(The horse is dead and starting to decompose, but I stubbornly keep
beating it for some reason I have yet to figure out.)

"Paul D. Robertson" wrote:
>
> By "sequence" I meant "Do name lookup, then go enumerate shares."
> Depending on what the worm is written with, there could be a
> "go_check_for_shares()" that does a name lookup then enumerates the
> shares- sequence being a series of events, not a method.

I just realized why a worm writer might want to contact port 137
first. Not for reasons of "getting it to work", but just because
writing a fast scanner is a lot easier for UDP (port 137) than
it is for TCP (port 139).

TCP scanning means keeping lots of sockets active if you want to
do it fast. UDP scanning using sendto()/recvfrom() calls is fast
and only requires a single socket.

Hence, I'd venture a guess that the port 137 probe is just that:
a probe. If it gets a response, it hits port 139, where the really
juicy stuff is.

$.02

(and just a general guess; I'm not saying that this is what
f.i. BugBear does.)

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
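The probe-then-connect pattern guessed at in the message above can be looked for in firewall logs. The following is an added example, not part of the original post: it flags sources that sweep several hosts on 137/udp and then open 139/tcp to one of the probed hosts shortly afterwards. The log format, the 60-second window and the fan-out threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample log (assumed format): epoch proto src dst dport
SAMPLE_LOG = """\
1034500000 udp 10.0.0.5 192.168.1.10 137
1034500000 udp 10.0.0.5 192.168.1.11 137
1034500001 udp 10.0.0.5 192.168.1.12 137
1034500002 tcp 10.0.0.5 192.168.1.11 139
1034500003 tcp 10.0.0.9 192.168.1.10 139
1034500400 udp 10.0.0.7 192.168.1.10 137
1034500900 tcp 10.0.0.7 192.168.1.10 139
"""

def parse(log):
    """Yield (ts, proto, src, dst, dport) tuples, skipping malformed lines."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, proto, src, dst, dport = fields
        yield int(ts), proto, src, dst, int(dport)

def probe_then_connect(log, window=60, min_fanout=3):
    """Return {src: {"fanout": n, "followups": [dst, ...]}} for sources that
    probed at least min_fanout hosts on 137/udp and opened 139/tcp to a
    probed host within `window` seconds of that probe."""
    probes = defaultdict(dict)     # src -> {dst: time of latest 137/udp probe}
    followups = defaultdict(list)  # src -> probed hosts later hit on 139/tcp
    for ts, proto, src, dst, dport in sorted(parse(log), key=lambda e: e[0]):
        if (proto, dport) == ("udp", 137):
            probes[src][dst] = ts
        elif (proto, dport) == ("tcp", 139):
            seen = probes[src].get(dst)
            if seen is not None and ts - seen <= window \
                    and dst not in followups[src]:
                followups[src].append(dst)
    # The fan-out threshold separates a sweep from a single
    # lookup-then-connect to one host.
    return {src: {"fanout": len(probes[src]), "followups": dsts}
            for src, dsts in followups.items()
            if len(probes[src]) >= min_fanout}

if __name__ == "__main__":
    for src, info in probe_then_connect(SAMPLE_LOG).items():
        print(src, info)
```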
This archive was generated by hypermail 2b30 : Sun Oct 13 2002 - 08:32:34 PDT