Re: Do you know any Day 0 hacks use port 139? (fwd)

From: Blake McNeill (mcneillbat_private)
Date: Mon Aug 13 2001 - 14:01:33 PDT


    My first guess would be that you're seeing the effects of SirCam.  In addition
    to being spread by email, SirCam, once installed, looks for open file shares on
    other machines on the network to infect.  It does this by checking port 139.  If
    you like, I have been keeping statistics concerning Code Red and SirCam on
    my local @Home provider and have posted the resulting graphs on
    http://members.home.net/mcneillb/.  SirCam first showed up on our local ISP
    on July 19th or 20th and has been very persistent since then, with anywhere
    from 15 - 45 probes a day to my system.
    
    Blake
    
    
    ----- Original Message -----
    From: "Derek Kwan" <dkwanat_private>
    To: <incidentsat_private>
    Sent: Monday, August 13, 2001 1:27 PM
    Subject: Do you know any Day 0 hacks use port 139? (fwd)
    
    
    >
    > Since my last message, the number of port 139 scans continues to increase from
    > all over the place (but mostly from the @Home .24 network).
    >
    > As of 3:30 EST, there are already 89 scans (from 19 scans @ 02:30).
    >
    > This is very unusual, since there were only a few scans on 139 before and all
    > of a sudden there is a big jump.
    >
    > Is anyone seeing the same thing on their network?
    >
    >  \|/ _____ \|/    ***************************************************
    >  "@'/ , . \`@"    This e-mail is send with 100% recyclable electrons.
    >  /_| \___/ |__\   ***************************************************
    >     \___U_/       Derekat_private
    >
    >
    > ---------- Forwarded message ----------
    > Date: Mon, 13 Aug 2001 02:40:25 -0400 (EDT)
    > From: Derek Kwan <dkwanat_private>
    > To: Incidentsat_private
    > Subject: Do you know any Day 0 hacks use port 139?
    >
    >
    > Hello World,
    >
    >  In the past few days I have seen increased port 139 scans in the FW log.
    > Is anyone aware of whether there is a new hack, or is it just the plain old poking
    > around the "windows file sharing" service?
    >
    > Before Aug 7: almost 0 port 139 scans detected (well, sometimes maybe 1 or
    > 2 a day)
    > Aug 7: 7
    > Aug 8: 7
    > Aug 9: 4
    > Aug 10: 60
    > Aug 11: 87
    > Aug 12: 86
    > Aug 13 (from 00:00 - 02:30): 19
    >
    >
    >
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    
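    The tally Derek does by hand above (port 139 hits per day, and which source
    networks they come from), as an added example that is not part of the original
    thread and not anyone's actual firewall log.  The log line layout, the addresses
    and the thresholds are all constructed for illustration; adapt LINE_RE to your
    own firewall's format.  It parses the lines, counts TCP/139 probes per day and per
    source /24, and flags a day whose count jumps well above the day before, the kind
    of step from single digits to 60+ that Derek reports.

```python
"""Count inbound TCP/139 probes per day and per source /24 from firewall log lines.

Added example, not from the original thread.  The log layout below is an
assumption: "date time action proto src:sport -> dst:dport".
"""
import re
from collections import Counter
from ipaddress import ip_interface

# Constructed sample log; addresses and timestamps are made up for the example.
SAMPLE_LOG = """\
2001-08-09 03:12:44 DROP TCP 24.64.10.17:1045 -> 10.0.0.5:139
2001-08-09 14:50:02 DROP TCP 24.64.10.201:1131 -> 10.0.0.5:139
2001-08-09 15:01:11 DROP TCP 203.0.113.9:3389 -> 10.0.0.5:80
2001-08-10 00:05:30 DROP TCP 24.64.10.17:1088 -> 10.0.0.5:139
2001-08-10 00:06:01 DROP TCP 24.64.10.17:1089 -> 10.0.0.5:139
2001-08-10 07:22:13 DROP TCP 24.64.11.4:1102 -> 10.0.0.5:139
2001-08-10 09:40:55 DROP TCP 24.64.12.77:2231 -> 10.0.0.5:139
2001-08-10 18:13:09 DROP TCP 198.51.100.23:4011 -> 10.0.0.5:139
2001-08-10 22:47:37 DROP TCP 24.64.11.4:1108 -> 10.0.0.5:139
2001-08-10 23:59:58 DROP UDP 24.64.11.4:137 -> 10.0.0.5:137
"""

# Assumed line format; the named groups are what the rest of the code relies on.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<action>\w+) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Return one dict per line that matches LINE_RE; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def probes(records, port=139, proto="TCP"):
    """Keep only connection attempts to the given destination port and protocol."""
    return [r for r in records if r["proto"] == proto and r["dport"] == port]


def per_day(records, port=139):
    """Probe count per calendar day, keyed by ISO date string."""
    return Counter(r["date"] for r in probes(records, port))


def per_source_net(records, port=139, prefix=24):
    """Probe count per source network, aggregated at the given prefix length."""
    return Counter(
        str(ip_interface(f'{r["src"]}/{prefix}').network)
        for r in probes(records, port)
    )


def flag_jumps(day_counts, factor=3, floor=5):
    """Days whose count is at least `floor` and at least `factor` times the previous day.

    The previous day is floored at 1 so a day following a zero-count day can still
    be flagged.  Both thresholds are arbitrary choices for this example.
    """
    days = sorted(day_counts)
    flagged = []
    for prev, cur in zip(days, days[1:]):
        if day_counts[cur] >= floor and day_counts[cur] >= factor * max(day_counts[prev], 1):
            flagged.append(cur)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    daily = per_day(recs)
    for day in sorted(daily):
        print(f"{day}: {daily[day]} probes to TCP/139")
    print("jump days:", flag_jumps(daily))
    for net, n in per_source_net(recs).most_common():
        print(f"  {net:<20} {n}")
```

    Aggregating by /24 is what makes the "mostly from the @Home .24 network"
    observation testable from the log rather than from eyeballing addresses; raise
    `prefix` to 16 if you want to see whether the hits cluster by provider rather
    than by subnet.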
    



    This archive was generated by hypermail 2b30 : Mon Aug 13 2001 - 15:12:28 PDT