New Worm? port 445 spam

Discussion in 'Port Explorer' started by Blackman, Mar 7, 2003.

Thread Status:
Not open for further replies.
  1. Blackman

    Blackman Registered Member

    Joined:
    Feb 28, 2003
    Posts:
    14
    Last night starting at 00:05 EST my router started recieving alot of attempts to connect on port 445(windows 2000/xp nbt) It rejects all of them, but this is the same way the SQL worm attack started. Most domains in the beginning were from .fr(france) and .it(italy).
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Looks like that has been going on for a week or so:

    http://www1.dshield.org/port_report.php?port=445

    Regards,

    Pieter
     
  3. Blackman

    Blackman Registered Member

    Joined:
    Feb 28, 2003
    Posts:
    14
    Thanks Peter! That shows a huge, exponential increase starting on 3-05-2003. Definitely something is out there. Funny, it just starting hitting my ip at 00:05am(gmt -5), exactly the way SQL slammer did. Some enterprising individual has probably added the ip generation scheme to his/her own smb connect worm.

    FanJ added this post on 3-04-2003 http://www.wilderssecurity.com/showthread.php?t=7735
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Another possible cause for hammering port 445:
    http://www.wilderssecurity.com/showthread.php?t=7872

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.