Netopia 3500-LinkSys-Port 135 and 445 in Log Files??
Does anyone show port 135 and 445 showing in their Linksys Log files?

My configuration:

I just got DSL installed by SBC - Business class, 5 static IPs. Using
Netopia Cayman series gateway connected to my Linksys Router. The
Netopia has an assigned public IP address with DHCP and NAT disabled. I
have a Linksys router connected to my LAN for DHCP and NAT. My clients
are all being served a private IP (192.168.x.x) fine and can all surf
the web, no probs here.

I set my Linksys log sites and the Incoming logs to one of my clients
(192.168.1.100), but I keep getting many entries from different sites
for port 135 and 445. Questions:

1. Is it simply saying that the logs were sent to the 192.168.1.100 machine
on those ports (i.e. 135, 445 - recall that Linksys requires that a
loglinker program run on the client)? Or were those sites making
requests to my computer on those ports?
My software firewall on the client does not show any attempts?

jrivera (2)
1/5/2005 10:55:14 PM

The NAT on the Router blocks most activity. The activity is looking for "peers". As always
I suggest blocking TCP and UDP ports 135 ~ 139 and 445 on any Router. On many Linksys
models the URL is - http://192.168.1.1/Filters.htm I don't know what software you are using
to log the Router activity but I highly suggest WallWatcher -- http://www.wallwatcher.com/
This is what I use and I have logged 100's of thousands of port 445 "hits" on the WAN
address of my Router per month.
As for port 445 logging. It may be Internet worm activity. Here are some well known
I-worms that use port 445 for their infection mode. ( It is by no means a complete list )
W32/Lioten.worm - http://vil.nai.com/vil/content/v_99897.htm
W32/Deloder.worm - http://vil.nai.com/vil/content/v_100127.htm
W32/Slanper.worm - http://vil.nai.com/vil/content/v_100445.htm
W32/Stinbot.worm.b - http://vil.nai.com/vil/content/v_100736.htm
W32/Eslac.worm - http://vil.nai.com/vil/content/v_99970.htm
W32/Sluter.worm - http://vil.nai.com/vil/content/v_100443.htm
W32/Randon.worm.p - http://vil.nai.com/vil/content/v_100628.htm
--
Dave

David
1/5/2005 11:20:18 PM

"jrivera@coffeechemistry.com" <jrivera@coffeechemistry.com> writes:

>Does anyone show port 135 and 445 showing in their Linksys Log files?

Not me. But then I don't have a Linksys.

>My configuration:
>I just got DSL installed by SBC - Business class, 5 static IPs. Using
>Netopia Cayman series gateway connected to my Linksys Router. The
>Netopia has an assigned public IP address with DHCP and NAT disabled. I
>have a Linksys router connected to my LAN for DHCP and NAT. My clients
>are all being served a private IP (192.168.x.x) fine and can all surf
>the web, no probs here.

The chances are that your system is being constantly attacked by
Windows worms/viruses that are searching for exploitable software
on ports 135 and 445.

AFAIK, SBC blocks these ports for dynamic users. Since you have
static IPs you get to block them yourself. It sounds as if your
Linksys is handling the blocking and logging the attempts.

Neil
1/5/2005 11:20:45 PM
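
An added example, not part of any post in this thread: one way to check a router's incoming log for what the replies describe, by counting inbound hits on TCP/UDP ports 135-139 and 445 and listing any that were not dropped. The log format, the sample addresses and the `summarize` function are assumptions constructed for illustration; this is not Linksys or WallWatcher output.

```python
import re
from collections import Counter

# Ports the reply above suggests filtering: TCP and UDP 135-139 and 445.
WATCHED_PORTS = set(range(135, 140)) | {445}
# Constructed log format (an assumption, not a real router's format):
#   <date> <time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>
LINE_RE = re.compile(
    r"^(\S+ \S+) (TCP|UDP) (\d+\.\d+\.\d+\.\d+):(\d+) -> "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) (DROP|ACCEPT)$"
)

# Constructed sample; addresses come from documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2005-01-05 22:40:01 TCP 198.51.100.7:3312 -> 203.0.113.10:445 DROP
2005-01-05 22:40:03 TCP 198.51.100.7:3313 -> 203.0.113.10:135 DROP
2005-01-05 22:40:09 TCP 192.0.2.44:1047 -> 203.0.113.10:445 DROP
2005-01-05 22:41:15 UDP 192.0.2.90:1026 -> 203.0.113.10:137 DROP
2005-01-05 22:41:30 TCP 192.0.2.44:1050 -> 203.0.113.10:80 DROP
2005-01-05 22:42:02 TCP 198.51.100.23:4410 -> 203.0.113.10:445 ACCEPT
this line is malformed and is skipped
"""

def summarize(log_text):
    """Tally inbound hits on the watched ports; collect any not dropped."""
    hits = Counter()   # (proto, dst_port) -> number of hits
    sources = {}       # dst_port -> set of source addresses seen
    passed = []        # raw lines on watched ports whose action is not DROP
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # ignore lines that do not fit the assumed format
        _, proto, src_ip, _, _, dst_port, action = m.groups()
        port = int(dst_port)
        if port not in WATCHED_PORTS:
            continue
        hits[(proto, port)] += 1
        sources.setdefault(port, set()).add(src_ip)
        if action != "DROP":
            passed.append(line.strip())
    return hits, sources, passed

if __name__ == "__main__":
    hits, sources, passed = summarize(SAMPLE_LOG)
    for (proto, port), n in sorted(hits.items()):
        print(f"{proto}/{port}: {n} hits from {len(sources[port])} source(s)")
    for line in passed:
        print("NOT BLOCKED:", line)
```

Any line reported as not blocked means a hit on one of these ports got past the filter and the router's filter or forwarding settings need a second look.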