
  Mark Premium join:2001-11-15 Mesa, AZ
SMB Service - Port 445
The SMB (Server Message Block) protocol is used, among other things, for file sharing in Windows NT / 2000. In Windows NT it ran on top of NBT (NetBIOS over TCP/IP), which used the famous ports 137 and 138 (UDP) and 139 (TCP). In Windows 2000, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NBT. For this they use TCP port 445.
NetWatchMan Premium,VIP join:2001-03-13 Alpharetta, GA
Re: SMB Service - Port 445
Deloader worm and update on tcp/445:
www.mynetwatchman.com/kb/securit···/445.htm
TCP port 445 is used for *direct* Microsoft Networking access. More specifically, it enables direct TCP/IP access to Microsoft Networking functions WITHOUT the need for a NetBIOS layer. This service is only implemented in the more recent versions of Windows (e.g. Windows 2000 and XP).
Hosts which are generating port probing to this port are usually worm infected. The most recent worm released with this pattern is the W32.Deloader worm (see below). Most anti-virus vendors didn't release anti-virus definitions for 2-3 days after the worm appeared, so even anti-virus-protected systems were infected.
Additionally, because Deloader uses a much more extensive password list in its password-cracking routine, we are seeing it being more prolific than earlier worms using this same technique. We are also seeing firewall-protected networks becoming infected as a result of mobile laptops, AOL connections, and other VPN connections, in much the same manner as the Opaserv worm; see: udp/137
This port is also a common target for warez hackers who seek to turn your PC into a public file server. If anti-virus scans don't find a problem, you'll have to do a manual forensic analysis to identify a possible Pubstro compromise, as shown here: mNW Pubstro Analysis Guide
-- Lawrence Baldwin, myNetWatchman, The Internet Neighborhood Watch
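The probing pattern NetWatchMan describes (one source touching many hosts on tcp/445) is easy to pick out of a firewall export. The script below is an added example, not part of the thread or of myNetWatchman's tooling: it parses a constructed, generic "timestamp action proto src dst dport" log (adjust the regex for your own firewall's format), counts distinct tcp/445 targets per source, and flags sources above a threshold. The threshold of 5 is an assumption; real worms hit far more, but a low bar catches slow scanners too.

```powershell
# Added example (not from the thread). Flags sources that probe many distinct
# hosts on tcp/445, the worm-like pattern described above.
function Find-Smb445Scanners {
    param(
        [string[]]$LogLines,
        [int]$Threshold = 5      # distinct tcp/445 targets before a source is flagged (assumption)
    )
    # Constructed log layout: "<date> <time> <action> <proto> <src-ip> <dst-ip> <dst-port>"
    $pattern = '^(?<ts>\S+ \S+) (?<action>\S+) (?<proto>\S+) (?<src>\S+) (?<dst>\S+) (?<dport>\d+)\s*$'

    $hits = foreach ($line in $LogLines) {
        if ($line -match $pattern -and $Matches['proto'] -eq 'TCP' -and $Matches['dport'] -eq '445') {
            [pscustomobject]@{ Src = $Matches['src']; Dst = $Matches['dst'] }
        }
    }

    $hits | Group-Object Src | ForEach-Object {
        $targets = @($_.Group | Select-Object -ExpandProperty Dst | Sort-Object -Unique).Count
        if ($targets -ge $Threshold) {
            [pscustomobject]@{
                Source        = $_.Name
                Tcp445Targets = $targets
                Verdict       = 'probable worm/scanner'
            }
        }
    }
}

# Constructed sample: 203.0.113.7 sweeps five hosts on 445 (flagged); 192.0.2.44 talks
# to one host on 445 and 139 (normal); 203.0.113.9 is unrelated web traffic.
$sample = @'
2003-03-09 01:12:03 DROP TCP 203.0.113.7 198.51.100.10 445
2003-03-09 01:12:03 DROP TCP 203.0.113.7 198.51.100.11 445
2003-03-09 01:12:04 DROP TCP 203.0.113.7 198.51.100.12 445
2003-03-09 01:12:04 DROP TCP 203.0.113.7 198.51.100.13 445
2003-03-09 01:12:05 DROP TCP 203.0.113.7 198.51.100.14 445
2003-03-09 01:12:09 ACCEPT TCP 192.0.2.44 198.51.100.10 445
2003-03-09 01:12:10 DROP TCP 192.0.2.44 198.51.100.10 139
2003-03-09 01:12:11 DROP TCP 203.0.113.9 198.51.100.20 80
'@ -split "`r?`n"

Find-Smb445Scanners -LogLines $sample -Threshold 5 | Format-Table -AutoSize
# Expected: one row, Source 203.0.113.7, Tcp445Targets 5
```

Distinct targets, not raw connection count, is the discriminator: a legitimate client retrying one file server produces many 445 connections to a single destination, while a worm's password-guessing phase is preceded by a sweep across many addresses.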
Krispy Premium,VIP join:2001-12-11 the stix
Windows Null Sessions Exploit and the IraqiWorm
If this port is open you are also potentially vulnerable to the Windows Null Sessions Exploit and the IraqiWorm. Many machines vulnerable to this exploit are used as zombies in denial of service attacks.
For more information on the IraqiWorm (aka Iraqi_oil) visit... www.mynetwatchman.com/kb/securit···ndex.htm
For information on disabling Windows Null Sessions visit... www.brown.edu/Facilities/CIS/CIR···ull.html
rtcpenguin Premium join:2001-01-21 Fairfax, VA
Yeah, I'm a big fan of this port.
Cleophus join:2004-03-04 V6E-1L3
Close 445 in Registry
I was reading of a registry tweak that can shut port 445 by disabling NetBT. Seems to do the trick, but I've not yet figured out the down side completely.
HKLM/System/CurrentControlSet/Services/NetBT/Parameter
Give 'TransportBindName' nil value by deleting '/Device'
I'm on XP, can't vouch for it on any other OS.
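The registry tweak above, together with the null-session restriction Krispy's post points to, as one added example (not from the thread). In the registry the key is spelled HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters and the value TransportBindName defaults to "\Device\"; emptying it stops the SMB server from binding its direct-hosted TCP transport, so nothing listens on tcp/445 after the next reboot. The down side Cleophus was unsure about is simply that the machine no longer accepts SMB over 445: clients must reach it over NBT (tcp/139), and if NetBIOS over TCP/IP is also disabled, inbound file and print sharing stops entirely. The LSA values and their meanings are as documented for Windows 2000/XP; run this elevated, and reboot afterwards because both settings are read at service start.

```powershell
# Added example (not from the thread). Closes tcp/445 and restricts null sessions.
# Assumes an NT-family Windows host (2000/XP semantics) and an elevated prompt.

$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. Record the current binding so the change can be reverted (default is '\Device\').
$before = (Get-ItemProperty -Path $netbt -Name TransportBindName).TransportBindName
"Current TransportBindName: '$before'"

# 2. Close tcp/445: an empty TransportBindName stops SMB binding its direct-hosted
#    TCP transport. This does NOT touch NBT (tcp/139); disable NetBIOS over TCP/IP
#    on each adapter if 139 must go too.
Set-ItemProperty -Path $netbt -Name TransportBindName -Value '' -Type String

# 3. Restrict null sessions. RestrictAnonymous=1 blocks anonymous enumeration of
#    accounts and shares on NT/2000 (2 on Windows 2000 refuses anonymous access
#    entirely but breaks browsing and some trusts); RestrictAnonymousSAM=1 is the
#    XP-and-later value that covers SAM account enumeration separately.
Set-ItemProperty -Path $lsa -Name RestrictAnonymous    -Value 1 -Type DWord
Set-ItemProperty -Path $lsa -Name RestrictAnonymousSAM -Value 1 -Type DWord

# 4. After the reboot, confirm nothing is listening on 445 any more.
#    Expect no output here; tcp/139 still shows unless NBT was disabled as well.
netstat -an | Select-String ':445\s+\S+\s+LISTENING'

# Revert the port change by restoring the default binding string:
# Set-ItemProperty -Path $netbt -Name TransportBindName -Value '\Device\' -Type String
```

A related point for anyone reaching for the Services console instead: the "TCP/IP NetBIOS Helper" service (lmhosts) only handles NetBIOS name resolution and does not close 445. The listener on 445 and 139 belongs to the Server service (LanmanServer); disabling that service also closes the port, at the cost of all inbound file sharing, which is a coarser tool than the TransportBindName value.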
moparman77 join:2003-11-02 London, ON
Re: Close 445 in Registry
Is it not possible to simply stop the service in Windows 2000? Under Services (in the Administrative Tools), there is one called TCP/IP NetBIOS Helper Service; if you change that to disabled, will that do it?
Shaun
moparman77 join:2003-11-02 London, ON
Actually, just a little note here, but along the same lines. I have a little laptop (old) running Windows 98SE (that's all it'll handle), and I couldn't see it with the two Win2000 machines, nor could it see the rest of the network. Then after thinking about this topic, it struck me. Windows 98SE cannot use NetBIOS over TCP/IP, so I installed the NetBIOS protocol on the Win2000 machines and all is well...