield
LJ> at:  http://isc.sans.org/port_report.php?date=2005-03-14
 
LJ> Plus stats on the ticker seem a little off:

LJ> ISC Port Ticker

LJ> This ticker reflects trends using the last few submissions received.
LJ> Please treat with caution, as this trends may be quite volatile and it
LJ> is based on a small number of submissions (usually less than 10000). 

LJ> # of Reports:376143 
LJ> Last update: 334171902172 minutes ago. 

 
 



-- 
Best regards,
 Stephane                            mailto:security at admin.fulgan.com
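
The traits this message uses to single out one source (its share of port-445 hits on the range, whether it swept every address more than once, whether it touched any other port, and how close its address is to the target network) can be computed from firewall logs. The following is an added example, not part of the original post; the `(src, dst, dport)` event layout, the function names and every address in it are constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

def profile_scanners(events, target_net, port=445):
    """Summarise, per source IP, the traits the message used to single out one host."""
    net = ipaddress.ip_network(target_net)
    hits = Counter()                 # hits on `port` into the target range, per source
    dsts = defaultdict(set)          # distinct targets touched, per source
    ports = defaultdict(set)         # every destination port seen, per source
    for src, dst, dport in events:
        ports[src].add(dport)
        if dport == port and ipaddress.ip_address(dst) in net:
            hits[src] += 1
            dsts[src].add(dst)
    total = sum(hits.values())
    report = []
    for src, n in hits.most_common():
        # XOR against the network number: fewer differing bits = closer address
        diff = int(ipaddress.ip_address(src)) ^ int(net.network_address)
        report.append({
            "src": src,
            "share": round(n / total, 2),                            # fraction of all hits
            "coverage": round(len(dsts[src]) / net.num_addresses, 2),  # part of range swept
            "passes": round(n / len(dsts[src]), 1),                  # avg hits per target
            "only_port": ports[src] == {port},                       # nothing but this port
            "shared_prefix_bits": 32 - diff.bit_length(),
        })
    return report

def build_sample():
    """Constructed events (src, dst, dport); not data from the original post."""
    hosts = [str(h) for h in ipaddress.ip_network("10.20.100.0/24")]
    ev = [("10.20.96.15", h, 445) for h in hosts] * 3       # full sweep, three passes
    ev += [("203.0.113.7", h, 445) for h in hosts[:120]]    # partial, single pass
    ev += [("203.0.113.7", h, 135) for h in hosts[:10]]     # also probes another port
    ev += [("192.0.2.44", h, 445) for h in hosts[:84]]
    return ev

if __name__ == "__main__":
    for row in profile_scanners(build_sample(), "10.20.100.0/24"):
        print(row)
```

A source with a dominant share, full coverage, several passes, a single destination port and a long shared prefix matches the pattern described in the message; any one trait on its own is weak evidence.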



