Threat Level: green Handler on Duty: Tom Webb

SANS ISC: What's up with port 445? - Internet Security | DShield SANS ISC InfoSec Forums


What's up with port 445?

Looking at the DShield data for port 445 shows an interesting little trend. Reports showing 445 as the target port are down, something that is also observed by some readers in their various darknets.

Ports showing 445 as the source, however, are way up. If you are seeing this or have some packets, please send them through. For the packets, I'm especially interested in the source port 445 traffic.

Mark H

Update

Quite a number of people have reported a similar drop in their stats for 445 as the target port, but no real explanations just yet. Likely to be Conficker related, but that's speculation at the moment.


 

Mark

391 Posts
ISC Handler
Hello World!

TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system.


Useful Links:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

http://download.sysinternals.com/Files/TcpView.zip
Anonymous
Looks like the same rise in port 445 sources happened almost exactly a year ago. I'd check for previous years, but I don't want to taunt the poor little app.
Ron

4 Posts
Not seeing the same thing last year, but willing to be wrong. Which dates did you use?
Mark

391 Posts
ISC Handler
Hmm.. All I did was change the start year to 2008, and hit submit (start/end dates become Feb 5 2008 - Mar 7 2009). It shows a similar ramp-up and sudden drop.
Looking at it again, and playing around with the dates a bit more, the ramp disappears. Probably an artifact of the sample rate. Sorry for the false alarm.
Ron

4 Posts
My #1 destination port across all my firewalls (multiple class C's) is by FAR TCP 445. I have yet to capture some of the traffic, but the sources appear to be coming from all over. I have been waiting for someone else to see this spike. :)
Anonymous
