Link Logger for Windows

TCP Port 445

Common Use

The Microsoft-DS service is used for resource sharing on Windows 2000, XP, 2003, and other Samba-based connections.  For example, this is the port used to connect to file shares.

Inbound Traffic

Inbound scans are typically systems which are trying to connect to file shares that might be available on your system, and hence these should be blocked.  While most of this traffic is the result of worms or viruses, which can use open file shares to propagate, it can also be the result of malicious users attempting to connect to your computer.  Once connected, they can download, upload, or even delete or edit files on the connected file share.  If you use open file shares (including sharing of printers, etc.) on your local network (LAN), then you should be using a firewall so that your local file shares are not accessible from the Internet.  Connecting to open file shares is likely the easiest and most common hack on the Internet, and yet one of the most effective for malicious activities such as identity theft or installing RATs (Remote Access Trojans) to take control of systems remotely.

Lately TCP Port 445 has become the target of LSASS-exploiting worms like Sasser and Korgo.

Outbound Traffic

Outbound scans, if occurring in volume, should be considered an indication of a possible worm infection on the source computer and should be investigated.  If there are systems to which you connect remotely, then those systems should be marked as trusted IPs within Link Logger so that future authorized events will be logged as normal traffic.
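
The outbound check described above can be sketched as follows. This is an added example, not Link Logger's own code: it flags a LAN host that contacts many distinct Internet hosts on TCP 445 within one hour and ignores trusted IPs. The log format, LAN range, trusted address, and threshold are all assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")        # assumption: local network range
TRUSTED = {ip_address("203.0.113.10")}    # assumption: remote file server you use
THRESHOLD = 5                             # assumption: distinct targets per hour

# Constructed sample log (not real traffic): time, source, destination, port, protocol
SAMPLE_LOG = """\
2004-05-01T10:01:02 192.168.1.23 198.51.100.1 445 TCP
2004-05-01T10:01:03 192.168.1.23 198.51.100.2 445 TCP
2004-05-01T10:01:03 192.168.1.23 198.51.100.3 445 TCP
2004-05-01T10:01:04 192.168.1.23 198.51.100.4 445 TCP
2004-05-01T10:01:05 192.168.1.23 198.51.100.5 445 TCP
2004-05-01T10:01:05 192.168.1.23 198.51.100.6 445 TCP
2004-05-01T10:02:10 192.168.1.5 203.0.113.10 445 TCP
2004-05-01T10:02:40 192.168.1.5 203.0.113.10 445 TCP
2004-05-01T10:03:00 192.168.1.7 198.51.100.200 445 TCP
2004-05-01T10:04:00 198.51.100.9 192.168.1.5 445 TCP
2004-05-01T10:05:00 192.168.1.7 192.168.1.5 445 TCP
2004-05-01T11:00:01 192.168.1.23 198.51.100.7 445 TCP
truncated line
"""


def outbound_445_suspects(log_text, threshold=THRESHOLD):
    """Map (source, hour) -> number of distinct untrusted Internet hosts
    contacted on TCP 445, for sources at or above the threshold."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        try:
            ts, src, dst, port, proto = line.split()
            src, dst, port = ip_address(src), ip_address(dst), int(port)
        except ValueError:
            continue  # skip malformed or truncated lines
        if proto != "TCP" or port != 445:
            continue
        if src not in LAN or dst in LAN:
            continue  # keep only LAN -> Internet traffic
        if dst in TRUSTED:
            continue  # authorized remote share, treated as normal traffic
        targets[(str(src), ts[:13])].add(dst)  # bucket by hour
    return {k: len(v) for k, v in targets.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (src, hour), n in outbound_445_suspects(SAMPLE_LOG).items():
        print(f"{hour}:00 {src} contacted {n} distinct hosts on TCP 445")
```

Counting distinct destinations rather than raw connections keeps repeated sessions to a single file server from tripping the threshold.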

Additional Information

Port Peeker capture of Korgo Worm scan and infection attempt

Port Peeker capture of Sasser Worm scan and infection attempt

Port Peeker capture - Sample Attack 1

Port Peeker capture - Sample Attack 2

Port Peeker capture - Sample Attack 3

CERT Advisory CA-2003-08 Increased Activity Targeting Windows Shares

 

Inbound scans/attacks for selected ports

Link Logger inbound scans/attack report for selected ports from one of our test systems.  Here we can see the effect of the Sasser Worm (May 1st on port 445), Bobax Worm (May 15th on port 5000) and the Korgo Worm (June 1st on port 445).  Note that the reported system would be typical of high-speed home users.

Unique source IP addresses for inbound scans/attacks for selected ports

Link Logger unique source IP addresses per hour for selected ports from one of our test systems.  Note that the reported system would be typical of high-speed home users.

 

Page last updated on June 29, 2005