Welcome to the most active Linux Forum on the web.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 04-11-2010, 07:48 PM   #1
LQ Newbie
Registered: Apr 2010
Posts: 3

Rep: Reputation: 0
Incoming connections on 445

Its been really bugging me that whenever I scan my connection with wireshark I see this one person sending me a SYN packet every minute on port 445. I know this is the dangerous port that the Conficker worm travels along. So far my computer seems to be immune and I know, at least on the Linux side that I can just add a rule to my ip tables to block that port indefinitely. I want to know what the next step is.

00 0c 41 b2 e4 1d 00 11 09 b2 2f 0e 08 00 45 00
00 30 91 84 40 00 80 06 d1 c7 46 4f 86 29 XX XX
XX XX 10 43 01 bd 9e 23 d6 27 00 00 00 00 70 02
ff ff 65 58 00 00 02 04 05 b4 01 01 04 02

This is one of the packet captures I am getting. After sending me this and getting no reply, all of a sudden he goes up an ip. Basically this would be the pseudocode for what it looks like hes doing on my end.

for(int i = 1; i != 255; i++){
send_connection_attempt("XX.XX.XX." + i);

To me this looks like this guy has hijacked a computer and is using it to run a script over. He is still scanning my network as I said earlier, what should I do? Should I contact my ISP? or just nail down the hatches and make sure nothing is exposed on my network?
Old 04-11-2010, 08:09 PM   #2
Registered: Jan 2007
Location: Canton, MI
Distribution: CentOS, SuSE, Red Hat, Debian, etc.
Posts: 703

Rep: Reputation: 99
Port 445 is used by Microsoft file sharing. This is likely a virus or worm
that the other guy isn't aware of. Best thing is to keep your firewall
running and double-check your security settings.

It's a good idea to notify your ISP, although they might not be able to
do much. Ask them if they want to know when there are problems like this.
Old 04-11-2010, 08:39 PM   #3
Senior Member
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Rep: Reputation: 250Reputation: 250Reputation: 250
You must be able to see where the connections are coming from, so you can block that ip in iptables, either permanently or using a blacklist. Blocking the port is a bit drastic.

You could rate limit it instead

Also, you can use that incoming ip to find out who is responsible for that net block and send an email to their abuse department. You don't always get a response, but at least you've tried.
Old 04-11-2010, 09:01 PM   #4
LQ Newbie
Registered: Apr 2010
Posts: 3

Original Poster
Rep: Reputation: 0
ip tables is fine for linux, but its windows I am worried about. I play games on that OS and my mother also does serious things on her computer too. I really need to build a firewall server one of these days.

But I am curious about how I would go about using their ip and contacting the abuse department you mentioned?


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
incoming connections with iptables willyweedle Linux - Networking 2 08-05-2007 02:33 PM
cannot Allowing Incoming X Connections with xhost + libin88 Linux - Enterprise 1 11-09-2005 03:25 PM
Listening for incoming connections vital_101 Mandriva 9 09-20-2005 08:26 PM
restricting incoming connections, using sockets SoulSkorpion Programming 2 10-20-2004 03:15 AM
Sendmail and incoming connections mike_smith Linux - Networking 3 01-19-2004 06:05 PM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:04 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration