On Mon, Aug 13, 2001 at 03:01:33PM -0600, Blake McNeill developed a new theory of relativity and:
> My first guess would be that you're seeing the effects of SirCam. In addition
> to being spread by email SirCam once installed looks for open file shares on
> other machines on the network to infect. It does this by checking port 139. If
> you like, I have been keeping statistics concerning Red Code and SirCam on
> my local @Home providers and have posted the resulting graphs on
> http://members.home.net/mcneillb/. SirCam first showed up on our local ISP
> on July 19th or 20th and has been very persistent since then with anywhere
> from 15 - 45 probes a day to my system.

That's weird, because @Home has filters set up for TCP 137-139 and 445 on my
subnet that just drop the packets on the floor:

Port       State       Service
21/tcp     open        ftp
25/tcp     filtered    smtp
42/tcp     open        nameserver
80/tcp     open        http
135/tcp    open        loc-srv
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
443/tcp    open        https
445/tcp    filtered    microsoft-ds
1080/tcp   filtered    socks
5631/tcp   open        pcanywheredata

Outgoing is blocked too.

- Jason

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Aug 20 2001 - 18:54:40 PDT