cheyenne1212, if it makes you feel any better, I've been getting pounded with connection requests to port 445 for at least 2 weeks now. I think I'm averaging about 40-50 requests an hour from IP ranges that follow no observable pattern.
NIS is used to that, in the right way. Nothing to worry about. Maybe just a random attack.
So, you are under attack through a 56K line?
Unplug your PC from the line and get a six pack :)
Hey chey....I was getting hammered by Beijing last night too....overzealous skiddie??
lol
Not really sure, allen, seems like a lot of overzealous Hong Kongers, Polanders, and Netherlanders. At the rate it's going, I'll have shrekkie doing a port scan on my PC before long :p. lol
It's 12:30 a.m. here now and it seems like it's kinda cleared up. Not getting any more invalid TCP flags, but am still getting quite a few invalid destination IP address warnings.
Who knows, maybe I have a little virus or trojan. I had some program called QBUPSEX.exe trying to get out on the net last night, but I blocked access to it. Probably about time for an Ad-aware, Spybot and HijackThis scan again.
Believe me cacosapo, I would love to get a six pack, but being 1 1/2 years from 21 has its drawbacks. lol
/edit: found that program that was trying to get out last night.
Quote:
This one time, the user has chosen to "block" communications
Outbound TCP connection
Remote address,service is (83.155.104.0,microsoft-ds(445))
Process name is "C:\WINDOWS\System32\uqusex.exe"
Just took a peek remotely at the system @ work, tailed a couple logs for a few minutes. Looks to me like it is maybe a new variation of the, what was it, Beagle virus. Email server is getting hit hard and it looks like it scans for the open ports you listed, looking to install the rest of itself. But I'm tired, already a 12 hour day; firewall is blocking and the email is also nixing it as spam... nite, will look at the logs after some sleep.
That's gotta be what it is, I just now got hit from 5 more different IPs in a matter of 30 seconds.
Sorry 'bout the double post guys, but check this out.
That's from a netstat -an
Quote:
TCP 127.0.0.1:3535 127.0.0.1:1027 CLOSE_WAIT
TCP 127.0.0.1:8005 0.0.0.0:0 LISTENING
TCP 208.180.47.112:3022 67.19.14.2:6667 ESTABLISHED
TCP 208.180.47.112:3216 207.46.106.30:1863 ESTABLISHED
TCP 208.180.47.112:8877 0.0.0.0:0 LISTENING
TCP 208.180.47.112:10445 35.210.225.1:445 ESTABLISHED
TCP 208.180.47.112:10915 35.198.58.182:445 ESTABLISHED
TCP 208.180.47.112:10917 35.44.167.243:445 ESTABLISHED
TCP 208.180.47.112:11086 211.118.208.22:445 TIME_WAIT
TCP 208.180.47.112:11145 211.118.208.23:445 TIME_WAIT
TCP 208.180.47.112:11146 208.180.47.47:445 SYN_SENT
TCP 208.180.47.112:11147 81.0.119.182:445 SYN_SENT
TCP 208.180.47.112:11148 81.61.71.5:445 SYN_SENT
TCP 208.180.47.112:11149 81.61.221.0:445 SYN_SENT
TCP 208.180.47.112:11150 81.61.94.9:445 SYN_SENT
TCP 208.180.47.112:11152 211.118.49.102:445 SYN_SENT
TCP 208.180.47.112:11153 211.118.208.24:445 TIME_WAIT
TCP 208.180.47.112:11154 81.61.160.204:445 SYN_SENT
TCP 208.180.47.112:11155 81.61.31.139:445 SYN_SENT
TCP 208.180.47.112:11156 81.61.41.22:445 SYN_SENT
TCP 208.180.47.112:11158 208.180.158.162:445 SYN_SENT
TCP 208.180.47.112:11159 81.61.25.159:445 SYN_SENT
TCP 208.180.47.112:11160 31.228.3.171:445 SYN_SENT
TCP 208.180.47.112:11161 211.118.143.241:445 SYN_SENT
TCP 208.180.47.112:11162 208.180.248.11:445 SYN_SENT
TCP 208.180.47.112:11163 208.180.121.68:445 SYN_SENT
TCP 208.180.47.112:11164 182.50.211.75:445 SYN_SENT
TCP 208.180.47.112:11165 81.0.0.42:445 SYN_SENT
TCP 208.180.47.112:11166 81.0.13.129:445 SYN_SENT
TCP 208.180.47.112:11167 197.11.106.253:445 SYN_SENT
TCP 208.180.47.112:11169 25.220.4.170:445 SYN_SENT
TCP 208.180.47.112:11171 112.222.35.182:445 SYN_SENT
TCP 208.180.47.112:11172 27.179.114.12:445 SYN_SENT
TCP 208.180.47.112:11175 29.114.28.87:445 SYN_SENT
TCP 208.180.47.112:11176 143.80.104.35:445 SYN_SENT
TCP 208.180.47.112:11177 157.231.253.108:445 SYN_SENT
TCP 208.180.47.112:11178 34.8.59.79:445 SYN_SENT
TCP 208.180.47.112:11179 204.165.19.241:445 SYN_SENT
TCP 208.180.47.112:11180 143.52.155.102:445 SYN_SENT
TCP 208.180.47.112:11181 123.254.98.233:445 SYN_SENT
TCP 208.180.47.112:11182 141.25.97.158:445 SYN_SENT
TCP 208.180.47.112:11183 203.194.115.104:445 SYN_SENT
TCP 208.180.47.112:11184 133.21.139.253:445 SYN_SENT
TCP 208.180.47.112:11186 117.181.215.248:445 SYN_SENT
TCP 208.180.47.112:11188 185.204.83.1:445 SYN_SENT
TCP 208.180.47.112:11189 93.216.223.240:445 SYN_SENT
TCP 208.180.47.112:11190 211.220.19.148:445 SYN_SENT
TCP 208.180.47.112:11191 52.33.116.119:445 SYN_SENT
TCP 208.180.47.112:11192 94.109.158.112:445 SYN_SENT
TCP 208.180.47.112:11193 70.229.24.190:445 SYN_SENT
TCP 208.180.47.112:11194 130.157.37.189:445 SYN_SENT
TCP 208.180.47.112:11195 113.80.235.125:445 SYN_SENT
TCP 208.180.47.112:11196 56.209.134.230:445 SYN_SENT
TCP 208.180.47.112:11197 111.249.4.80:445 SYN_SENT
TCP 208.180.47.112:11199 191.55.85.188:445 SYN_SENT
TCP 208.180.47.112:11200 116.210.48.143:445 SYN_SENT
That's a hell of a lot of connections, and the worst part is that there's another 80 IP addresses in there, all on the same port of 445.
wtf is up with that?
Have I been compromised?
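A way to triage a dump like the one above, added here as an example and not something anyone in the thread posted: the direction of the connections is what matters. Being scanned shows up as traffic *to* local port 445; the listing above instead shows the local host on ephemeral ports (10445, 11146, ...) opening SYN_SENT connections *to* port 445 on dozens of unrelated remote hosts, which is the host itself doing the scanning. The helper below parses Windows `netstat -an` text, separates inbound from outbound SMB connections, and counts distinct remote hosts with half-open connections per local address. The sample input is constructed (a few lines taken from the post, the rest made up), and the threshold of 5 is an assumption, not a documented rule.

```python
"""Triage a Windows `netstat -an` dump for worm-style outbound scanning.

Hypothetical helper written for this thread, not part of any tool named in it.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample, modelled on the netstat output in the post (a few lines
# copied from it, the loopback/UDP lines made up). Windows column layout:
#   Proto  Local Address  Foreign Address  State
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:3535         127.0.0.1:1027         CLOSE_WAIT
  TCP    127.0.0.1:8005         0.0.0.0:0              LISTENING
  TCP    208.180.47.112:3022    67.19.14.2:6667        ESTABLISHED
  TCP    208.180.47.112:3216    207.46.106.30:1863     ESTABLISHED
  TCP    208.180.47.112:8877    0.0.0.0:0              LISTENING
  TCP    208.180.47.112:10445   35.210.225.1:445       ESTABLISHED
  TCP    208.180.47.112:11146   208.180.47.47:445      SYN_SENT
  TCP    208.180.47.112:11147   81.0.119.182:445       SYN_SENT
  TCP    208.180.47.112:11148   81.61.71.5:445         SYN_SENT
  TCP    208.180.47.112:11149   81.61.221.0:445        SYN_SENT
  TCP    208.180.47.112:11150   81.61.94.9:445         SYN_SENT
  TCP    208.180.47.112:11152   211.118.49.102:445     SYN_SENT
  TCP    208.180.47.112:11153   211.118.208.24:445     TIME_WAIT
  UDP    208.180.47.112:137     *:*
"""

# One netstat row: proto, local ip:port, remote ip:port (or *:*), optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")


def parse_netstat(text):
    """Return (proto, local_ip, local_port, remote_ip, remote_port, state) tuples.

    Header lines are skipped, as are UDP sockets with no peer ('*:*').
    """
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        if rport == "*":
            continue
        rows.append((proto, lip, int(lport), rip, int(rport), state))
    return rows


def smb_direction_counts(rows, port=445):
    """Count TCP rows where the local side is the SMB server (inbound) versus
    rows where the remote side is (outbound, i.e. this host initiated)."""
    counts = Counter()
    for proto, _lip, lport, _rip, rport, _state in rows:
        if proto != "TCP":
            continue
        if lport == port:
            counts["inbound"] += 1
        elif rport == port:
            counts["outbound"] += 1
    return counts


def outbound_half_open(rows, port=445, state="SYN_SENT"):
    """Distinct remote hosts per local address with half-open connections to
    `port`. Loopback local addresses are ignored; many SYN_SENT entries to
    unrelated hosts mean the local host is sweeping the Internet for SMB."""
    per_local = defaultdict(set)
    for proto, lip, _lport, rip, rport, st in rows:
        if proto != "TCP" or rport != port or st != state:
            continue
        if ip_address(lip.strip("[]")).is_loopback:
            continue
        per_local[lip].add(rip)
    return {lip: len(hosts) for lip, hosts in per_local.items()}


def scan_verdict(text, port=445, threshold=5):
    """Return (flagged, counts). flagged is True when some local address has at
    least `threshold` distinct remote hosts in SYN_SENT to `port` (assumed
    threshold, tune for the environment)."""
    rows = parse_netstat(text)
    counts = outbound_half_open(rows, port=port)
    worst = max(counts.values(), default=0)
    return worst >= threshold, counts


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("direction:", dict(smb_direction_counts(rows)))
    flagged, counts = scan_verdict(SAMPLE_NETSTAT)
    print("half-open per local address:", counts)
    print("likely outbound SMB scanner:", flagged)
```

On the constructed sample every port 445 row is outbound and one local address has six distinct hosts in SYN_SENT, so the verdict is flagged; on a host that is merely being probed you would expect the inbound count to dominate and the outbound one to be near zero.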
If you haven't been compromised, you sure did piss off a lotta hackers last meeting :D haha, nah but seriously though... I think you could very well be being targeted, and if not that then I would do a SwatIt scan (http://swatit.org) for trojans, run Ad-aware and HijackThis (for spyware/adware), update all application versions, check Windows Update for any patches you might not have (I know there have been quite a few IE patches lately that needed to be d/l'd that mentioned compromising system integrity files), and look up those ports on Google and see what service is running on them. Look into the service; if you need it then download the latest version/patches/etc., if not needed, turn it off/get rid of it.
From what I've gathered for you about Port 445: It runs Microsoft-DS and can be a default or another port for the following viruses/trojans/worms: Lioten, Randon, WORM_DELODER.A, W32/Deloder.A, W32.HLLW.Deloder, Sasser.
My suggestion: All that I mentioned above, but definitely look into some of those trojans/viruses/worms. Check back with added information.
Yeah, I'm about to do an Ad-aware scan,
Spybot,
HijackThis,
SwatIt,
and a different AV scan.
Something isn't right somewhere.
I'll let you know if I find something.