Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

port 445 always open and sending syn ack packets.

Posted on 2004-09-10
6
Medium Priority
?
1,572 Views
Last Modified: 2012-05-05
dear sir ,
i have a huge network , for about 3000 clients , using xp , win2k , 2003 , 98 , linux etc
all clients using win xp , 2000 , or 2003  are sending many packets using port 445 .
i can see the traffic from my routers
i thought it is the sasser  or the Gaobot , because it attacks on port 445 , i scanned many times with the utility that symantec provides it but nothing found .
is there any solution ?
0
Comment
Question by:skynoc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 7

Accepted Solution

by:
LimeSMJ earned 1500 total points
ID: 12025055
Windows XP, 2000, and 2003 use port 445 for SMB (Server Message Blocks)... instead of using NetBIOS over TCP/IP (ports 137-139) for SMB, these operating systems can directly send SMBs over TCP/IP.  The SMB protocol is used for Microsoft File and Printer sharing, so if your network needs it, just leave it.  These packets are OK as long as they are BEHIND your firewall.  SMB's should NEVER be passed onto the Internet as it poses a very high security risk.

If you are not using File and Printer sharing on your network at all, you can disable SMBs:

http://www.uksecurityonline.com/husdg/windows2000/close445.htm

Otherwise, make sure you block port 445 on your firewall (both incoming and outgoing).
0
 

Author Comment

by:skynoc
ID: 12025937
i did this before , but nothing has been changed ,
the virus uses this port to send packets .
but what kind of viruses is this. i scanned for sasser and gaobot ,
because they uses port 445.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12027565
It ISN'T a virus - this is NORMAL COMMUNICATION.
0
Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

 

Author Comment

by:skynoc
ID: 12028002
i followed the link you gave me before , i found that i did that many times before .
many computers are sending millions of packets , my routers track this traffic and they found they are attacking on port 445 and ( 135 to 138 tcp ) and port 139 udp
0
 
LVL 1

Expert Comment

by:Keravi
ID: 12036293
Port 135 on your windows machines could be DCOM and can be turned off using "dcomcnfg.exe" or using a variety of other methods, just google for "disable dcom windows" and check out the myriad of results, one should fit your scenario. Some viruses famous for exploiting this were MSBlast and Lovesan.

You mention that you see an "attack". What is the nature of this attack? How large are the packet sizes? TCP? UDP? Both? Do you have a plain text packet capture log snippet that you can share with us to help diagnose your problem?

You said that you followed the link and "did that many times before". Does this mean that you disabled port 445 as per the suggestion of LimeSMJ and a computer in question was still sending packets out on port 445?

Which side of your router is picking up this traffic? Do you have ingress filters and do they disallow internal IPs from being able to originate from outside your network?

We're going to need more information in order to solve this one.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12043549
Sounds a little out of the ordinary, in that case.
Can you identify a problem machine, and run netstat -an on it ?
Is it spawning excessive 445 connections ?
Something like Stinger would remove Sasser.  I believe Enterprise AV software becomes infected/disabled by Sasser and the likes, so reports everything as normal...

http://vil.nai.com/vil/stinger/
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
What we learned in Webroot's webinar on multi-vector protection.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question