A recent surge in port 445 scanning activity could herald impending hack attacks, and industry experts have warned firms to take "immediate steps" to ensure that the affected Windows ports are secure. Gartner pointed to recent reports that security vulnerability sensors have noted an increase in activity on TCP port 445, which is associated with Microsoft's Windows Server Message Block (SMB) protocol. "This port could be used to exploit the Microsoft Incoming SMB Packet Validation Remote Buffer Overflow Vulnerability (MS05-027), a critical flaw for which Microsoft released a patch on 14 June, " warned John Pescatore, vice president and research fellow at Gartner Research. "The apparent increase in 'sniffing' on port 445 is a serious concern for enterprise security managers because it may indicate an impending mass malicious-code attack." According to Gartner, the rise in port 445 activity may indicate that, in the week since Microsoft released the Windows patch, hackers have reverse-engineered the vulnerability and developed exploit code which could be used to launch a mass attack via the widely used SMB protocol. The analyst firm urged companies to accelerate their efforts to ensure that all Windows systems are patched. If it is not practical immediately to patch systems firms should implement shielding or other "workarounds" until patching is complete. It is also advisable for Windows users to review all firewall policies, including those covering personal firewall software, to ensure that port 445 access is blocked wherever possible. Gartner further advised companies to update all intrusion prevention system filters, both network-based and host-based, to block attempts to exploit this vulnerability. Source: vnunet.com
I've been seeing tons of sweeps and malicious traffic on 445 years now, seems there's always an exploit to be found in SMB/NetBIOS. In all fairness, it's an insecure protocol that should never be Internet-facing to begin with. -AT
