Does look like NetBIOS WinNuke. I caught one on Monday from a houston.rr.com address.

MM

*********** BEGIN FORWARDED MESSAGE ***********

On 9/7/2001, at 4:42 PM, Harlan S. Barney, Jr. <hsbarneyat_private> wrote:

>This is likely NetBIOS Port Probe.
>
>They started up in mid August. They were a pain last August and
>September.
>
>I see them from the Road Runner network. RR has not yet admitted that
>there is a problem.
>
>Most firewalls will probably keep them out. They are really only a
>problem to Windows OS machines with sharing open.
>
>John Campbell wrote:
>>
>> In the last week, I've started seeing one to several port sweeps per day on
>> port 139, of a particular nature. Typically the sweep will hit .1 to .255
>> of a 24 bit net mask sized address block (generally called, "Class C"
>> although this can be erroneous) four times. Have found nothing written on
>> any new worms targeting this port. Source machines are largely North
>> American. Anyone heard or have ideas about what's going on? My perimeter
>> firewall's rejecting this traffic, so I get a log entry but no packet detail
>> (yet.)
>>
>> John Campbell, Information Security Engineer
>> Washington School Information Processing Cooperative
>> (WSIPC)
>> E-mail: jcampbellat_private
>>
>> ----------------------------------------------------------------------------
>> This list is provided by the SecurityFocus ARIS analyzer service.
>> For more information on this free incident handling, management
>> and tracking system please see: http://aris.securityfocus.com

*********** END FORWARDED MESSAGE ***********
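
The sweep pattern described in the thread (one source hitting most of a /24 on port 139, several times over) can be picked out of firewall reject logs. This is an added example, not part of the original messages; the log line format, the addresses and the 200-host threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log format (assumption): "<epoch> REJECT TCP <src> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\d+) REJECT TCP (\S+) -> (\S+):(\d+)$")

def find_sweeps(lines, port=139, min_hosts=200):
    """Return {(src, /24 network): (distinct_hosts, passes)} for sources whose
    rejected connections to `port` cover at least `min_hosts` addresses of one /24.
    `passes` is the largest hit count on any single address, which approximates
    how many times the block was swept."""
    hits = defaultdict(lambda: defaultdict(int))  # (src, net) -> dst -> count
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m.group(4)) != port:
            continue
        try:
            dst = ipaddress.ip_address(m.group(3))
        except ValueError:
            continue  # skip lines with a malformed destination address
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        hits[(m.group(2), str(net))][str(dst)] += 1
    return {
        key: (len(per_dst), max(per_dst.values()))
        for key, per_dst in hits.items()
        if len(per_dst) >= min_hosts
    }

def sample_log():
    """Constructed sample: one source sweeps 192.0.2.1-.255 four times on
    port 139; a second source makes two unrelated connections."""
    lines, t = [], 999900000
    for _ in range(4):
        for host in range(1, 256):
            lines.append(f"{t} REJECT TCP 198.51.100.7 -> 192.0.2.{host}:139")
            t += 1
    lines.append(f"{t} REJECT TCP 203.0.113.9 -> 192.0.2.10:139")
    lines.append(f"{t} REJECT TCP 203.0.113.9 -> 192.0.2.10:80")
    return lines

if __name__ == "__main__":
    for (src, net), (hosts, passes) in find_sweeps(sample_log()).items():
        print(f"{src} swept {hosts} hosts in {net} on port 139, about {passes} passes")
```
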
This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 17:02:11 PDT