Ethereal-users: Re: [Ethereal-users] Newbie in a jam
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Steven Masters <Steven.Masters@xxxxxxxxxxxx>
Date: Tue, 28 Feb 2006 18:18:21 -0500
Port 445 is used by many viruses, as shown in the bottom box. Make sure your machines are all patched for these. Welchia and Sasser were very well known to be viruses doing this. If infected and then patched, you still need to remove those viruses with special tools. Google it.

I don't know if I would deny port 445, but maybe log it instead. You don't know what else you might break behind the router if you do. By logging you can still see what IP is causing the problem.

FYI, here is the web site for this port info. I have found it very helpful.
http://www.sonomawireless.com/~ports/port400-499.html

445 tcp/udp microsoft-ds Microsoft-DS
445 tcp # W32.HLLW.Gaobot, W32.HLLW.Lioten, W32.HLLW.Deloder, W32.Slackor, W32.HLLW.Nebiwo, W32.HLLW.Moega, W32.HLLW.Deborms, W32.Yaha, Randex, W32.Bolgi.Worm, W32.Cissi, W32.Welchia, W32.HLLW.Polybot, W32.Sasser, W32.Cycle, W32.Bobax, W32.Kibuv.Worm, W32.Korgo, W32.Explet, Otinet, W32.Scane, W32.Aizu Rtkit, W32.Spybot, W32.Janx, Netdepix, W32.Wallz, W32.Mytob, W32.Ifbo, W32.Reatle, W32.Zotob, Secefa, W32.Kiman

Steve Masters
Network Analyst, Senior
(w) 717-240-5561
(c) 717-385-4829
steven.masters@xxxxxxxxxxxx
The reason I like standards is there are so many to choose from.


Sake Blok <sake@xxxxxxxxxx>
Sent by: ethereal-users-bounces@xxxxxxxxxxx
02/28/2006 05:25 PM
Please respond to Ethereal user support <ethereal-users@ethereal.com>

To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
cc:
Subject: Re: [Ethereal-users] Newbie in a jam


On Tue, Feb 28, 2006 at 01:49:26PM -0800, Jason Hernandez wrote:
> Thanks! Here is the sample line of the log that was sent to me. I replaced
> the IP with X's. The first set of X's is the IP of my router and the other
> set is the IP it's scanning.
>
> 2|Feb 20 2006 14:33:10|106001: Inbound TCP connection denied from
> X.X.X.X/13331 to X.X.X.X/445 flags SYN on interface outside

If you have access to the router on your end of the ISP connection, I would configure an access-list on it to block tcp-port 445; that will keep your ISP happy. If you enable logging on that access-list, you will also be informed about the IP address of the workstation that is initiating these sessions.

If you don't have access to your router, I would put the ethereal PC on a port of the hub/switch that the router is connected to. If it is a hub, start up ethereal and select a capture filter of "port 445". That will show you which workstations are involved. If it is a switch, you will need to configure a monitor port. If you don't know how to do that, you might want to contact your switch reseller to assist you with that (or have a look at the friendly manual that came with it :))

I hope this helps...

Cheers,
Sake

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
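Sake's advice is to log rather than just drop, so you can see which address is generating the port 445 SYNs. The script below is an added example, not code from this thread: it parses "106001: Inbound TCP connection denied" lines in the format Jason quoted and reports, per source IP, how many denials hit tcp/445 and how many distinct targets were reached. The log lines and addresses in it are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Matches the firewall syslog format quoted in the thread, e.g.
#   2|Feb 20 2006 14:33:10|106001: Inbound TCP connection denied from
#   A.B.C.D/13331 to E.F.G.H/445 flags SYN on interface outside
LINE_RE = re.compile(
    r"\|(?P<id>\d{6}): Inbound (?P<proto>TCP|UDP) connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    "2|Feb 20 2006 14:33:10|106001: Inbound TCP connection denied from 192.0.2.10/13331 to 198.51.100.5/445 flags SYN on interface outside",
    "2|Feb 20 2006 14:33:11|106001: Inbound TCP connection denied from 192.0.2.10/13332 to 198.51.100.6/445 flags SYN on interface outside",
    "2|Feb 20 2006 14:33:11|106001: Inbound TCP connection denied from 192.0.2.10/13333 to 198.51.100.7/445 flags SYN on interface outside",
    "2|Feb 20 2006 14:33:12|106001: Inbound TCP connection denied from 192.0.2.10/13334 to 198.51.100.7/445 flags SYN on interface outside",
    "2|Feb 20 2006 14:33:20|106001: Inbound TCP connection denied from 203.0.113.9/40001 to 198.51.100.5/80 flags SYN on interface outside",
    "some unrelated syslog text that the parser must ignore",
]


def parse_denied(line):
    """Return the fields of a 'connection denied' line, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize_port_scanners(lines, port=445, min_targets=2):
    """Map source IP -> (denied attempts, distinct destinations) for TCP
    denials to `port`, keeping only sources that hit >= min_targets hosts.
    One source touching many destinations on 445 is the scan pattern the
    ISP complained about; a single destination is more likely a legitimate
    file-sharing attempt that was simply filtered."""
    attempts = Counter()
    targets = defaultdict(set)
    for line in lines:
        rec = parse_denied(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != port:
            continue
        attempts[rec["src"]] += 1
        targets[rec["src"]].add(rec["dst"])
    return {src: (attempts[src], len(dsts))
            for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, (n, hosts) in summarize_port_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} denied SYNs to tcp/445 across {hosts} hosts")
```

Run against the ISP's log export (or the router's own access-list log) the same way; on the router side the source field will be the internal workstation rather than the router's public address.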