At several locations we have seen a significant elevation in scanning on TCP ports 135 AND 445. The scanning machines are scanning both ports, and seem to be doing a semi-repeated scan (sometimes attempting multiple tries at the same destination).

This looks somewhat like a worm scan or widely distributed scan which is targeting the Windows RPC port and is also looking for domain controllers (to attack? To find other targets? To authenticate with other possible targets?)

Does anyone have more information on this? Especially anybody with a Windows honeypot?

--
Nicholas C. Weaver
nweaver@cs.berkeley.edu
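
One way to look for the pattern described in this post in connection logs, as an added example that is not part of the original message: it flags sources that send bare SYNs to both TCP 135 and TCP 445 on several destinations and counts repeated tries. The log format, the addresses, the `min_targets` threshold and the function name are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records: "epoch src dst dport tcp_flags" (assumed format).
SAMPLE_LOG = """\
1000 192.0.2.10 198.51.100.1 135 S
1001 192.0.2.10 198.51.100.1 445 S
1002 192.0.2.10 198.51.100.1 135 S
1003 192.0.2.10 198.51.100.2 135 S
1004 192.0.2.10 198.51.100.2 445 S
1005 192.0.2.10 198.51.100.3 135 S
1006 192.0.2.10 198.51.100.3 445 S
1007 192.0.2.10 198.51.100.3 445 S
1008 192.0.2.20 198.51.100.1 445 S
1009 192.0.2.20 198.51.100.1 445 SA
1010 192.0.2.30 198.51.100.1 135 S
1011 192.0.2.30 198.51.100.2 135 S
1012 192.0.2.30 198.51.100.3 135 S
malformed line
"""

WATCHED = {135, 445}  # the two ports named in the post


def find_dual_port_scanners(log_text, min_targets=3):
    """Return {src: {"targets": n, "retries": m}} for sources that sent bare
    SYNs to BOTH watched ports on at least min_targets distinct destinations."""
    attempts = defaultdict(lambda: defaultdict(int))  # src -> (dst, port) -> SYNs
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit():
            continue  # skip malformed records
        _, src, dst, dport, flags = fields
        if int(dport) in WATCHED and flags == "S":
            attempts[src][(dst, int(dport))] += 1
    findings = {}
    for src, seen in attempts.items():
        by_dst = defaultdict(set)
        for dst, port in seen:
            by_dst[dst].add(port)
        # Destinations where this source probed both ports, not just one.
        both = {d for d, ports in by_dst.items() if ports == WATCHED}
        if len(both) >= min_targets:
            # Every SYN beyond the first to the same (dst, port) is a retry.
            retries = sum(n - 1 for (d, _), n in seen.items() if d in both)
            findings[src] = {"targets": len(both), "retries": retries}
    return findings


if __name__ == "__main__":
    for src, info in find_dual_port_scanners(SAMPLE_LOG).items():
        print(src, info)
```
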