On Sun Oct 13 17:22:53 2002, Mikael Olsson wrote:
Mikael>
Mikael> (The horse is dead and starting to decompose, but I stubbornly keep
Mikael> beating it for some reason I have yet to figure out.)
Mikael>
Mikael> "Paul D. Robertson" wrote:
Mikael> >
Mikael> > By "sequence" I meant "Do name lookup, then go enumerate shares."
Mikael> > Depending on what the worm is written with, there could be a
Mikael> > "go_check_for_shares()" that does a name lookup then enumerates the
Mikael> > shares- sequence being a series of events, not a method.
Mikael>
Mikael> Hence, I'd venture a guess that the port 137 probe is just that: a
Mikael> probe. If it gets a response, it hits port 139, where the really
Mikael> juicy stuff is.

Which is exactly what it does (you can make the test by leaving open udp 137
but blocking tcp 139 and you will soon log many tcp 139 connection attempts).

Vincent.
--
 .~.    Vincent Haverlant -- Galadril -- #ICQ: 35695155
 /V\    http://www.haverlant.org/
/( )\   Parinux (http://www.parinux.org/)
^^-^^   MUD -- FranDUMII (http://perso.enst.fr/~frandum/)
_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
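The probe-then-connect sequence discussed in this message can be confirmed from firewall logs by correlating each UDP/137 probe with later TCP/139 attempts from the same source to the same target. The following is an added example, not part of the original message or thread; the log line format, the sample entries and the function name `correlate` are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample firewall log (format and addresses are assumptions,
# not taken from the thread). UDP/137 is allowed, TCP/139 is blocked.
SAMPLE_LOG = """\
2002-10-13T17:00:01 ALLOW UDP 198.51.100.7:1027 -> 192.0.2.10:137
2002-10-13T17:00:03 DENY TCP 198.51.100.7:1031 -> 192.0.2.10:139
2002-10-13T17:00:04 DENY TCP 198.51.100.7:1032 -> 192.0.2.10:139
2002-10-13T17:01:10 DENY TCP 203.0.113.9:4000 -> 192.0.2.10:139
2002-10-13T17:02:00 ALLOW UDP 203.0.113.44:1050 -> 192.0.2.11:137
2002-10-13T17:20:00 DENY TCP 203.0.113.44:1051 -> 192.0.2.11:139
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(\S+) (ALLOW|DENY) (UDP|TCP) "
    r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

def correlate(log_text, window_seconds=60):
    """Return {(src, dst): [delay_seconds, ...]} for TCP/139 attempts that
    follow a UDP/137 probe from the same source to the same target."""
    window = timedelta(seconds=window_seconds)
    last_probe = {}  # (src, dst) -> time of the most recent UDP/137 probe
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a recognisable entry
        ts, _action, proto, src, dst, dport = m.groups()
        when = datetime.fromisoformat(ts)
        key = (src, dst)
        if proto == "UDP" and dport == "137":
            last_probe[key] = when
        elif proto == "TCP" and dport == "139" and key in last_probe:
            delay = when - last_probe[key]
            # Count only attempts that follow the probe within the window.
            if timedelta(0) <= delay <= window:
                hits.setdefault(key, []).append(int(delay.total_seconds()))
    return hits

if __name__ == "__main__":
    for (src, dst), delays in correlate(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {len(delays)} TCP/139 attempts "
              f"after a UDP/137 probe, delays {delays}s")
```

A TCP/139 attempt with no preceding probe, or one that arrives outside the window, is not counted as part of the sequence.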