Port 445 always open and sending SYN/ACK packets.

Dear sir,
I have a huge network of about 3000 clients, using XP, Win2k, 2003, 98, Linux etc.
All clients using Win XP, 2000 or 2003 are sending many packets using port 445.
I can see the traffic from my routers.
I thought it was Sasser or Gaobot, because they attack on port 445; I scanned many times with the utility that Symantec provides, but nothing was found.
Is there any solution?
skynocAsked:
LimeSMJ Commented:
Windows XP, 2000 and 2003 use port 445 for SMB (Server Message Block)... instead of using NetBIOS over TCP/IP (ports 137-139) for SMB, these operating systems can send SMB directly over TCP/IP.  The SMB protocol is used for Microsoft File and Printer Sharing, so if your network needs it, just leave it.  These packets are OK as long as they stay BEHIND your firewall.  SMB should NEVER be passed onto the Internet, as it poses a very high security risk.

If you are not using File and Printer sharing on your network at all, you can disable SMBs:

http://www.uksecurityonline.com/husdg/windows2000/close445.htm

Otherwise, make sure you block port 445 on your firewall (both incoming and outgoing).
0
 
skynocAuthor Commented:
I did this before, but nothing has changed;
the virus uses this port to send packets.
But what kind of virus is this? I scanned for Sasser and Gaobot,
because they use port 445.
0
 
Tim HolmanCommented:
It ISN'T a virus - this is NORMAL COMMUNICATION.
0
 
skynocAuthor Commented:
I followed the link you gave me before, and found that I had done that many times before.
Many computers are sending millions of packets; my routers track this traffic and found they are attacking on port 445, 135 to 138 TCP, and port 139 UDP.
0
 
KeraviCommented:
Port 135 on your Windows machines could be DCOM, and it can be turned off using "dcomcnfg.exe" or a variety of other methods; just google "disable dcom windows" and check out the myriad results, one should fit your scenario. Some viruses famous for exploiting this were MSBlast and Lovesan.

You mention that you see an "attack". What is the nature of this attack? How large are the packet sizes? TCP? UDP? Both? Do you have a plain text packet capture log snippet that you can share with us to help diagnose your problem?

You said that you followed the link and "did that many times before". Does this mean that you disabled port 445 as per the suggestion of LimeSMJ and a computer in question was still sending packets out on port 445?

Which side of your router is picking up this traffic? Do you have ingress filters and do they disallow internal IPs from being able to originate from outside your network?

We're going to need more information in order to solve this one.
0
 
Tim HolmanCommented:
Sounds a little out of the ordinary, in that case.
Can you identify a problem machine and run netstat -an on it?
Is it spawning excessive 445 connections?
Something like Stinger would remove Sasser.  I believe enterprise AV software becomes infected/disabled by Sasser and the like, so it reports everything as normal...

http://vil.nai.com/vil/stinger/
0
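The netstat -an check suggested above, worked through as an added example (this is not code from the thread or from any participant): it parses the Windows netstat -an layout, separates the few ESTABLISHED file-sharing sessions a normal client has from a burst of half-open SYN_SENT connections to consecutive addresses, which is what a Sasser-style sweep of port 445 looks like on the infected host. The netstat snippets are constructed samples, not captures from the asker's network, and the threshold of 20 half-open targets and the 80% adjacency ratio are illustrative assumptions, not values from the page.

```python
"""Added example: tell normal SMB use from worm-style scanning in `netstat -an` output.

Not from the original thread. Assumes the Windows `netstat -an` column layout
(Proto, Local Address, Foreign Address, State); the thresholds are illustrative.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple

SMB_PORTS = {135, 139, 445}  # the ports the thread mentions

# One connection row of Windows netstat -an; UDP rows have "*:*" and no State column.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<lip>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<rip>\S+):(?P<rport>\d+|\*)(?:\s+(?P<state>[A-Z_]+))?\s*$"
)


class Conn(NamedTuple):
    proto: str
    remote_ip: str
    remote_port: int  # 0 when netstat prints "*"
    state: str        # "" for UDP rows


def parse_netstat(text: str) -> List[Conn]:
    """Parse the connection rows of `netstat -an`; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        rport = 0 if m["rport"] == "*" else int(m["rport"])
        # IPv6 foreign addresses are printed as [addr]:port; strip the brackets.
        conns.append(Conn(m["proto"], m["rip"].strip("[]"), rport, m["state"] or ""))
    return conns


def smb_scan_report(text: str, syn_threshold: int = 20) -> Dict[str, object]:
    """Flag a host whose half-open SMB connections look like a worm sweep.

    A scanning worm leaves many SYN_SENT entries to SMB ports on consecutive
    addresses that never answer; normal file/print sharing shows a handful of
    ESTABLISHED sessions to known servers.  Thresholds are assumptions.
    """
    conns = [c for c in parse_netstat(text) if c.proto == "TCP" and c.remote_port in SMB_PORTS]
    half_open = sorted({c.remote_ip for c in conns if c.state == "SYN_SENT"},
                       key=lambda ip: int(ipaddress.ip_address(ip)))
    established = {c.remote_ip for c in conns if c.state == "ESTABLISHED"}

    # Share of half-open targets that are numerically adjacent: near 1.0 for a sequential sweep.
    ints = [int(ipaddress.ip_address(ip)) for ip in half_open]
    adjacent = sum(1 for a, b in zip(ints, ints[1:]) if b - a == 1)
    sequential = len(ints) > 1 and adjacent / (len(ints) - 1) >= 0.8

    scanning = len(half_open) >= syn_threshold or (sequential and len(half_open) >= 5)
    return {
        "half_open_targets": len(half_open),
        "established_peers": len(established),
        "sequential_sweep": sequential,
        "verdict": "scanning" if scanning else "normal",
    }


def build_samples():
    """Constructed netstat -an snippets (not real captures): a normal client and a sweeping one."""
    header = ("Active Connections\n\n"
              "  Proto  Local Address          Foreign Address        State\n"
              "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING\n")
    normal = header + (
        "  TCP    10.1.2.50:1025         10.1.2.10:445          ESTABLISHED\n"
        "  TCP    10.1.2.50:1026         10.1.2.11:445          ESTABLISHED\n"
        "  TCP    10.1.2.50:1027         10.1.2.11:139          TIME_WAIT\n"
        "  UDP    10.1.2.50:137          *:*\n"
    )
    # An infected client walking 10.1.3.1 .. 10.1.3.30 on port 445, all still half-open.
    infected = header + "".join(
        f"  TCP    10.1.2.50:{1100 + i}         10.1.3.{i + 1}:445          SYN_SENT\n"
        for i in range(30)
    )
    return normal, infected


if __name__ == "__main__":
    for label, sample in zip(("normal client", "suspect client"), build_samples()):
        print(label, smb_scan_report(sample))
```

Run it on a real machine by piping the output of netstat -an into smb_scan_report; a host that reports "scanning" is the one to pull off the network and clean, while a few ESTABLISHED peers and no half-open connections is just file sharing doing its job.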