RE: Recent Increase in Port 139 Activity

From: John Campbell (jcampbellat_private)
Date: Mon Sep 10 2001 - 09:32:02 PDT


    Poking a hole and setting up a port listener is not a bad idea - it would
    give us more packet detail than a listener outside the firewall, passively
    monitoring what went by on the wire.  Will keep the list posted (it may be a
    few days before it gets done 8^( )
    John
    
    -----Original Message-----
    From: H C [mailto:keydet89at_private]
    Sent: Sunday, September 09, 2001 1:07 PM
    To: John Campbell; 'incidentsat_private'
    Subject: Re: Recent Increase in Port 139 Activity
    
    
    John,
    
    > In the last week, I've started seeing one to several
    > port sweeps per day on
    > port 139, of a particular nature.  
    
    First off, I'm not sure how the traffic you describe
    is "particular" in nature...could you elaborate? 
    After all, your firewall drops it...right?
    
    Second, I'd be very interested to see what happens if
    you can get some packet data.  Generally, the SYN
    packet won't have any data of interest...you'd have to
    let the handshake complete, and then see what data is
    sent to the host.  Perhaps if you opened a hole to a
    single machine on port 139, but to a Linux box...with
    nothing running on that port except a generic
    listener.  That way, the handshake would be completed,
    and we'd be able to see what data would be sent once
    that's done.
    
    At the very least, we'd be able to see what it is, and
    maybe put an end to the speculation about this worm or
    that worm... 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
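The generic listener H C proposes, written out as an added example (not code from either poster): it completes the handshake on port 139, logs the first bytes each peer sends, and, when those bytes are a NetBIOS Session Request (the first message an SMB-over-NetBIOS client sends on 139), decodes the called and calling names. The port number and the 10-second read timeout are assumptions, and binding port 139 needs root.

```python
import socket
import datetime

def decode_nb_name(encoded: bytes) -> str:
    """Decode a 32-byte first-level-encoded NetBIOS name (RFC 1001): two
    'A'-based nibble characters per raw byte; byte 16 is the name suffix."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip() + f"<{raw[15]:02x}>"

def encode_nb_name(name: str, suffix: int) -> bytes:
    """Inverse of decode_nb_name; used here only to build test vectors."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)

def parse_session_request(data: bytes):
    """Return (called, calling) names if data is a NetBIOS Session Request
    (type 0x81, flags, 2-byte length, two 0x20-prefixed 32-byte names), else None."""
    if len(data) < 72 or data[0] != 0x81:
        return None
    length = int.from_bytes(data[2:4], "big") | ((data[1] & 1) << 16)
    if length < 68 or data[4] != 0x20 or data[38] != 0x20:
        return None
    return decode_nb_name(data[5:37]), decode_nb_name(data[39:71])

def serve(port: int = 139, max_bytes: int = 4096) -> None:
    """Accept connections, let the handshake complete, and log whatever the
    peer sends first. Port and timeout values are assumptions."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))      # ports below 1024 need root
        srv.listen(5)
        while True:
            conn, (peer_ip, peer_port) = srv.accept()
            with conn:
                conn.settimeout(10)      # some scanners connect and never speak
                try:
                    data = conn.recv(max_bytes)
                except socket.timeout:
                    data = b""
            stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
            names = parse_session_request(data)
            extra = f" session request called={names[0]} calling={names[1]}" if names else ""
            print(f"{stamp} {peer_ip}:{peer_port} {len(data)} bytes {data[:32].hex()}{extra}")

if __name__ == "__main__":
    serve()
```

A bare SYN scan never reaches the log line, which is exactly the distinction H C draws: only connections that finish the handshake and send data produce an entry.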
    



    This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 09:33:54 PDT