Sasser ports

  • Thread starter Thread starter John
  • Start date Start date
J

John

Sasser scans on port 445. I've also read some sources that
claim it scans on different ports:
139
(http://www.microsoft.com/technet/Security/alerts/sasser.mspx
under PREVENTION), 1025+ (can't find the link anymore), or
1068+ (http://vil.nai.com/vil/content/v_125007.htm under
Symptoms)

Only 445 has come up consistently though (excluding 5554
and 9996 of course). Then there's a trojan that scans
137-139 and 445
http://www.sarc.com/avcenter/venc/data/hacktool.lsasssba.html
but I'm not sure if this is the same as the sasser worm. So
what ports for sure besides 445 is sasser using?
 
John said:
Sasser scans on port 445. I've also read some sources that
claim it scans on different ports:
139
(http://www.microsoft.com/technet/Security/alerts/sasser.mspx
under PREVENTION), 1025+ (can't find the link anymore), or
1068+ (http://vil.nai.com/vil/content/v_125007.htm under
Symptoms)

Only 445 has come up consistently though (excluding 5554
and 9996 of course). Then there's a trojan that scans
137-139 and 445
http://www.sarc.com/avcenter/venc/data/hacktool.lsasssba.html
but I'm not sure if this is the same as the sasser worm. So
what ports for sure besides 445 is sasser using?
Click to expand...

Connects to destination port 445
Starts an FTP server listening on port 5554
Runs a remote shell on port 9996

AFAIK 139 is not used at all.

Andy.
 
Connects to destination port 445
Starts an FTP server listening on port 5554
Runs a remote shell on port 9996

AFAIK 139 is not used at all.
Click to expand...

Do note that different variants of Sasser may use different port numbers.
 
Back
Top