Re: Do you know any Day 0 hacks use port 139? (fwd)

From: Blake McNeill (mcneillbat_private)
Date: Mon Aug 20 2001 - 19:08:37 PDT


    The only filter my local @Home provider has in place is UDP Port 31337 (Back
    Orifice etc).  Now granted I can't see my neighbour's system (my local area
    node connection), but that's about the extent of filtering here.  I suspect
    this is why we have seen a strong and very persistent SirCam whereas other
    people have not.
    
    Blake
    
    
    ----- Original Message -----
    From: "Jason Spence" <thalakanat_private>
    To: <incidentsat_private>
    Sent: Monday, August 20, 2001 7:07 PM
    Subject: Re: Do you know any Day 0 hacks use port 139? (fwd)
    
    
    > On Mon, Aug 13, 2001 at 03:01:33PM -0600, Blake McNeill developed
    > a new theory of relativity and:
    > > My first guess would be that you're seeing the effects of SirCam.  In addition
    > > to being spread by email, SirCam, once installed, looks for open file shares on
    > > other machines on the network to infect.  It does this by checking port 139.  If
    > > you like, I have been keeping statistics concerning Red Code and SirCam on
    > > my local @Home provider and have posted the resulting graphs on
    > > http://members.home.net/mcneillb/.  SirCam first showed up on our local ISP
    > > on July 19th or 20th and has been very persistent since then with anywhere
    > > from 15 - 45 probes a day to my system.
    >
    > That's weird, because @Home has filters set up for TCP 137-139 and 445
    > on my subnet that just drop the packets on the floor:
    >
    > Port       State       Service
    > 21/tcp     open        ftp
    > 25/tcp     filtered    smtp
    > 42/tcp     open        nameserver
    > 80/tcp     open        http
    > 135/tcp    open        loc-srv
    > 137/tcp    filtered    netbios-ns
    > 138/tcp    filtered    netbios-dgm
    > 139/tcp    filtered    netbios-ssn
    > 443/tcp    open        https
    > 445/tcp    filtered    microsoft-ds
    > 1080/tcp   filtered    socks
    > 5631/tcp   open        pcanywheredata
    >
    > Outgoing is blocked too.
    >
    >  - Jason
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
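The per-day probe statistics Blake describes (inbound TCP 139 hits from SirCam-infected neighbours) can be pulled from a host firewall log; the following is an added example, not code from either poster, using constructed log lines in a simplified, hypothetical drop-log format and treating TCP 137-139/445 as the ports an upstream @Home-style filter would drop.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from the original post): a simplified
# host-firewall drop log with date, time, action, protocol, source -> dest:port.
SAMPLE_LOG = """\
2001-08-19 03:12:44 DROP TCP 24.0.0.10 -> 24.0.0.55:139
2001-08-19 03:12:47 DROP TCP 24.0.0.10 -> 24.0.0.55:139
2001-08-19 11:40:02 DROP TCP 24.0.0.77 -> 24.0.0.55:139
2001-08-19 11:41:10 DROP TCP 24.0.0.77 -> 24.0.0.55:80
2001-08-20 01:05:33 DROP UDP 24.0.0.88 -> 24.0.0.55:31337
2001-08-20 08:15:19 DROP TCP 24.0.0.90 -> 24.0.0.55:139
2001-08-20 08:15:22 DROP TCP 24.0.0.90 -> 24.0.0.55:445
2001-08-20 19:22:01 DROP TCP 24.0.0.10 -> 24.0.0.55:139
2001-08-20 19:30:00 DROP TCP 24.0.0.12 -> 24.0.0.55:139
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ \S+ (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+) -> [\d.]+:(?P<port>\d+)$"
)

# NetBIOS/SMB ports that the ISP filter discussed in the thread drops.
SMB_PORTS = {137, 138, 139, 445}


def parse_log(text):
    """Yield (date, proto, src, port) for every line matching the log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["date"], m["proto"], m["src"], int(m["port"])


def smb_probe_stats(text):
    """Per-day (probe count, distinct sources) for inbound TCP NetBIOS/SMB probes."""
    per_day = Counter()
    sources = defaultdict(set)
    for date, proto, src, port in parse_log(text):
        if proto == "TCP" and port in SMB_PORTS:
            per_day[date] += 1
            sources[date].add(src)
    return {d: (per_day[d], len(sources[d])) for d in sorted(per_day)}


def upstream_filter_effective(text):
    """True only if no TCP probe to 137-139/445 reached the host at all."""
    return not smb_probe_stats(text)
```

A steady stream of 139/445 hits in the output, as in the sample, is the sign that no upstream filter is in place and that share exposure has to be handled on the host itself.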



    This archive was generated by hypermail 2b30 : Mon Aug 20 2001 - 20:02:21 PDT