Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

port 445 always open and sending syn ack packets.

Posted on 2004-09-10
6
Medium Priority
?
1,591 Views
Last Modified: 2012-05-05
dear sir ,
i have a huge network , for about 3000 clients , using xp , win2k , 2003 , 98 , linux etc
all clients using win xp , 2000 , or 2003  are sending many packets using port 445 .
i can see the traffic from my routers
i thought it is the sasser  or the Gaobot , because it attacks on port 445 , i scanned many times with the utility that symantec provides it but nothing found .
is there any solution ?
0
Comment
Question by:skynoc
6 Comments
 
LVL 7

Accepted Solution

by:
LimeSMJ earned 1500 total points
ID: 12025055
Windows XP, 2000, and 2003 use port 445 for SMB (Server Message Blocks)... instead of using NetBIOS over TCP/IP (ports 137-139) for SMB, these operating systems can directly send SMBs over TCP/IP.  The SMB protocol is used for Microsoft File and Printer sharing, so if your network needs it, just leave it.  These packets are OK as long as they are BEHIND your firewall.  SMB's should NEVER be passed onto the Internet as it poses a very high security risk.

If you are not using File and Printer sharing on your network at all, you can disable SMBs:

http://www.uksecurityonline.com/husdg/windows2000/close445.htm

Otherwise, make sure you block port 445 on your firewall (both incoming and outgoing).
0
 

Author Comment

by:skynoc
ID: 12025937
i did this before , but nothing has been changed ,
the virus uses this port to send packets .
but what kind of viruses is this. i scanned for sasser and gaobot ,
because they uses port 445.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12027565
It ISN'T a virus - this is NORMAL COMMUNICATION.
0
Ready for your healthcare security check-up?

In the past few years, healthcare organizations have become a prime target for advanced attacks. Does your organization have what it needs to defend itself? Schedule your healthcare security check-up today and download our free Healthcare Security Resource Kit today!

 

Author Comment

by:skynoc
ID: 12028002
i followed the link you gave me before , i found that i did that many times before .
many computers are sending millions of packets , my routers track this traffic and they found they are attacking on port 445 and ( 135 to 138 tcp ) and port 139 udp
0
 
LVL 1

Expert Comment

by:Keravi
ID: 12036293
Port 135 on your windows machines could be DCOM and can be turned off using "dcomcnfg.exe" or using a variety of other methods, just google for "disable dcom windows" and check out the myriad of results, one should fit your scenario. Some viruses famous for exploiting this were MSBlast and Lovesan.

You mention that you see an "attack". What is the nature of this attack? How large are the packet sizes? TCP? UDP? Both? Do you have a plain text packet capture log snippet that you can share with us to help diagnose your problem?

You said that you followed the link and "did that many times before". Does this mean that you disabled port 445 as per the suggestion of LimeSMJ and a computer in question was still sending packets out on port 445?

Which side of your router is picking up this traffic? Do you have ingress filters and do they disallow internal IPs from being able to originate from outside your network?

We're going to need more information in order to solve this one.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12043549
Sounds a little out of the ordinary, in that case.
Can you identify a problem machine, and run netstat -an on it ?
Is it spawning excessive 445 connections ?
Something like Stinger would remove Sasser.  I believe Enterprise AV software becomes infected/disabled by Sasser and the likes, so reports everything as normal...

http://vil.nai.com/vil/stinger/
0

Featured Post

Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware, the malware that locks down its victim’s files until they pay up, has always been a frustrating issue to deal with. However, a recent mobile ransomware will make the issue a little more personal… by sharing the victim’s mobile browsing h…
Your business may be under attack from a silent enemy that is hard to detect. It works stealthily in the shadows to access and exploit your critical business information, sensitive confidential data and intellectual property, for commercial gain. T…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question