Hosting Provided By

New CIFS (port 445) worm?

From: David Gillett <gillettdavid(at)fhda.edu>
Date: Tue Dec 17 2002 - 11:30:13 EST

Overnight, I logged 13 connection attempts from random Internet addresses to my machine. 10 of them were to port 445, which is up significantly from a week ago. I'm also seeing lots of probes of this port at other network points.

Yesterday I also had to disconnect two ports on our network because the machines on those ports were probing random Internet addresses on this port -- fast enough that one of our core routers was choking.

My assumption, at this point, is that those two machines (and a bunch more out on the Internet) have been infected with something. The choice of port 445 suggests Win 2000/XP file shares as the infection vector.

Anybody got more information?

David Gillett

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Tue Dec 17 12:32:20 2002

This message: [ Message body ]
Next message: Oliver.C.Rochford CFH: "Re[2]: Rooted, .haos on system"
Previous message: Julian Young: "Re: Rooted, .haos on system"
In reply to: Damian Gerow: "Re: Rooted, .haos on system"
Next in thread: Zen: "Re: New CIFS (port 445) worm?"
Reply: Zen: "Re: New CIFS (port 445) worm?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:54 EDT