Port 445 Intrusion attempts on firewall?

I was examining one of my sonicwall firewalls I have installed and noticed some interesting traffic coming through.  Well actually the firewall is stopping it like it is supposed to be doing, but I thought I would post the file and see what some of you think.

I have been tracing IPs this morning with ARIN.net and some of these belong to the hosting ISP, Eschelon/Integra Telecom.  However, pretty much all of the port 445 requests are coming from out of the USA.

The first part of the attached is the ISP for some reason, but almost everything port 445 and up to 33662 looks a bit fishy.

I guess the main question here is since a lot of these are out of the country, and the sonicwall is doing its job (stopping the traffic) should there be a concern?  The server doesn't host anything but internal file access and folder permissions, so no open ports to the outside world.  Also in the event that repeated attempts from the same IP are logged, is there a way to take action on the offender or are they most likely forging their IP or tunneling it through someone else's ISP anyway?
Sonicwall-Log.xls
Dave Howe commented:
445 is the "new" Microsoft networking port (it used to be ports 137-139; now it's 445).

So it could be harmless - badly configured Windows machines on the internet looking for other Windows machines to talk to - or deliberate scanning looking for exposed Microsoft default shares (most MS machines expose admin$ and c$ by default; in XP and above, when "simple file sharing" is enabled, those are hidden, however).
jahboite commented:
It's likely that these are machines infected with Conficker/Downadup that are looking for more hosts vulnerable to exploits targeting MS08-067.  There's all sorts of information about this worm at http://isc.sans.org/diary.html?storyid=5860 and a particularly full analysis at http://mtc.sri.com/Conficker/ which I'd recommend to anyone concerned about their networks.

It's unlikely that these machines are obfuscating their IP addresses, and so you could take action to block repeated attempts to contact port 445, but certainly some of these IPs will be dynamic, and in any event your firewall is doing its job and there doesn't seem to be a need to start blocking IPs.
Dave Howe commented:
As a general rule, badly configured Windows machines will try to locate peers to do their Microsoft networking with, and malicious attackers (either human or automated, such as worms) will do likewise. Your firewall should block 445 and 137-139 by default, and assuming your firewall is stateful, inbound connections really should be blocked by default and allowed only when you need/want to, rather than the other way about (certainly for ports less than 1025, anyhow).

Random MS networking queries and intermittent portscans are part of what is usually referred to as "internet background radiation" - my firewalls get portscanned several times per day, mostly from China, and they will usually sweep the entire IP address range and move on (usually after trying to log into my Unix-based FTP server a few times as "Administrator" :)
mrjking2000 (Author) commented:
Thank you for your input on this!  Sounds like everything is working as planned and the firewall is doing its job.  Thanks for the two links to read also, good information!