port 445 being hit

Discussion in 'other security issues & news' started by wink, Jan 27, 2003.

Thread Status:
Not open for further replies.
  1. wink

    wink Registered Member

    Joined:
    Dec 16, 2002
    Posts:
    52
    Hi,

    Along the same lines as Snowy's post in this board, I have returned to my PC and found my computer has been inundated with failed connections on port 445!

    I have looked to see if there are any advisories around but only found this preliminary one from cert.org > http://www.cert.org/current/scanning.html
    I am just wondering if anyone else is experiencing these connection attempts as I am noticing a great drop in performance on my internet connection.

    2 days of port 1434 now port 445 what next :eek:

    Wink
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    http://ntsecurity.nu/papers/port445/
    http://isc.incidents.org/port_details.html?port=445
    http://www.uksecurityonline.com/husdg/windows2000/close445.htm

    Port 445 is the new Samba/Windows file sharing port. All Windows XP machines listen on port 445. It is similar to port 139, which has been blocked for some time.
    Same on Win2000.
    Among others, the new listen port 445 is used for DoSing users who did not close it carefully, so your internet effect is part of it. Better close it ASAP!
     
  3. wink

    wink Registered Member

    Joined:
    Dec 16, 2002
    Posts:
    52
    Hi Jooske,

    I am ok, it is closed and behind a firewall, just that the volume of traffic seems to be affecting my connection, I am by no means unable to use the internet (obviously as I am here now ;) ) but I have noticed it is being affected.

    Took me 3 attempts to post this thread :)

    Wink
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I wonder if it's part of the attack and if there is some code in the following port names 1434 - 2295 - 445 or the worm names on them. You might like to monitor the packets with the TDS and save and post or send them in for analysis if it looks interesting.
    I've none till now, fortunately... Maybe I should configure my FW to report all and see what happens then.... But I can't imagine not reporting would change anything in functioning of the system, as the attempts will be there, only not logged.
     
  5. microwiz3

    microwiz3 Registered Member

    Joined:
    Sep 25, 2002
    Posts:
    6
    Location:
    Goshen, IN
    Likewise here, except slightly diff. ports (in order of hits).
    137, 1434, 443, 1214, 1641 (then slightly less) 6588, 1243, 80, 27374, 8080.

    These were continuous from 4:45 am PST until 8:15 am today, now all is quiet! Not even one hit since 8:15 am. Guess they all went to bed!

    The router NAT got them all - so far. Sygate standing by in the background. So far so good.

    I took my weather software offline during the night last night and probably will continue to do so for the near future (usually goes 24/7). :eek: :rolleyes:
     
  6. snowy

    snowy Guest

    WINK

    please consider...the next time you are hit like that shut down and re-boot......don't take chances.....respectfully said.

    Jooske

    I really think you are right on point....the attack is really one and the same....only both ports are involved.....perhaps separately....but by the same means of attack
     