TCP 445 and 139

By stahler
I have a lot of traffic over those ports from various machines. Machines have been patched and have Norton AV. Ran the Welchia and Blaster fixes from Norton. Ran the Stinger from McAfee. Ran Norton in safe mode. Nothing finds a virus. Also checked the registry and services. Nothing seems to work. Any suggestions?

by stahler In reply to TCP 445 and 139

I can see the computers searching for new ones, like Source 10.10.1.10 Destination 10.10.100.1,
Source 10.10.1.10 Destination 10.10.100.2, and so on.

by jschein In reply to TCP 445 and 139

Based on my experience, it seems like a DDoS worm/Trojan is spreading via
port 445, which is the Microsoft Windows 2000 & XP "SMB over TCP" port.
Most of these types of worm/Trojan will look for an open port 445 and use the
guessable "users list" with the "password dictionary" within the worm/Trojan
files to try to compromise the systems. Guessable users are usually like
"administrator", "admin", "test", "guest", "root", etc.

This type of worm/Trojan spreads by scanning random IPs and then starts guessing
the user and password combinations; therefore, if you are a target, you will
see several attempts from the attackers in a short period of time. If you
are compromised, this worm/Trojan can spread very quickly.

I analyzed the original mIRC (port 445) worm/Trojan back in Sept. 2002, and
it can be found at http://www.klcconsulting.net/mirc_virus_analysis.htm.
There have been several variants, and simplified versions of the worm like
Iraq_Oil.

The only good defense is to block ports 445 and 139 on your
firewall, and set strong passwords for every user on your network, including
administrator accounts.


Also, port 139 is associated with the Qaz worm and Bugbear. I am sure there are others I have missed. If this is happening inside your network, someone is infected. Check your logs to see which PC is initiating the scan. Lock them down; the virus/Trojan is there. Remember, some antivirus programs do not detect any or some Trojans...

Run Ad-Aware on these PCs, as Ad-Aware has been known to get rid of backdoor Trojans such as these.

Good luck
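The advice above (find the PC that is initiating the scan in your logs) and the pattern stahler described (one source walking 10.10.100.1, 10.10.100.2, ... on the SMB ports) can be turned into a small log check. The script below is an added example, not code from this thread or from any of the products mentioned; it assumes a simple "timestamp src=... dst=... dport=..." log format (adapt the regex to your firewall's format) and uses a constructed sample log. A source that reaches many distinct destinations on 135, 139 or 445 inside a short window is the machine to pull off the network first; a client repeatedly talking to one file server is not flagged.

```python
"""Flag hosts that sweep SMB/NetBIOS/RPC ports (135, 139, 445) across many peers.

Added example for this thread, not code from the original posts. The log
line format and the sample log below are assumptions/constructed data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Ports the worms discussed in the thread propagate over (RPC, NetBIOS-SSN, SMB).
WORM_PORTS = {135, 139, 445}

# Assumed log format: "YYYY-MM-DD HH:MM:SS src=A.B.C.D dst=A.B.C.D dport=N"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dport"])


def find_scanners(lines, min_targets=10, window=timedelta(seconds=60)):
    """Return {src: set_of_all_targets} for every source that contacted at least
    min_targets distinct hosts on a worm port within any `window`-long period."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than crash the sweep
        ts, src, dst, dport = rec
        if dport in WORM_PORTS:
            events[src].append((ts, dst))

    scanners = {}
    for src, evs in events.items():
        evs.sort()  # time order so the sliding window below is valid
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {d for _, d in evs[start:end + 1]}
            if len(distinct) >= min_targets:
                scanners[src] = {d for _, d in evs}  # report everything it touched
                break
    return scanners


def sequential_sweep(targets):
    """True if the targets form a contiguous address run (x.1, x.2, x.3 ...),
    the hallmark of a worm walking a subnet rather than normal client traffic."""
    nums = sorted(int(ipaddress.ip_address(t)) for t in targets)
    return len(nums) >= 2 and all(b - a == 1 for a, b in zip(nums, nums[1:]))


# Constructed sample log (not real traffic): one host sweeps 10.10.100.1-12 on
# 445 every 2 s; a normal client hits its file server on 445 repeatedly; plus
# a non-worm port and a garbled line.
SAMPLE_LOG = [
    f"2003-09-15 10:00:{2 * i:02d} src=10.10.1.10 dst=10.10.100.{i + 1} dport=445"
    for i in range(12)
] + [
    f"2003-09-15 10:00:{5 * i:02d} src=10.10.1.20 dst=10.10.1.5 dport=445"
    for i in range(8)
] + [
    "2003-09-15 10:00:30 src=10.10.1.10 dst=10.10.100.99 dport=80",
    "garbled line from the logger",
]


if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE_LOG).items():
        kind = "sequential sweep" if sequential_sweep(targets) else "scattered"
        print(f"{src}: {len(targets)} targets on worm ports ({kind}) -> isolate and clean")
```

Run it against your own export with the regex adjusted; the source it prints is the infected machine, regardless of whether the resident AV finds anything on it.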

by jschein In reply to

OK then... also do answer #3. This will remove the viruses that propagate on ports 135 & 139.

by Steven Rosson In reply to TCP 445 and 139

Port 139 is a NetBIOS port that is used for file and printer sharing. Make sure file and printer sharing are disabled. Port 445 is for Microsoft Directory Services. Visit http://grc.com/port_137.htm for detailed information about both ports. Also, http://grc.com/port_445.htm further explains port 445.

by stahler In reply to TCP 445 and 139

It was port 135. Sorry about that. I think the Trojan is the right direction, but I am at a loss. I am about to start formatting infected machines!

by s.u.n In reply to TCP 445 and 139

Download Stinger from:
http://vil.nai.com/vil/stinger

Maybe your AV is not functioning properly.

Also do an ipconfig /all and paste it here.
There could be a problem with DNS etc.
Check the default routes also.
