
port 445 -- router logging hundreds of hits a day


Mark Fleming

Aug 4, 2003, 4:50:48 PM
Hey folks,

For the past few weeks I've been getting hundreds upon hundreds of people
trying to connect to me on port 445 on a daily basis.
It's the default File and Printer sharing for Microsoft port.

The port is blocked so I'm not worried about it, but was wondering if anyone
else has been noticing these hits on your router?

Anyone else getting these?

Mark


Dragonfly

Aug 4, 2003, 5:34:38 PM
doesn't smb broadcast itself out to see if there are any other machines
present? you sure they are coming from outside your network?

that would be the #1 port that would be scanned imo so it doesn't surprise
me.. anyways don't worry about it 'cause rogers has that port blocked on their
end

it's all good
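
Added example, not part of any post in this thread: one way to check whether port 445 hits in a router log come from outside the network or from the LAN side. The netfilter-style log format, the `summarize_hits` name and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges: a source inside these is on the LAN side of the router.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: netfilter-style KEY=VALUE log fields (SRC=, PROTO=, DPT=).
FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

# Constructed sample lines; external hosts use documentation address ranges.
SAMPLE_LOG = """\
Aug  4 16:41:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3121 DPT=445 SYN
Aug  4 16:41:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3122 DPT=445 SYN
Aug  4 16:43:40 gw kernel: IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=4410 DPT=445 SYN
Aug  4 16:44:12 gw kernel: IN=eth1 OUT= SRC=192.168.1.23 DST=192.168.1.1 PROTO=TCP SPT=1045 DPT=445 SYN
Aug  4 16:45:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=2200 DPT=80 SYN
Aug  4 16:46:30 gw kernel: IN=eth0 OUT= SRC=garbled DST=192.0.2.10 PROTO=TCP SPT=2201 DPT=445 SYN
"""


def summarize_hits(log_text, port=445):
    """Count TCP hits on `port` per source, split into external and internal."""
    counts = {"external": Counter(), "internal": Counter()}
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(port):
            continue
        try:
            src = ipaddress.ip_address(fields.get("SRC", ""))
        except ValueError:
            continue  # skip lines with a missing or malformed source address
        side = "internal" if any(src in net for net in INTERNAL_NETS) else "external"
        counts[side][str(src)] += 1
    return counts


if __name__ == "__main__":
    result = summarize_hits(SAMPLE_LOG)
    for side in ("external", "internal"):
        print(f"{side}: {sum(result[side].values())} hits "
              f"from {len(result[side])} sources")
        for src, n in result[side].most_common():
            print(f"  {src:<15} {n}")
```

A large number of distinct external sources with only a few hits each is what internet-wide scanning looks like; an internal source showing up here points at a machine on the LAN instead.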


Dave Brodbeck

Aug 4, 2003, 8:52:16 PM

"Mark Fleming" <markf...@nospamformeroadrunner.nf.net> wrote in message
news:bgmgv6$aqq$1...@nntp-stjh-01-01.rogers.nf.net...

I get busloads of those hits on a daily basis.

>
> Mark
>
>




Michael Pelley

Aug 5, 2003, 5:32:53 AM

Found this on Google:

I remember the Lioten (Iraq_oil) worm, which used port 445 with 100 threads
when doing the scanning and spreading. It used the "guessable users" and
"password dictionary" list, which is similar to the mIRC versions. More
information can be found at
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.lioten.html

I have seen close to a dozen ocxdll.exe/taskmngr.exe/task32.exe type of
worm/Trojan variants, and I have compiled a list of files that might
represent worm/Trojan infections. This list is by no means complete because
new variants come out quite often, and the authors just renamed the files
and spread the worm/Trojan again. You can find the worm/Trojan file list at
http://www.klcconsulting.net/mirc_virus_analysis.htm

There is one version of mIRC variant that included PStor.EXE file. This is
a program to steal username and passwords stored via pstorec.dll, which
include some IE and Web Outlook. PStor.EXE is actually the program
pStoreReader, and you can find the .exe and source code at
http://intex.ath.cx. I first saw this variant on 10/23/2002, and it has
surfaced again.


(Google is your friend)
