Ethereal-users: Re: [Ethereal-users] microsoft-ds [SYN] frames flooding my system
Harrison, Bruce wrote:
> I use Ethereal on my Linux routers. At one location, we are flooded,
> from several users, with microsoft-ds [SYN] frames going to numerous
> IP addresses outside our systems.
Going *to* addresses outside your systems, or coming *from* addresses
outside your systems?
> Most of the outside addresses are black
> holes (192.168.128.214, etc).
> I think it is part of the Fizzer Worm Virus associated with AOL IM and IRC, but am not sure.
> Can anyone shed light on what this microsoft-ds [SYN] is
Well, there's a "services" file on most UN*Xes:
$ egrep 'microsoft-ds' /etc/services
microsoft-ds 445/udp # Microsoft-DS
microsoft-ds 445/tcp # Microsoft-DS
and there's one on Windows, but I'm not sure where it's located, and I
think you'd have to use the "find" command to find "microsoft-ds" in it.
445 is the TCP port number they're trying to connect to; that'd show up
in the Ethereal trace as well, and you don't have to muck around with
text files to find it.
445 is the port number for "SMB-over-TCP", as opposed to
"SMB-over-NetBIOS-over-TCP". If you're getting a flood of them,
especially from addresses outside our site, my guess would be that
they're coming from virus-infected machines trying to break into your
system, as the SMB server in Windows is a service that's running on a
lot of server machines (file and print servers probably run it), *and*
it's probably running on a lot of desktop and laptop machines (machines
exporting "shares" to other machines on the network), so it's a good
"target of opportunity". If you're *sending* a flood of them *to*
machines running outside your site, they might be infected and either
trying to break into other machines or trying to "contact the
mothership" and send stuff to it.
> and where I can go to find more information?
You might try Googling for "worm" and "445". A Google for "fizzer worm"
and "445" didn't find anything talking about port 445 and Fizzer, but it
*did* find something talking about a W32.Deloder worm and port 445:
http://www.cert.org/advisories/CA-2003-08.html
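The reply makes two practical points: port 445 can be resolved to "microsoft-ds" from an /etc/services-style table, and the direction of the SYN flood (local machines sending to outside addresses versus outside machines sending to local ones) is what tells you whether your own hosts are infected or are being probed. The script below is an added example, not code from the thread or from Ethereal; it parses a constructed tcpdump-style capture excerpt (hypothetical addresses, with RFC 5737 documentation ranges standing in for "outside" hosts) and a constructed /etc/services excerpt, counts pure SYNs to port 445 per source, splits them by direction relative to a local prefix you supply, and reports the fan-out (distinct destinations) that distinguishes a scanning host from ordinary file-sharing traffic. The threshold value is an assumption to tune per site.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed /etc/services excerpt (the two microsoft-ds lines from the thread plus one more).
SERVICES_TEXT = """\
# Network services, Internet style
microsoft-ds    445/udp    # Microsoft-DS
microsoft-ds    445/tcp    # Microsoft-DS
netbios-ssn     139/tcp    # NETBIOS session service
"""

def parse_services(text):
    """Map (port, proto) -> service name from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue
        port, proto = parts[1].split("/", 1)
        table[(int(port), proto)] = parts[0]
    return table

# Constructed tcpdump-style lines (hypothetical hosts): 192.168.1.10 sends SYNs to four
# outside hosts on 445, one outside host probes 192.168.1.20, and 192.168.1.30 makes
# ordinary internal connections to 445 and 139.
TRACE = """\
12:00:00.001 IP 192.168.1.10.3045 > 203.0.113.5.445: Flags [S], seq 1, win 64240, length 0
12:00:00.002 IP 192.168.1.10.3046 > 203.0.113.6.445: Flags [S], seq 1, win 64240, length 0
12:00:00.003 IP 192.168.1.10.3047 > 198.51.100.7.445: Flags [S], seq 1, win 64240, length 0
12:00:00.004 IP 192.168.1.10.3048 > 198.51.100.8.445: Flags [S], seq 1, win 64240, length 0
12:00:00.005 IP 198.51.100.9.1025 > 192.168.1.20.445: Flags [S], seq 1, win 8192, length 0
12:00:00.006 IP 192.168.1.20.445 > 198.51.100.9.1025: Flags [S.], seq 1, ack 2, win 8192, length 0
12:00:00.007 IP 192.168.1.30.4001 > 192.168.1.20.445: Flags [S], seq 1, win 64240, length 0
12:00:00.008 IP 192.168.1.30.4002 > 192.168.1.20.139: Flags [S], seq 1, win 64240, length 0
"""

LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse_trace(text):
    """Yield one dict per parseable tcpdump-style line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield {
                "src": m.group("src"), "sport": int(m.group("sport")),
                "dst": m.group("dst"), "dport": int(m.group("dport")),
                "flags": m.group("flags"),
            }

def classify_syns(text, local_net, port=445):
    """Count pure SYNs (flag 'S' only, no ACK) to `port` per source address,
    split into outbound (local -> outside), inbound (outside -> local) and
    internal; also record the distinct destinations each source touched."""
    local = ipaddress.ip_network(local_net)
    outbound, inbound, internal = Counter(), Counter(), Counter()
    targets = defaultdict(set)
    for pkt in parse_trace(text):
        if pkt["dport"] != port or pkt["flags"] != "S":
            continue
        src_local = ipaddress.ip_address(pkt["src"]) in local
        dst_local = ipaddress.ip_address(pkt["dst"]) in local
        targets[pkt["src"]].add(pkt["dst"])
        if src_local and not dst_local:
            outbound[pkt["src"]] += 1
        elif dst_local and not src_local:
            inbound[pkt["src"]] += 1
        else:
            internal[pkt["src"]] += 1
    return outbound, inbound, internal, {s: len(d) for s, d in targets.items()}

def suspect_scanners(counter, fan_out, min_syns=3, min_targets=3):
    """Sources with many SYNs spread over many distinct hosts (assumed thresholds)."""
    return sorted(src for src, n in counter.items()
                  if n >= min_syns and fan_out.get(src, 0) >= min_targets)

if __name__ == "__main__":
    svc = parse_services(SERVICES_TEXT)
    print("port 445/tcp is", svc[(445, "tcp")])
    out, inb, internal, fan = classify_syns(TRACE, "192.168.1.0/24")
    print("outbound SYN/445 per local source:", dict(out))
    print("inbound SYN/445 per outside source:", dict(inb))
    print("likely infected local hosts:", suspect_scanners(out, fan))
```

Run it against real data by piping `tcpdump -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and port 445'` output into `classify_syns` with your own prefix; a local source in the outbound list with a large fan-out is the "infected machine looking for other machines" case described above, while a large inbound list is the "target of opportunity" case.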