
Elevated scanning: TCP port 135 (RPC) AND 445 (Domain Services)



        At several locations we have seen a significant elevation in
scanning on TCP ports 135 AND 445.  The scanning machines are scanning
both ports, and seem to be doing a semirepeated scan (sometimes
attempting multiple tries at the same destination).

        This looks somewhat like a worm scan or widely distributed
scan which is targeting the Windows RPC port and is also looking for
domain controllers (to attack?  To find other targets?  To
authenticate with other possible targets?)

        Does anyone have more information on this?

        Especially anybody with a Windows honeypot?

-- 
Nicholas C. Weaver                                 nweaver@xxxxxxxxxxxxxxx
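
Added example, not part of the original post: one way to pull the pattern described above (a source probing both TCP 135 and 445 on the same destinations, sometimes with repeated tries) out of perimeter logs. The record format, the sample lines and the `min_targets` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records (not from the post): "epoch src dst dport"
# for inbound TCP SYNs. Addresses come from documentation ranges.
SAMPLE = """\
1000 198.51.100.7 192.0.2.10 135
1001 198.51.100.7 192.0.2.10 445
1003 198.51.100.7 192.0.2.10 135
1004 198.51.100.7 192.0.2.11 135
1005 198.51.100.7 192.0.2.11 445
1006 198.51.100.7 192.0.2.12 135
1007 198.51.100.7 192.0.2.12 445
1010 203.0.113.5 192.0.2.10 445
1011 203.0.113.5 192.0.2.11 445
1012 203.0.113.5 192.0.2.12 445
1020 203.0.113.9 192.0.2.10 135
1021 203.0.113.9 192.0.2.10 445
"""

PORTS = {135, 445}

def find_dual_port_scanners(text, min_targets=3):
    """Return {src: stats} for sources that probed BOTH ports on at least
    min_targets distinct destinations (the threshold is an assumption)."""
    tries = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # skip malformed records
        _, src, dst, dport = fields
        port = int(dport)
        if port in PORTS:
            tries[src][dst][port] += 1  # attempts per (src, dst, port)
    result = {}
    for src, dsts in tries.items():
        both = [d for d, p in dsts.items() if PORTS <= set(p)]
        if len(both) < min_targets:
            continue  # single-port scanners and one-off probes drop out
        # Destinations where at least one of the two ports was tried again.
        retried = sum(1 for d in both if any(n > 1 for n in dsts[d].values()))
        result[src] = {"targets_both_ports": len(both), "targets_retried": retried}
    return result

if __name__ == "__main__":
    for src, stats in find_dual_port_scanners(SAMPLE).items():
        print(src, stats)
```

Sources that touch only one of the two ports, or both ports on fewer destinations than the threshold, are left out, which separates this paired scan from ordinary 445-only background noise.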