Re: Recent Increase in Port 139 Activity

From: maggieat_private
Date: Fri Sep 07 2001 - 16:58:29 PDT

    Does look like NetBIOS WinNuke.  I caught one on Monday from a
    houston.rr.com address.
    
    MM
    
    *********** BEGIN FORWARDED MESSAGE ***********
    
    On 9/7/2001, at 4:42 PM, Harlan S. Barney, Jr. <hsbarneyat_private>
    wrote: 
    
    >This is likely NetBIOS Port Probe.
    >
    >They started up in mid August.  They were a pain last August and
    >September.
    >
    >I see them from the Road Runner network.  RR has not yet admitted that
    >there is a problem.  
    >
    >Most firewalls will probably keep them out.  They are really only a
    >problem to Windows OS machines with sharing open.
    >
    >John Campbell wrote:
    >> 
    >> In the last week, I've started seeing one to several port sweeps per day on
    >> port 139, of a particular nature.  Typically the sweep will hit .1 to .255
    >> of a 24 bit net mask sized address block (generally called, "Class C"
    >> although this can be erroneous) four times.  Have found nothing written on
    >> any new worms targeting this port.  Source machines are largely North
    >> American.  Anyone heard or have ideas about what's going on?  My perimeter
    >> firewall's rejecting this traffic, so I get a log entry but no packet detail
    >> (yet.)
    >> 
    >> John Campbell, Information Security Engineer
    >> Washington School Information Processing Cooperative
    >>  (WSIPC)
    >> E-mail: jcampbellat_private
    >> 
    >> ----------------------------------------------------------------------------
    >> This list is provided by the SecurityFocus ARIS analyzer service.
    >> For more information on this free incident handling, management
    >> and tracking system please see: http://aris.securityfocus.com
    
    *********** END FORWARDED MESSAGE ***********
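
The sweep pattern described in the quoted report (one source hitting .1 to .255 of a /24 on port 139, four times) can be picked out of firewall deny logs by counting distinct destination hosts per source and /24. This is an added example, not part of the original thread; the log line format, the function names, the threshold and the addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed (constructed) log format, not taken from any particular firewall:
#   <timestamp> DENY TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^\S+ DENY TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def find_sweeps(lines, port=139, min_hosts=200):
    """Report sources that touched at least min_hosts addresses of one /24 on port."""
    hits = defaultdict(lambda: defaultdict(int))  # (src, /24) -> dst -> packet count
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != port:
            continue  # unparseable line or a different destination port
        try:
            src = ipaddress.IPv4Address(m["src"])
            dst = ipaddress.IPv4Address(m["dst"])
        except ValueError:
            continue  # matched the regex but is not a valid IPv4 address
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        hits[(str(src), str(net))][str(dst)] += 1
    sweeps = {}
    for key, per_host in hits.items():
        if len(per_host) >= min_hosts:
            counts = sorted(per_host.values())
            sweeps[key] = {
                "hosts": len(per_host),              # distinct targets in the /24
                "passes": counts[len(counts) // 2],  # median hits per target
                "packets": sum(counts),
            }
    return sweeps

def sample_log():
    """Constructed sample: one source sweeps 192.0.2.1-.255 four times, plus noise."""
    lines = [
        f"2001-09-07T16:{40 + p}:00 DENY TCP 198.51.100.23:{1024 + h} -> 192.0.2.{h}:139"
        for p in range(4) for h in range(1, 256)
    ]
    lines.append("2001-09-07T16:45:00 DENY TCP 203.0.113.9:4000 -> 192.0.2.10:139")
    lines.append("2001-09-07T16:45:01 DENY TCP 203.0.113.9:4001 -> 192.0.2.10:80")
    lines.append("not a firewall line")
    return lines

if __name__ == "__main__":
    for (src, net), info in find_sweeps(sample_log()).items():
        print(src, net, info)
```
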
    
    
    



    This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 17:02:11 PDT