Solved

port 445 always open and sending syn ack packets.

Posted on 2004-09-10
6
1,562 Views
Last Modified: 2012-05-05
dear sir ,
i have a huge network , for about 3000 clients , using xp , win2k , 2003 , 98 , linux etc
all clients using win xp , 2000 , or 2003  are sending many packets using port 445 .
i can see the traffic from my routers
i thought it is the sasser  or the Gaobot , because it attacks on port 445 , i scanned many times with the utility that symantec provides it but nothing found .
is there any solution ?
0
Comment
Question by:skynoc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 7

Accepted Solution

by:
LimeSMJ earned 500 total points
ID: 12025055
Windows XP, 2000, and 2003 use port 445 for SMB (Server Message Blocks)... instead of using NetBIOS over TCP/IP (ports 137-139) for SMB, these operating systems can directly send SMBs over TCP/IP.  The SMB protocol is used for Microsoft File and Printer sharing, so if your network needs it, just leave it.  These packets are OK as long as they are BEHIND your firewall.  SMB's should NEVER be passed onto the Internet as it poses a very high security risk.

If you are not using File and Printer sharing on your network at all, you can disable SMBs:

http://www.uksecurityonline.com/husdg/windows2000/close445.htm

Otherwise, make sure you block port 445 on your firewall (both incoming and outgoing).
0
 

Author Comment

by:skynoc
ID: 12025937
i did this before , but nothing has been changed ,
the virus uses this port to send packets .
but what kind of viruses is this. i scanned for sasser and gaobot ,
because they uses port 445.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12027565
It ISN'T a virus - this is NORMAL COMMUNICATION.
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 

Author Comment

by:skynoc
ID: 12028002
i followed the link you gave me before , i found that i did that many times before .
many computers are sending millions of packets , my routers track this traffic and they found they are attacking on port 445 and ( 135 to 138 tcp ) and port 139 udp
0
 
LVL 1

Expert Comment

by:Keravi
ID: 12036293
Port 135 on your windows machines could be DCOM and can be turned off using "dcomcnfg.exe" or using a variety of other methods, just google for "disable dcom windows" and check out the myriad of results, one should fit your scenario. Some viruses famous for exploiting this were MSBlast and Lovesan.

You mention that you see an "attack". What is the nature of this attack? How large are the packet sizes? TCP? UDP? Both? Do you have a plain text packet capture log snippet that you can share with us to help diagnose your problem?

You said that you followed the link and "did that many times before". Does this mean that you disabled port 445 as per the suggestion of LimeSMJ and a computer in question was still sending packets out on port 445?

Which side of your router is picking up this traffic? Do you have ingress filters and do they disallow internal IPs from being able to originate from outside your network?

We're going to need more information in order to solve this one.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12043549
Sounds a little out of the ordinary, in that case.
Can you identify a problem machine, and run netstat -an on it ?
Is it spawning excessive 445 connections ?
Something like Stinger would remove Sasser.  I believe Enterprise AV software becomes infected/disabled by Sasser and the likes, so reports everything as normal...

http://vil.nai.com/vil/stinger/
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
There is a lot to be said for protecting yourself and your accounts with 2 factor authentication.  I found to my own chagrin, that there is a big downside as well.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses
Course of the Month5 days, 21 hours left to enroll

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question