The only filter my local @Home provider has in place is UDP Port 31337 (Back Orifice etc). Now granted I can't see my neighbour's system (my local area node connection), but that's about the extent of filtering here. I suspect this is why we have seen a strong and very persistent SirCam whereas other people have not.

Blake

----- Original Message -----
From: "Jason Spence" <thalakanat_private>
To: <incidentsat_private>
Sent: Monday, August 20, 2001 7:07 PM
Subject: Re: Do you know any Day 0 hacks use port 139? (fwd)

> On Mon, Aug 13, 2001 at 03:01:33PM -0600, Blake McNeill developed
> a new theory of relativity and:
> > My first guess would be that you're seeing the effects of SirCam. In addition
> > to being spread by email, SirCam, once installed, looks for open file shares on
> > other machines on the network to infect. It does this by checking port 139. If
> > you like, I have been keeping statistics concerning Red Code and SirCam on
> > my local @Home provider and have posted the resulting graphs on
> > http://members.home.net/mcneillb/. SirCam first showed up on our local ISP
> > on July 19th or 20th and has been very persistent since then with anywhere
> > from 15 - 45 probes a day to my system.
>
> That's weird, because @Home has filters set up for TCP 137-139 and 445
> on my subnet that just drop the packets on the floor:
>
> Port       State     Service
> 21/tcp     open      ftp
> 25/tcp     filtered  smtp
> 42/tcp     open      nameserver
> 80/tcp     open      http
> 135/tcp    open      loc-srv
> 137/tcp    filtered  netbios-ns
> 138/tcp    filtered  netbios-dgm
> 139/tcp    filtered  netbios-ssn
> 443/tcp    open      https
> 445/tcp    filtered  microsoft-ds
> 1080/tcp   filtered  socks
> 5631/tcp   open      pcanywheredata
>
> Outgoing is blocked too.
>
> - Jason

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
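A defender-side counterpart to the per-day probe statistics Blake describes and the share ports (139, 445) that Jason's provider filters, written here as an added example and not code from either poster: it tallies inbound TCP hits on those ports per day and lists sources that come back on more than one day. The log format and the addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample firewall log (not from the thread). Assumed format:
# "<date> <time> <proto> <src>:<sport> -> <dst>:<dport> <action>"
SAMPLE_LOG = """\
2001-08-13 09:12:04 TCP 198.51.100.17:1154 -> 192.0.2.10:139 ACCEPT
2001-08-13 09:12:05 TCP 198.51.100.17:1155 -> 192.0.2.10:445 ACCEPT
2001-08-13 11:40:22 TCP 198.51.100.201:3201 -> 192.0.2.10:139 ACCEPT
2001-08-13 12:01:09 TCP 198.51.100.201:3202 -> 192.0.2.10:80 ACCEPT
2001-08-14 02:33:51 TCP 198.51.100.44:2048 -> 192.0.2.10:139 DROP
2001-08-14 02:33:52 TCP 198.51.100.44:2049 -> 192.0.2.10:139 DROP
2001-08-14 18:20:00 TCP 198.51.100.17:1190 -> 192.0.2.10:139 ACCEPT
2001-08-15 07:00:13 UDP 198.51.100.9:137 -> 192.0.2.10:137 DROP
"""

# NetBIOS session service and Microsoft-DS: the ports a share-scanning worm
# such as SirCam knocks on, and the ones Jason's provider filters.
SHARE_PORTS = {139, 445}

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+) (?P<action>\w+)$"
)

def share_probe_events(log):
    """Yield (day, src) for every TCP packet aimed at a share port; other lines are ignored."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m["proto"] == "TCP" and int(m["dport"]) in SHARE_PORTS:
            yield m["day"], m["src"]

def share_probes_per_day(log):
    """Daily count of share-port probes, the statistic Blake tracks for SirCam."""
    return dict(Counter(day for day, _ in share_probe_events(log)))

def repeat_scanners(log, min_days=2):
    """Sources seen probing share ports on at least min_days distinct days:
    the persistent neighbours that a single day's count would not single out."""
    days_seen = defaultdict(set)
    for day, src in share_probe_events(log):
        days_seen[src].add(day)
    return sorted(src for src, days in days_seen.items() if len(days) >= min_days)

if __name__ == "__main__":
    print(share_probes_per_day(SAMPLE_LOG))   # {'2001-08-13': 3, '2001-08-14': 3}
    print(repeat_scanners(SAMPLE_LOG))        # ['198.51.100.17']
```

The UDP 137 line is deliberately left out of the counts so that NetBIOS name-service noise does not inflate the share-probe figure.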
This archive was generated by hypermail 2b30 : Mon Aug 20 2001 - 20:02:21 PDT