port 445 worm
paw at noh.ucsd.edu
Sat Sep 7 04:28:41 GMT 2002
Haven't captured anything yet, but have seen evidence yesterday
and today (Sep 5 and 6) of a Microsoft port 445 worm. The pattern
we observed was penetration from one host (18.104.22.168),
probably via a weak admin password (though that's only
speculation at this point) and then immediate connection to port
5555 on 22.214.171.124. Some time later (generally, a few hours),
the hacked machine would begin outbound port 445 scanning.
After we discovered the worm today (sigh) and blocked access to
126.96.36.199, we began to see port 5555 connections to 188.8.131.52.
Is this the sort of thing other folks are seeing? I haven't had
a chance to go back in our logs and see how long this has been
going on, but I've got a feeling it's rather recent.
Network Security Manager
UCSD ACS/Network Operations
paw at ucsd.edu
6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015
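The three-stage pattern the post describes (inbound 445 from outside, an immediate outbound connection to port 5555, then outbound 445 fan-out some hours later) is easy to hunt for in flow or firewall logs once the stages are correlated per host. The script below is an added example, not code from the original post or from UCSD; the log format ("timestamp src dst dport", one line per TCP SYN), the 10.20.0.0/16 campus range, the RFC 5737 addresses and the fan-out threshold are all constructed assumptions.

```python
"""Correlate inbound 445 -> outbound 5555 -> outbound 445 fan-out per host.
Added example; log format, addresses and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.20.0.0/16")   # assumed campus range
SCAN_MIN_TARGETS = 20                   # distinct 445 targets ...
SCAN_WINDOW = timedelta(minutes=5)      # ... within this window = scanning

# Constructed flow log (not real data): "timestamp src dst dport".
# 10.20.4.17 follows the full pattern; 10.20.4.50 is probed but only
# talks to two internal file servers afterwards, which is normal SMB use.
_SCAN_START = datetime(2002, 9, 6, 6, 10, 0)
SAMPLE_LOG = "\n".join([
    "2002-09-06T03:10:00 203.0.113.9 10.20.4.17 445",
    "2002-09-06T03:10:36 10.20.4.17 198.51.100.23 5555",
    "2002-09-06T03:11:10 10.20.4.17 198.51.100.23 5555",
    "2002-09-06T03:12:00 203.0.113.9 10.20.4.50 445",
    "2002-09-06T03:13:00 10.20.4.50 10.20.1.5 445",
    "2002-09-06T03:13:30 10.20.4.50 10.20.1.6 445",
] + [
    # three hours later the first host sweeps a /24 on 445, one SYN per 2s
    f"{(_SCAN_START + timedelta(seconds=2 * i)).isoformat()} "
    f"10.20.4.17 10.20.9.{i + 1} 445"
    for i in range(40)
])


def parse_log(text):
    """Return [(ts, src, dst, dport)] sorted by time; skips blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), ip_address(src),
                      ip_address(dst), int(dport)))
    return sorted(flows)


def _fanout_start(events, min_targets, window):
    """Earliest time a host reached `min_targets` distinct 445 destinations
    inside `window`, or None. `events` is [(ts, dst)] in time order."""
    seen = defaultdict(int)
    start = 0
    for ts, dst in events:
        seen[dst] += 1
        while ts - events[start][0] > window:      # slide window forward
            old = events[start][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            start += 1
        if len(seen) >= min_targets:
            return events[start][0]
    return None


def find_infected(flows, min_targets=SCAN_MIN_TARGETS, window=SCAN_WINDOW):
    """Hosts showing all three stages, with entry time, 5555 peers and
    the time the outbound 445 sweep began."""
    entry = {}                    # host -> first inbound 445 from outside
    c2 = defaultdict(list)        # host -> [(ts, dst)] on 5555 after entry
    out445 = defaultdict(list)    # host -> [(ts, dst)] outbound 445
    for ts, src, dst, dport in flows:
        if dport == 445 and dst in INTERNAL and src not in INTERNAL:
            entry.setdefault(dst, ts)
        elif src in INTERNAL and dport == 5555 and src in entry:
            c2[src].append((ts, dst))
        elif src in INTERNAL and dport == 445:
            out445[src].append((ts, dst))
    hits = {}
    for host, first_in in entry.items():
        if host not in c2:
            continue
        first_c2 = c2[host][0][0]
        later = [(ts, d) for ts, d in out445[host] if ts >= first_c2]
        scan = _fanout_start(later, min_targets, window)
        if scan is None:
            continue
        hits[host] = {"entry": first_in,
                      "c2_hosts": sorted({d for _, d in c2[host]}),
                      "scan_start": scan}
    return hits


def c2_blocklist(hits):
    """Distinct port-5555 peers across all flagged hosts, as strings."""
    return sorted({str(d) for h in hits.values() for d in h["c2_hosts"]})


if __name__ == "__main__":
    found = find_infected(parse_log(SAMPLE_LOG))
    for host, info in found.items():
        print(host, info)
    print("block:", c2_blocklist(found))
```

Requiring the 5555 connection between the inbound 445 and the sweep keeps ordinary SMB clients, and hosts that were merely probed, out of the hit list; the `c2_blocklist` output is the set of addresses you would add to the border filter, and re-running after blocking is how you would spot the fallback 5555 destination the post mentions.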