port 445 worm

Pat Wilson paw at noh.ucsd.edu
Sat Sep 7 04:28:41 GMT 2002


Haven't captured anything yet, but have seen evidence yesterday
and today (Sep 5 and 6) of a Microsoft port 445 worm.  The pattern 
we observed was penetration from one host (139.62.206.25),
probably via a weak admin password (though that's only
speculation at this point) and then immediate connection to port 
5555 on 216.40.230.53.  Some time later (generally, a few hours), 
the hacked machine would begin outbound port 445 scanning.

After we discovered the worm today (sigh) and blocked access to
216.40.230.53, we began to see port 5555 connections to 68.2.96.103.

Is this the sort of thing other folks are seeing?  I haven't had
a chance to go back in our logs and see how long this has been
going on, but I've got a feeling it's rather recent.


Pat Wilson
Network Security Manager
UCSD ACS/Network Operations
paw at ucsd.edu
6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015
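One way to hunt for the sequence described in this post in connection logs, as an added example that is not part of the original message or its author's work; the flow records, the 10.0.0.0/8 internal range, the placeholder internal addresses and the scan threshold are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (date time src dst dport), modelled on the
# sequence the post describes: inbound 445 from an outside host, an outbound
# connection to port 5555, then outbound 445 fan-out hours later.
# Internal addresses are placeholders in 10.0.0.0/8 (assumption).
SAMPLE_FLOWS = """\
2002-09-06 09:12:03 139.62.206.25 10.0.0.21 445
2002-09-06 09:12:40 10.0.0.21 216.40.230.53 5555
2002-09-06 12:30:01 10.0.0.21 10.0.1.5 445
2002-09-06 12:30:01 10.0.0.21 10.0.1.6 445
2002-09-06 12:30:02 10.0.0.21 10.0.1.7 445
2002-09-06 12:30:02 10.0.0.21 172.16.4.9 445
2002-09-06 10:05:17 10.0.0.33 10.0.0.40 445
2002-09-06 11:00:00 10.0.0.44 216.40.230.53 5555
"""

INTERNAL_PREFIX = "10."   # assumption: the site's internal address range
SCAN_THRESHOLD = 3        # distinct 445 targets that count as scanning


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dport), oldest first."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(f"{date} {clock}"), src, dst, int(dport)))
    return sorted(flows)


def find_worm_pattern(text):
    """Return {internal_host: port-5555 peer} for hosts that contacted port 5555
    and afterwards opened port 445 to SCAN_THRESHOLD or more distinct hosts."""
    first_5555 = {}                   # host -> (time of first 5555 connection, peer)
    scan_targets = defaultdict(set)   # host -> distinct 445 destinations seen after it
    for ts, src, dst, dport in parse_flows(text):
        if not src.startswith(INTERNAL_PREFIX):
            continue
        if dport == 5555 and src not in first_5555:
            first_5555[src] = (ts, dst)
        elif dport == 445 and src in first_5555 and ts > first_5555[src][0]:
            scan_targets[src].add(dst)
    return {h: first_5555[h][1] for h, t in scan_targets.items() if len(t) >= SCAN_THRESHOLD}
```

Hosts that only touch port 5555 without the later 445 fan-out (10.0.0.44 above) are not flagged, which keeps the check tied to the full sequence rather than a single suspicious port.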
