Re: [fw-wiz] Help w/ Port 137 Traffic

From: Mikael Olsson (mikael.olssonat_private)
Date: Sun Oct 13 2002 - 08:22:53 PDT

    (The horse is dead and starting to decompose, but I stubbornly keep 
    beating it for some reason I have yet to figure out.)
    
    "Paul D. Robertson" wrote:
    > 
    > By "sequence" I meant "Do name lookup, then go enumerate shares."
    > Depending on what the worm is written with, there could be a
    > "go_check_for_shares()" that does a name lookup then enumerates the
    > shares- sequence being a series of events, not a method.
    
    I just realized why a worm writer might want to contact port 137 first.
    Not for reasons of "getting it to work", but just because writing a fast
    scanner is a lot easier for UDP (port 137) than it is for TCP (port 139).
    
    TCP scanning means keeping lots of sockets active if you want to 
    do it fast. UDP scanning using sendto()/recvfrom() calls is fast
    and only requires a single socket. 
    
    Hence, I'd venture a guess that the port 137 probe is just that: a 
    probe.  If it gets a response, it hits port 139, where the really
    juicy stuff is.
    
    
    $.02 (and just a general guess; I'm not saying that this is what 
          f.i. BugBear does.)
    
    -- 
    Mikael Olsson, Clavister AB
    Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizardsat_private
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
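    The single-socket UDP probe Mikael describes, as an added example that is not part of the original message or of any code posted to the thread. It goes a little past the post: besides firing the UDP/137 probe from one unconnected socket with sendto() and draining replies with recvfrom(), it also parses the NODE STATUS RESPONSE (the "nbtstat -A" answer) so the probe result is usable. Packet layouts follow RFC 1002; the host names, MAC address and the loopback responder used for the offline demo are constructed for this example, not captured from a real host. Python 3 standard library only.

```python
"""One-socket UDP/137 probe: one unconnected UDP socket, one sendto() per target,
then drain recvfrom() until a deadline. Formats follow RFC 1002 (NetBIOS Name
Service NODE STATUS REQUEST/RESPONSE). Sample names, MAC and the loopback
responder are constructed for the offline demo (not a real host)."""
import socket
import struct
import threading
import time

NBNS_PORT = 137
NBSTAT = 0x0021      # RR type: NetBIOS node status (wildcard "*" query)
IN_CLASS = 0x0001

# Constructed sample data for the demo and self-test (name, suffix, is_group).
SAMPLE_NAMES = [("FILESRV", 0x00, False), ("WORKGROUP", 0x00, True), ("FILESRV", 0x20, False)]
SAMPLE_MAC = bytes.fromhex("001122aabbcc")


def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1002 first-level encoding: 15-char name + 1 suffix byte, every byte split
    into two nibbles with 'A' (0x41) added, wrapped as one 32-byte label. The
    wildcard '*' is padded with NULs, which is what nbtscan / nmblookup -A send."""
    pad = b"\x00" if name == "*" else b" "
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    half = bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))
    return bytes([32]) + half + b"\x00"


def build_node_status_request(txid: int) -> bytes:
    """The 50-byte probe: header with QDCOUNT=1, wildcard name, QTYPE NBSTAT, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_nb_name("*") + struct.pack("!HH", NBSTAT, IN_CLASS)


def build_node_status_response(txid: int, names, mac: bytes) -> bytes:
    """What a responding host sends back; used here only to simulate one."""
    entries = b"".join(
        n.ljust(15).encode("ascii") + bytes([sfx]) + struct.pack("!H", 0x8400 if grp else 0x0400)
        for n, sfx, grp in names)
    rdata = bytes([len(names)]) + entries + mac + bytes(40)   # 46-byte statistics, UNIT_ID (MAC) first
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response + authoritative, ANCOUNT=1
    return header + encode_nb_name("*") + struct.pack("!HHIH", NBSTAT, IN_CLASS, 0, len(rdata)) + rdata


def parse_node_status_response(data: bytes):
    """Return (txid, [(name, suffix, is_group), ...], mac) or None when the datagram
    is not a well-formed, successful NODE STATUS RESPONSE. Every length is checked
    before use: anything on the wire can answer a UDP probe."""
    if len(data) < 12:
        return None
    txid, flags, _qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    if not flags & 0x8000 or flags & 0x000F or an < 1:   # not a response / RCODE != 0 / no answer
        return None
    off = 12
    while off < len(data) and data[off]:                 # skip the encoded answer name
        off += 1 + data[off]
    off += 1
    if off + 10 > len(data):
        return None
    rr_type, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
    off += 10
    if rr_type != NBSTAT or rdlen < 1 or off + rdlen > len(data):
        return None
    num = data[off]
    off += 1
    if 1 + 18 * num + 6 > rdlen:                          # all name entries plus the MAC must fit
        return None
    names = []
    for _ in range(num):
        entry = data[off:off + 18]
        off += 18
        nflags = struct.unpack("!H", entry[16:18])[0]
        names.append((entry[:15].rstrip(b" \x00").decode("ascii", "replace"), entry[15], bool(nflags & 0x8000)))
    mac = ":".join(f"{b:02x}" for b in data[off:off + 6])
    return txid, names, mac


def scan(targets, port: int = NBNS_PORT, timeout: float = 2.0):
    """Probe every IPv4 target from ONE socket. Replies are matched on (source IP,
    txid), so a stray or forged datagram is dropped. Returns {ip: (names, mac)}."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(0.2)
    pending = {}
    for i, ip in enumerate(targets):
        txid = (0x4000 + i) & 0xFFFF
        pending[(ip, txid)] = True
        sock.sendto(build_node_status_request(txid), (ip, port))
    results = {}
    deadline = time.monotonic() + timeout
    while pending and time.monotonic() < deadline:
        try:
            data, (src, _) = sock.recvfrom(1024)
        except OSError:            # receive timeout, or an ICMP error surfaced on the socket
            continue
        parsed = parse_node_status_response(data)
        if parsed is None or not pending.pop((src, parsed[0]), False):
            continue
        results[src] = (parsed[1], parsed[2])
    sock.close()
    return results


def _fake_host(sock):
    """Loopback stand-in for a host's NBNS: answers one probe with the SAMPLE_* data."""
    data, peer = sock.recvfrom(1024)
    sock.sendto(build_node_status_response(struct.unpack_from("!H", data)[0], SAMPLE_NAMES, SAMPLE_MAC), peer)


if __name__ == "__main__":
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))                            # ephemeral port so the demo needs no privileges
    threading.Thread(target=_fake_host, args=(srv,), daemon=True).start()
    for ip, (names, mac) in scan(["127.0.0.1"], port=srv.getsockname()[1]).items():
        print(ip, mac, sorted({n for n, _, _ in names}))
```

    Against real hosts, `scan(["192.0.2.10", "192.0.2.11", ...])` with the default port does the whole sweep from one file descriptor; the TCP/139 follow-up the post mentions would need a connect() per live host, which is exactly the asymmetry Mikael points at. The (source IP, txid) check in `scan()` is the part worth keeping in any UDP scanner: a single socket receives from everyone, so an unsolicited or spoofed reply must not be counted as a hit.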



    This archive was generated by hypermail 2b30 : Sun Oct 13 2002 - 08:32:34 PDT