TCP Port 445
Microsoft-DS Service is used for resource sharing on Windows 2000, XP, 2003,
and other samba based connections. This is the port that is used to connect file shares for example.
Inbound scans are typically systems which are trying to connect to file
shares that might be available on your system and hence these should be
blocked. While most of this traffic is the result of worms or viruses which
can use open file shares to propagate, they also can be the result of malicious users
attempt to connect to your computer. Once connected they can download,
upload or even delete or edit files on the connected file share. If you use open file shares (including sharing of printers, etc) on your
local network (LAN), then you should be using a firewall such that your local
file shares are not accessible from the internet. Connecting to open file shares is likely the easiest and most common hack on
the internet and yet one of the most effective for malicious activities like
identity theft or installing RATs (Remote Access Trojans) to take control of
systems remotely for example.
Lately TCP Port 445 has become the target of LSASS exploiting worms like
Sasser and Korgo.
Outbound scans if occurring in volume should be considered an indication of a
possible worm infection on the source computer and should be investigated.
If there are systems to which you remotely connect to, then those systems should
be marked as trusted IPs within Link Logger such that future authorized events will
be logged as normal traffic.
Port Peeker capture of Korgo Worm scan and
Port Peeker capture of Sasser Worm scan and
Port Peeker capture - Sample Attack 1
Port Peeker capture - Sample Attack 2
Port Peeker capture - Sample Attack 3
CERT Advisory CA-2003-08 Increased Activity Targeting Windows Shares
Link Logger inbound scans/attack report for
selected ports from one of our test systems. Here we can see the
effect of the Sasser Worm (May 1st on port 445), Bobax Worm (May 15th on
port 5000) and the Korgo Worm (June 1st on port 445). NOTE the reported system would be typical for high speed home users.
Link Logger unique source IP addresses per
hour for selected ports from one of our test systems. NOTE the reported system would be typical for high speed home users.
Page last updated on
June 29, 2005