Kids Port 445 Accidentally?

01-22-2004, 10:33 AM   #1   blubomber

I am running Microsoft's ISA Server 2000 on Windows 2000 Server to protect my network. In the security audit log I am getting computers from the internet trying to connect either as Administrator or Guest or something else. Using Ethereal, I can see that they are trying to connect via SMB (port 445). They are always unsuccessful, but it seems to be happening from different computers.

I can block their IPs at the firewall level so that they cannot get in again. This may be a long shot, but could their computers be mistaking my server for another they are trying to connect to? I know this may be a long shot, and I think that because I had one workstation last night try to connect as Administrator for about 4 hours.

I am gathering info on the workstations using NeoTrace, nmap, LANguard, and Ethereal, so I have evidence in case it is an attempt to compromise my network's security.

01-22-2004, 10:37 AM   #2   Guest
http://www.petri.co.il/what_is_port_445_in_w2kxp.htm

Doesn't look like it is a mistake; looks like someone is trying to brute-force their way into your administrator account.

I would watch your network closely.

01-22-2004, 10:47 AM   #3   blubomber
Thanks GZ3, I have been watching it and I have thought the same. I just went through the steps of blocking all incoming traffic on port 445 and I have Ethereal always running.

It is happening so frequently that I am wondering if word is out in the hacker world that there is a Windows 2000 server with port 445 open, and people are just trying to see who can get in.

Thanks for the link.

01-22-2004, 11:32 AM   #4   DVNT1
You're not alone. Port 445 is one of the top ten probed ports right now (and has been for a while).

http://isc.incidents.org/

&

http://isc.incidents.org/port_details.html?port=445

01-22-2004, 11:34 AM   #5   Guest
Awesome site DVNT1! Thanks!

01-22-2004, 11:41 AM   #6   ArcticFox
I'll subscribe to this thread as I'd like to learn more about security (as GZ3 well knows). But indeed, nice links!

01-22-2004, 11:52 AM   #7   blubomber
Excellent DVNT1!!!!! Great links.

I was also wondering if anyone might think that my network's IP address has been posted out there somewhere? These attacks on port 445 have only shown up in the last week or so, and it seems I had been getting at least one attack a day. They started late at night and I did not have my Ethereal running to capture the intruder's IP address. Last night was a major attack, for it went on for almost 4 hours.

Do I just need to comb the newsgroups to see what I can find?

01-22-2004, 11:55 AM   #8   ArcticFox
Quote:
Originally posted by blubomber
Do I just need to comb the newsgroups to see what I can find?

No, just keep posting.

01-22-2004, 12:07 PM   #9   Droppyale
Quote:
Originally posted by GroundZero3
Awesome site DVNT1! Thanks!

Ditto... Thanks

01-22-2004, 02:09 PM   #10   willy_ph
They're looking for a computer with open SMB shares so they can exploit your computer. They're most likely searching for computers with a null Administrator password. It's a rather simple exploit to execute (the SMB exploit), so I'd keep the port closed if it isn't needed, as well as securing all network shares with passwords, etc.

And those who are attempting to connect via port 445 clearly aren't accidentally connecting to that port. They're intentionally searching out a computer to exploit.
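
Added example (not part of the original thread and not any poster's code): one way to test the thread's question, stray connections versus deliberate probing, by grouping failed port-445 logon attempts per source. The CSV layout, the sample rows and the thresholds are assumptions constructed for illustration, not ISA Server or Ethereal output.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (hypothetical CSV layout, documentation-range IPs);
# not real output from ISA Server, the Windows audit log or Ethereal.
SAMPLE = """time,src_ip,dst_port,account
2004-01-21 22:05:10,203.0.113.7,445,Administrator
2004-01-21 23:30:00,203.0.113.7,445,Guest
2004-01-22 01:58:12,203.0.113.7,445,Administrator
2004-01-21 14:02:33,198.51.100.20,445,jsmith
2004-01-22 03:11:00,192.0.2.55,445,Administrator
2004-01-22 03:11:02,192.0.2.55,445,Guest
2004-01-22 03:11:04,192.0.2.55,445,admin
2004-01-22 03:15:00,192.0.2.55,80,
"""
BUILTIN = {"administrator", "guest", "admin"}  # default names guessed first

def summarize(text, port=445):
    """Group failed attempts against `port` by source IP."""
    per_src = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        if int(row["dst_port"]) == port:
            ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
            per_src[row["src_ip"]].append((ts, row["account"].lower()))
    return per_src

def classify(per_src, min_attempts=3, min_span=timedelta(minutes=30)):
    """Label each source; the thresholds are illustrative assumptions."""
    verdicts = {}
    for src, events in per_src.items():
        times = [t for t, _ in events]
        accounts = {a for _, a in events}
        span = max(times) - min(times)
        if len(events) >= min_attempts and span >= min_span:
            verdicts[src] = "sustained"      # keeps retrying over a long period
        elif len(accounts & BUILTIN) >= 2:
            verdicts[src] = "account-sweep"  # cycles through default accounts
        else:
            verdicts[src] = "isolated"       # could be a stray connection
    return verdicts

def blocklist(verdicts):
    """Sources worth a firewall block, sorted for stable output."""
    return sorted(ip for ip, v in verdicts.items() if v != "isolated")

if __name__ == "__main__":
    print(blocklist(classify(summarize(SAMPLE))))
```

A source that retries for hours or walks through Administrator, Guest and similar names is not a misdirected client; a single attempt with an ordinary user name may be.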