-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > -----Original Message----- > From: John Campbell [mailto:jcampbellat_private] > Sent: Friday, September 07, 2001 2:53 PM > > In the last week, I've started seeing one to several port > sweeps per day on > port 139, of a particular nature. Typically the sweep will > hit .1 to .255 > of a 24 bit net mask sized address block (generally called, "Class > C" although this can be erroneous) four times. I have seen an increase since last week as well. However, the scans against my machines start at the top of the range and work their way down. > Have found > nothing written on > any new worms targetting this port. Source machines are largely > North American. In my case the source was always within close second octet proximity. MY site is at 65.106, and I have received scans from 65.103-65.108.... maybe a new worm of sorts? (Resurging Hybris or Explorer variant?) Regards, Frank -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.8 Comment: Free Dmitry Sklyarov ! iQA/AwUBO5lIsZytSsEygtEFEQIIDQCg2+3I7T4NPmLGzTlIpi9XvskOtscAnjVc QzT8oa6IRkxLRTMaxk8hKBqJ =+Yhw -----END PGP SIGNATURE----- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 15:25:34 PDT