Port 445 Intrusion attempts on firewall?

Posted on 2009-02-14
Last Modified: 2013-11-16
I was examining one of my SonicWall firewalls I have installed and noticed some interesting traffic coming through. Well, actually the firewall is stopping it like it is supposed to be doing, but I thought I would post the file and see what some of you think.

I have been tracing IPs this morning with and some of these belong to the hosting ISP, Eschelon/Integra Telecom.  However, pretty much all of the port 445 requests are coming from out of the USA.

The first part of the attached is the ISP for some reason, but almost everything port 445 and up to 33662 looks a bit fishy.

I guess the main question here is, since a lot of these are out of the country and the SonicWall is doing its job (stopping the traffic), should there be a concern? The server doesn't host anything but internal file access and folder permissions, so no open ports to the outside world. Also, in the event that repeated attempts from the same IP are logged, is there a way to take action on the offender, or are they most likely forging their IP or tunneling it through someone else's ISP anyway?
Question by:mrjking2000
    LVL 33

    Accepted Solution

    445 is the "new" Microsoft networking port (it used to be ports 137-139, now it's 445).

    So it could be harmless - badly configured Windows machines on the internet looking for other Windows machines to talk to - or deliberate scanning looking for exposed Microsoft default shares (most MS machines expose admin$ and c$ by default; in XP and above, when "simple file sharing" is enabled, those are hidden, however).
    LVL 12

    Assisted Solution

    It's likely that these are machines infected with Conficker/Downadup that are looking for more hosts vulnerable to exploits targeting MS08-067. There's all sorts of information about this worm at and a particularly full analysis at which I'd recommend to anyone concerned about their networks.

    It's unlikely that these machines are obfuscating their IP addresses and so you could take action to block repeated attempts to contact port 445, but certainly some of these IPs will be dynamic and in any event, your firewall is doing its job and there doesn't seem to be a need to start blocking IPs.
    LVL 33

    Expert Comment

    by:Dave Howe
    As a general rule - badly configured Windows machines will try to locate peers to do their Microsoft networking with, and malicious attackers (either human or automated, such as worms) will do likewise. Your firewall should block 445 and 137-139 by default, and assuming your firewall is stateful, really inbound connections you should block by default and allow only when you need/want to, rather than the other way about (certainly for ports less than 1025 anyhow).

    Random MS networking queries and intermittent portscans are part of what is usually referred to as "internet background radiation" - my firewalls get portscanned several times per day, mostly from China, and they will usually sweep the entire IP address range and move on (usually after trying to log into my Unix-based FTP server a few times as "Administrator" :)
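
An added example, not part of the original thread or any poster's code: a short Python script that tallies dropped inbound probes to the ports named above (137-139, 445) per source address, and separately lists any such connection the firewall allowed, which is the case that would actually warrant concern. The key=value log layout, the sample lines and the function names are constructed assumptions; adapt the regex to your own firewall's export format.

```python
import re
from collections import defaultdict

SMB_PORTS = {137, 138, 139, 445}  # NetBIOS and SMB ports named in the thread

# Constructed sample lines in a simplified key=value layout (an assumption,
# not a real firewall export); addresses are documentation ranges.
SAMPLE_LOG = """\
time="2009-02-14 08:01:12" action=drop proto=tcp src=203.0.113.7:4312 dst=198.51.100.10:445
time="2009-02-14 08:01:15" action=drop proto=tcp src=203.0.113.7:4313 dst=198.51.100.10:445
time="2009-02-14 08:03:40" action=drop proto=udp src=192.0.2.44:137 dst=198.51.100.10:137
time="2009-02-14 08:05:02" action=drop proto=tcp src=203.0.113.7:4399 dst=198.51.100.10:139
time="2009-02-14 08:07:30" action=drop proto=tcp src=192.0.2.91:51515 dst=198.51.100.10:33662
time="2009-02-14 08:09:00" action=allow proto=tcp src=192.0.2.91:51520 dst=198.51.100.10:445
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'time="(?P<time>[^"]+)"\s+action=(?P<action>\w+)\s+proto=\w+\s+'
    r'src=(?P<src>[\d.]+):\d+\s+dst=[\d.]+:(?P<dport>\d+)'
)

def analyze(log_text):
    """Return (drops_by_source, allowed) for traffic aimed at SMB_PORTS."""
    drops = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    allowed = []  # SMB/NetBIOS connections that were NOT dropped
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dport"]) not in SMB_PORTS:
            continue  # malformed line or a port outside the set of interest
        if m["action"] != "drop":
            allowed.append((m["time"], m["src"], int(m["dport"])))
            continue
        entry = drops[m["src"]]
        entry["count"] += 1
        entry["ports"].add(int(m["dport"]))
        entry["first"] = entry["first"] or m["time"]
        entry["last"] = m["time"]
    return dict(drops), allowed

def repeat_sources(drops, threshold=3):
    """Sources with at least `threshold` dropped probes, busiest first."""
    hits = [(ip, e["count"]) for ip, e in drops.items() if e["count"] >= threshold]
    return sorted(hits, key=lambda pair: -pair[1])

if __name__ == "__main__":
    drops, allowed = analyze(SAMPLE_LOG)
    for ip, count in repeat_sources(drops):
        print(f"{ip}: {count} drops, ports {sorted(drops[ip]['ports'])}")
    print("allowed SMB connections:", allowed)
```
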
    LVL 1

    Author Closing Comment

    Thank you for your input on this!  Sounds like everything is working as planned and the firewall is doing its job.  Thanks for the two links to read also, good information!
