Solved

Port 445 always open and sending SYN/ACK packets.

Posted on 2004-09-10
6
1,550 Views
Last Modified: 2012-05-05
Dear sir,
I have a huge network of about 3000 clients, using XP, Win2k, 2003, 98, Linux, etc.
All clients using Win XP, 2000, or 2003 are sending many packets using port 445.
I can see the traffic from my routers.
I thought it was Sasser or Gaobot, because it attacks on port 445; I scanned many times with the utility that Symantec provides, but nothing was found.
Is there any solution?
0
Question by:skynoc
6 Comments
 
LVL 7

Accepted Solution

by:
LimeSMJ earned 500 total points
ID: 12025055
Windows XP, 2000, and 2003 use port 445 for SMB (Server Message Block)... instead of using NetBIOS over TCP/IP (ports 137-139) for SMB, these operating systems can send SMB directly over TCP/IP.  The SMB protocol is used for Microsoft File and Printer Sharing, so if your network needs it, just leave it.  These packets are OK as long as they are BEHIND your firewall.  SMB should NEVER be passed onto the Internet, as it poses a very high security risk.

If you are not using File and Printer sharing on your network at all, you can disable SMBs:

http://www.uksecurityonline.com/husdg/windows2000/close445.htm

Otherwise, make sure you block port 445 on your firewall (both incoming and outgoing).
0
 

Author Comment

by:skynoc
ID: 12025937
I did this before, but nothing has changed.
The virus uses this port to send packets,
but what kind of virus is this? I scanned for Sasser and Gaobot,
because they use port 445.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12027565
It ISN'T a virus - this is NORMAL COMMUNICATION.
0

 

Author Comment

by:skynoc
ID: 12028002
I followed the link you gave me before; I found that I had done that many times before.
Many computers are sending millions of packets. My routers track this traffic and found that they are attacking on port 445, 135 to 138 TCP, and port 139 UDP.
0
 
LVL 1

Expert Comment

by:Keravi
ID: 12036293
Port 135 on your Windows machines could be DCOM and can be turned off using "dcomcnfg.exe" or a variety of other methods; just google for "disable dcom windows" and check out the myriad of results, one should fit your scenario. Some viruses famous for exploiting this were MSBlast and Lovesan.

You mention that you see an "attack". What is the nature of this attack? How large are the packet sizes? TCP? UDP? Both? Do you have a plain text packet capture log snippet that you can share with us to help diagnose your problem?

You said that you followed the link and "did that many times before". Does this mean that you disabled port 445 as per the suggestion of LimeSMJ and a computer in question was still sending packets out on port 445?

Which side of your router is picking up this traffic? Do you have ingress filters and do they disallow internal IPs from being able to originate from outside your network?

We're going to need more information in order to solve this one.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12043549
Sounds a little out of the ordinary, in that case.
Can you identify a problem machine, and run netstat -an on it ?
Is it spawning excessive 445 connections ?
Something like Stinger would remove Sasser.  I believe enterprise AV software becomes infected/disabled by Sasser and the like, so it reports everything as normal...

http://vil.nai.com/vil/stinger/
0
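Tim Holman's suggestion above is to take one suspect machine and look at its netstat -an output for excessive port-445 connections. The script below is an added example for this thread, not code from any of the posters: it parses constructed, Windows-style netstat -an output, counts the TCP connections toward port 445 by state, and applies a simple heuristic (the thresholds are assumptions, nothing the thread specifies) to tell a workstation talking to a couple of file servers apart from one that is half-open to dozens of addresses at once, which is what a scanning worm like Sasser looks like from the host.

```python
"""Spot Sasser-style port-445 scanning in `netstat -an` output.

Added example for this thread, not code from the original post. The netstat
excerpts below are constructed, and the thresholds in classify() are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Windows-style netstat -an line: proto, local addr:port, remote addr:port, state
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$"
)


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int  # 0 for UDP's "*:*"
    state: str        # "" for UDP lines, which carry no state


def parse_netstat(text):
    """Return one Conn per connection line; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        conns.append(Conn(proto, lip, int(lport), rip,
                          0 if rport == "*" else int(rport), state or ""))
    return conns


def summarize_port(conns, port=445):
    """Count this host's outbound TCP activity toward `port`, by state."""
    outbound = [c for c in conns if c.proto == "TCP" and c.remote_port == port]
    states = Counter(c.state for c in outbound)
    return {
        "syn_sent": states.get("SYN_SENT", 0),
        "established": states.get("ESTABLISHED", 0),
        "distinct_remotes": len({c.remote_ip for c in outbound}),
    }


def classify(summary, syn_threshold=20, remote_threshold=20):
    """Heuristic (assumed thresholds): dozens of half-open 445 connections to
    dozens of distinct hosts is scanning, not file-and-print sharing."""
    if (summary["syn_sent"] >= syn_threshold
            and summary["distinct_remotes"] >= remote_threshold):
        return "worm-like scanning"
    return "normal file sharing"


# Constructed sample: a healthy workstation with two mapped drives.
SAMPLE_NORMAL = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      192.168.1.5:445        ESTABLISHED
  TCP    192.168.1.10:1046      192.168.1.6:445        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def make_scanner_sample(n=30):
    """Constructed sample: a host half-open to `n` sequential addresses on 445,
    the pattern Sasser leaves while it sweeps for targets."""
    lines = ["  Proto  Local Address          Foreign Address        State",
             "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING"]
    for i in range(n):
        lines.append(f"  TCP    192.168.1.77:{1100 + i}   10.0.0.{i + 1}:445   SYN_SENT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for label, text in (("workstation A", SAMPLE_NORMAL),
                        ("workstation B", make_scanner_sample())):
        summary = summarize_port(parse_netstat(text))
        print(f"{label}: {summary} -> {classify(summary)}")
```

Normal SMB use shows a handful of ESTABLISHED sessions to known file servers; a Sasser-style scanner leaves a long tail of SYN_SENT entries to unrelated, often unreachable addresses, because it is probing random targets faster than they can answer. The same counting logic applies to router flow or syslog data if you key on source address and count distinct destinations per source, which is how to find the problem machines across 3000 clients rather than visiting them one at a time.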
