Heavy Port Activity May Indicate Hacker SMB Sniffing

Activity on one of the ports associated with Windows' Server Message Block (SMB) protocol is climbing, security giant Symantec says.

InformationWeek Staff, Contributor

June 17, 2005


Activity on one of the ports associated with Windows' Server Message Block (SMB) protocol is climbing, security giant Symantec said Friday, an indicator that hackers may be exploring a vulnerability Microsoft disclosed Tuesday.

Symantec's DeepSight network, a global collection of sensors that watch for and track developing threats, has noted a surge in activity targeting TCP port 445, which is associated with SMB-related communications on Windows machines.

"This may indicate an increase in known attacks, such as password brute forcing, or the exploitation of known vulnerabilities, or may indicate activity related to the recent Microsoft Incoming SMB Packet Validation Remote Buffer Overflow Vulnerability," said the DeepSight team in an advisory.

That vulnerability was one of the 12 patched earlier this week during Microsoft's monthly blast of security bulletins.

Microsoft advised users to block ports 139 and 445 as a temporary workaround until they could patch systems. "Blocking them at the firewall, both inbound and outbound, will help prevent systems that are behind that firewall from attempts to exploit this vulnerability," Microsoft said.
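As an added illustration (not part of the original article or of Microsoft's guidance), the following sketch checks whether a rule set actually blocks TCP ports 139 and 445 in both directions. The rule format, the first-match evaluation order and the sample rule sets are constructed assumptions, not any vendor's firewall syntax.

```python
# Added example: constructed, vendor-neutral rules (not a real firewall syntax).
# Each rule is "direction protocol port[-port] action"; the first match wins.
SMB_PORTS = (139, 445)
DIRECTIONS = ("in", "out")

def parse_rules(text):
    """Parse lines like 'in tcp 135-139 deny' into rule tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        direction, proto, ports, action = line.split()
        lo, _, hi = ports.partition("-")
        rules.append((direction, proto, int(lo), int(hi or lo), action))
    return rules

def verdict(rules, direction, proto, port, default="allow"):
    """Return the action of the first matching rule, or the default policy."""
    for r_dir, r_proto, lo, hi, action in rules:
        if r_dir in (direction, "any") and r_proto in (proto, "any") and lo <= port <= hi:
            return action
    return default

def smb_gaps(rules, default="allow"):
    """List (direction, port) pairs where TCP 139/445 is still permitted."""
    return [(d, p) for d in DIRECTIONS for p in SMB_PORTS
            if verdict(rules, d, "tcp", p, default) != "deny"]

# Constructed sample: an earlier range rule shadows the inbound 445 deny,
# and outbound 445 is never mentioned at all.
WEAK = """
in  tcp 400-500 allow   # legacy range rule, matches 445 first
in  tcp 139 deny
in  tcp 445 deny
out tcp 139 deny
"""
# Constructed corrected set: explicit denies in both directions, placed first.
FIXED = """
any tcp 139 deny
any tcp 445 deny
in  tcp 400-500 allow
"""

if __name__ == "__main__":
    print("weak :", smb_gaps(parse_rules(WEAK)))
    print("fixed:", smb_gaps(parse_rules(FIXED)))
```

The weak set shows two common ways the workaround fails silently: a broader allow rule evaluated before the deny, and an outbound direction left to the default policy.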
