Tell me I don't have a hacker


Post by worker201 » Thu May 12, 2005 3:25 pm

Those graphs are insane. I can't believe how many Australians put up with that kind of thing.

Wouldn't it be smarter to mess with a different port? I mean, something like 80 or 21 is way more likely to be left open, even when firewalls are in place. I would think that attack-children would go for something that would increase their chance of access. But perhaps I'm not understanding the purpose or mechanics of such an attack.

This has gone somewhat off-topic, but I think it would be instructive to many people to know exactly what goes on, and how we can better protect ourselves (aside from simply installing Linux or setting up firewalls).
worker201
guru
Posts: 668
Joined: Sun Jun 13, 2004 6:38 pm
Location: Hawaii

Post by ZiaTioN » Thu May 12, 2005 4:12 pm

A port itself is merely a gateway. It is not the port itself that is a target but the service listening on that port. That is where the vulnerabilities are discovered, and that is the point of exploitation. The specific port is attacked because that is the known standard port that the vulnerable service runs on. If it were an SSH vulnerability the probed port would be 22. If it were a Microcrap IIS exploit the probed port would be 80, and so on.
ZiaTioN
administrator
Posts: 460
Joined: Tue Apr 08, 2003 3:28 pm

Post by Void Main » Thu May 12, 2005 8:45 pm

ZiaTioN is correct, and not only that, this is a virus doing the probing, not some skr1pt kiddie. It's all automated and it is happening on innocent people's Windows machines without them even knowing it's happening (except it will slow their network down considerably). An infected machine will scan entire blocks of IP addresses on port 445. If an unpatched Windows system is found, it automatically exploits the vulnerability and installs a copy of itself on that machine and begins to probe other blocks of IP addresses, and round and round she goes. It really eats up a significant amount of bandwidth. Like I said, we can have one infected machine at a remote branch that will hog up the entire WAN pipe between the branch and the home office.
Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA
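
Added example, not part of any post in this thread: one way to find the infected machine described above from a gateway's firewall log is to count how many distinct destinations each source has tried on TCP port 445. The log lines are constructed in the style of Linux netfilter LOG output, and the addresses, the `min_targets` threshold of 20 and the function names are assumptions for illustration.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def make_sample():
    """Constructed log lines (netfilter LOG style); not taken from the thread."""
    tmpl = ("May 12 20:45:{s:02d} gw kernel: IN=eth1 OUT=eth0 "
            "SRC={src} DST={dst} PROTO=TCP SPT={sp} DPT={dp} SYN")
    lines = []
    for i in range(1, 41):
        # 10.1.2.34 sweeps a block of addresses on 445 (worm-like fan-out)
        lines.append(tmpl.format(s=i, src="10.1.2.34",
                                 dst=f"198.51.100.{i}", sp=1024 + i, dp=445))
        # 10.1.2.50 keeps talking to one file server on 445 (normal SMB use)
        lines.append(tmpl.format(s=i, src="10.1.2.50",
                                 dst="10.1.0.5", sp=2048 + i, dp=445))
        # 10.1.2.60 reaches many web servers, but on port 80
        lines.append(tmpl.format(s=i, src="10.1.2.60",
                                 dst=f"203.0.113.{i}", sp=3072 + i, dp=80))
    lines.append("May 12 20:46:00 gw kernel: truncated PROTO=TCP DPT=445 SYN")
    return lines

def fanout_by_source(lines, port=445):
    """Map each source IP to the set of distinct hosts it sent a SYN to on `port`."""
    targets = defaultdict(set)
    for line in lines:
        f = dict(FIELD.findall(line))
        if "SRC" not in f or "DST" not in f:
            continue  # skip malformed or truncated lines
        if (f.get("PROTO") == "TCP" and f.get("DPT") == str(port)
                and "SYN" in line.split()):
            targets[f["SRC"]].add(f["DST"])
    return targets

def suspected_scanners(lines, port=445, min_targets=20):
    """Sources whose distinct-destination count on `port` reaches the threshold."""
    fan = fanout_by_source(lines, port)
    return sorted((src, len(d)) for src, d in fan.items() if len(d) >= min_targets)

if __name__ == "__main__":
    for src, count in suspected_scanners(make_sample()):
        print(f"{src} tried {count} distinct hosts on tcp/445")
```

The count is taken over whatever slice of the log is passed in, so feeding it a fixed window (for example the last few minutes) keeps a busy but healthy client from accumulating destinations over a whole day.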
