[unisog] Distributed port 445 scan or spoof?

Harris, Michael C. HarrisMC at health.missouri.edu
Fri Feb 14 18:07:47 GMT 2003

Yes, we have been seeing 445 MS-DS scans from increasing groups of 60 to 200 sources every couple of months. They swing through very quickly, all starting within seconds of each other and completing a class B in less than 5 minutes. Each source scans approx. 200 addresses, but not the usual 1-254 (avoiding the 0 and 255 broadcast addresses, which most script kiddies seem to like to hit anyway). There is some variation I have not been able to figure out yet.

Bill and I have talked to several EDUs seeing the same.

Oddly enough, when sorted, both the start times and IP addresses are sequential, as if they are slaves or spoofs starting in IP order.

I have two or three sets of sources and times I can share off list if anyone starts a more formal analysis.

Michael C Harris
System Security Analyst - GSEC
ITS / Research Education and Support
University of Missouri Health Center
Phone: 573-882-3392 

harrismc at health.missouri.edu
This e-mail is sent with 99.73% recyclable electrons

-----Original Message-----
From: Pat Wilson [mailto:paw at noh.ucsd.edu]
Sent: Thursday, February 13, 2003 8:44 PM
To: unisog at sans.org
Subject: [unisog] Distributed port 445 scan or spoof?

Hmm.  We're seeing incidents of intense port 445 scanning, either from a
fairly well-coordinated distributed net or from something spoofing one -
lots of ISP IP addresses, for short bursts of activity.

Has anyone else seen this recently?  We normally see 445 scans, but not
from so many different directions at once...  If it _is_ an address
spoofer, any idea how to track it down?


Pat Wilson
Network Security Manager
UCSD ACS/Network Operations
paw at ucsd.edu
6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015
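
The ordering test Michael describes (sort the sources of a burst and check whether start times and source addresses line up) can be automated. The script below is an added example and not code from either poster: it takes per-source summaries of tcp/445 scanning (first-seen time, source address, number of destinations hit), groups sources that started within seconds of each other, and scores each group by how well start-time order agrees with address order. All addresses, timestamps and counts are constructed for the example; the thresholds (burst gap, minimum sources, minimum agreement) are assumptions to be tuned against local data.

```python
# Added example (not from the thread): detect bursts of tcp/445 scan sources
# whose start times and source addresses are ordered together.
# Log lines, addresses and thresholds below are constructed / assumed.
from datetime import datetime, timezone
from ipaddress import ip_address
from itertools import combinations

# Constructed per-source summaries: "<first-seen UTC> <source IP> <dests hit>".
# A coordinated burst: 12 consecutive addresses starting two seconds apart,
# each touching ~200 destinations, as described in the thread.
BURST_LINES = [f"2003-02-13T20:44:{2 * i:02d}Z 203.0.113.{10 + i} 200"
               for i in range(12)]
# Background noise: scattered addresses, scattered start times, few targets.
BACKGROUND_LINES = [
    "2003-02-13T19:02:11Z 198.51.100.77 3",
    "2003-02-13T19:09:40Z 192.0.2.5 1",
    "2003-02-13T19:15:02Z 203.0.113.200 12",
    "2003-02-13T19:31:55Z 198.51.100.3 1",
    "2003-02-13T19:48:19Z 192.0.2.140 2",
    "2003-02-13T19:59:03Z 203.0.113.9 1",
]


def parse(lines):
    """Turn summary lines into (epoch seconds, address as int, dest count)."""
    records = []
    for line in lines:
        ts, src, count = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        when = when.replace(tzinfo=timezone.utc)
        records.append((when.timestamp(), int(ip_address(src)), int(count)))
    return records


def kendall_tau(records):
    """Rank agreement between start-time order and source-address order.
    +1.0: sources started in strict address order; ~0: no relation."""
    if len(records) < 2:
        return 0.0
    concordant = discordant = 0
    for (t1, ip1, _), (t2, ip2, _) in combinations(records, 2):
        sign = (t1 - t2) * (ip1 - ip2)
        if sign > 0:
            concordant += 1
        elif sign < 0:
            discordant += 1
    pairs = len(records) * (len(records) - 1) // 2
    return (concordant - discordant) / pairs


def split_bursts(records, max_gap=30.0):
    """Group sources whose first-seen times are within max_gap seconds of the
    previous source's; a gap larger than that starts a new group."""
    groups, current = [], []
    for rec in sorted(records):
        if current and rec[0] - current[-1][0] > max_gap:
            groups.append(current)
            current = []
        current.append(rec)
    if current:
        groups.append(current)
    return groups


def assess(records, min_sources=6, max_span=300.0, min_tau=0.9):
    """Summarise one group and decide whether it looks coordinated: enough
    sources, all starting inside max_span seconds, addresses in start order."""
    starts = [r[0] for r in records]
    span = max(starts) - min(starts)
    tau = kendall_tau(records)
    coordinated = (len(records) >= min_sources and span <= max_span
                   and tau >= min_tau)
    return {"sources": len(records), "span_seconds": span, "tau": tau,
            "mean_targets": sum(r[2] for r in records) / len(records),
            "first_source": str(ip_address(min(r[1] for r in records))),
            "coordinated": coordinated}


def find_coordinated(lines):
    """Return the assessment of every group that looks like a coordinated burst."""
    reports = [assess(group) for group in split_bursts(parse(lines))]
    return [r for r in reports if r["coordinated"]]


if __name__ == "__main__":
    for report in find_coordinated(BACKGROUND_LINES + BURST_LINES):
        print(report)
```

A tau near 1.0 inside a tight burst is the signature from the thread; background scanning should score near zero and fall into singleton groups. Spoofed sources would produce the same ordering, so the score says "coordinated or spoofed", not which; the 200-address per-source count and the avoided .0/.255 offsets are worth recording alongside it when comparing notes across sites.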
