Message-ID: <1063698931.5683.12.camel@cygnus>
From: full-disclosure at szczepanek.de (Torge Szczepanek)
Subject: New worm on port 445 ?

Hi!

I am receiving some amount of traffic on port 445. Is this a new worm
using the newly discovered RPC-DCOM 039 issue or some other rather old
stuff?!? Anybody seen this too?

09:42:21.663609 x.y.21.z.1825 > 142.160.144.11.445: S
821570346:821570346(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:21.965317 x.y.21.z.1827 > 142.160.144.12.445: S
821737415:821737415(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:22.770055 x.y.21.z.1829 > 142.160.144.13.445: S
822039122:822039122(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:23.277790 x.y.21.z.1831 > 142.160.144.14.445: S
822992385:822992385(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:23.768451 x.y.34.z.3313 > 61.1.233.234.445: S
2522939543:2522939543(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:42:23.868584 x.y.34.z.3311 > 61.1.233.233.445: S
2521375962:2521375962(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:42:24.123001 x.y.34.z.3315 > 61.1.233.235.445: S
2523847096:2523847096(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:42:24.242447 x.y.34.z.3317 > 61.1.233.236.445: S
2523956316:2523956316(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:42:24.687108 x.y.21.z.1833 > 142.160.144.15.445: S
823437284:823437284(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:25.316677 x.y.34.z.3319 > 61.1.233.237.445: S
2524334266:2524334266(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:42:25.686965 x.y.21.z.1819 > 142.160.144.8.445: S
820773285:820773285(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:25.878556 x.y.34.z.3321 > 61.1.233.238.445: S
2524583492:2524583492(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:42:26.290585 x.y.21.z.1831 > 142.160.144.14.445: S
822992385:822992385(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:26.491632 x.y.21.z.1821 > 142.160.144.9.445: S
821065804:821065804(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:26.592166 x.y.21.z.1823 > 142.160.144.10.445: S
821179393:821179393(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:26.707247 x.y.34.z.3323 > 61.1.233.239.445: S
2524895980:2524895980(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:42:27.074483 x.y.34.z.3315 > 61.1.233.235.445: S
2523847096:2523847096(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:42:27.174529 x.y.34.z.3317 > 61.1.233.236.445: S
2523956316:2523956316(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:42:27.698642 x.y.21.z.1833 > 142.160.144.15.445: S
823437284:823437284(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:27.698669 x.y.21.z.1825 > 142.160.144.11.445: S
821570346:821570346(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:28.000360 x.y.21.z.1827 > 142.160.144.12.445: S
821737415:821737415(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)

-- 
Torge Szczepanek <full-disclosure@...zepanek.de>
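
A defender-side triage of a capture like the one posted above, as an added example that is not part of the original message: it groups port-445 SYNs by source, counts distinct targets and retransmitted SYNs, and flags sources whose targets are consecutive addresses. The sample lines are constructed with documentation addresses, and the `summarize` function and its `min_targets` threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the same tcpdump text format, one packet per line.
SAMPLE = """\
09:42:21.663609 192.0.2.10.1825 > 198.51.100.11.445: S 821570346:821570346(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:21.965317 192.0.2.10.1827 > 198.51.100.12.445: S 821737415:821737415(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:22.770055 192.0.2.10.1829 > 198.51.100.13.445: S 822039122:822039122(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:24.668001 192.0.2.10.1825 > 198.51.100.11.445: S 821570346:821570346(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
09:42:25.100000 192.0.2.20.4001 > 203.0.113.5.445: S 1000:1000(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:42:25.200000 192.0.2.20.4002 > 203.0.113.9.80: S 2000:2000(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
"""

# time, src.sport > dst.dport: S seq:  (src may be masked, e.g. x.y.21.z)
LINE = re.compile(r"^\S+ (\S+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): S (\d+):")

def summarize(text, port=445, min_targets=3):
    """Per source: distinct targets, retransmitted SYNs, and whether the
    targets form one unbroken run of consecutive addresses."""
    seen = defaultdict(set)       # src -> {(dst, sport, seq)}
    targets = defaultdict(set)    # src -> {dst}
    retrans = defaultdict(int)    # src -> count of repeated SYNs
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or int(m.group(4)) != port:
            continue
        src, sport, dst, seq = m.group(1), m.group(2), m.group(3), m.group(5)
        key = (dst, sport, seq)
        if key in seen[src]:
            retrans[src] += 1     # same ports and ISN: an unanswered SYN resent
        seen[src].add(key)
        targets[src].add(dst)
    report = {}
    for src, dsts in targets.items():
        nums = sorted(int(ipaddress.IPv4Address(d)) for d in dsts)
        sweep = len(nums) >= min_targets and nums[-1] - nums[0] == len(nums) - 1
        report[src] = {"targets": len(nums), "retransmits": retrans[src],
                       "sequential_sweep": sweep}
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```

Captures wrapped by a mail client, as in the message above, need each packet rejoined onto one line before parsing.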

