RE: TCP port 139 probes

From: Dan Irwin (danat_private)
Date: Tue Jul 09 2002 - 16:20:34 PDT


    I noticed an increase in SMB scanning last week, with a lot of machines
    on Asian or US cable/DSL networks probing networks here.
    
    At least one of these machines appeared to be insecure and I could
    enumerate shares etc. with smbclient -L.
    
    According to my logs, before July 1 2002, we had 4 netbios probes (This
    machine was only installed in mid June).
    
    On July 1 we received around 70 probes, and approx. 68 on July 4. 75
    probes so far today. Other days vary a lot.
    
    Infected machines appear to be scanning large ip address ranges. These
    machines are scanning every address on our /28 net. (Logs below)
    
    Perhaps a new worm targeting insecure Windows machines?
    
    Dan.
    
    <snip>
    Jul 10 09:12:37 xxxxx kernel: fwreject IN=ppp0 OUT=eth0
    SRC=67.225.115.84 DST=x.x.x.119 LEN=48 TOS=0x00 PREC=0x00 TTL=106
    ID=38950 DF PROTO=TCP SPT=21595 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0 
    Jul 10 09:12:37 xxxxx kernel: fwreject IN=ppp0 OUT= MAC=
    SRC=67.225.115.84 DST=x.x.x.127 LEN=48 TOS=0x00 PREC=0x00 TTL=106
    ID=39206 DF PROTO=TCP SPT=21569 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0 
    Jul 10 09:12:39 xxxxx kernel: fwreject IN=ppp0 OUT=eth0
    SRC=67.225.115.84 DST=x.x.x.120 LEN=48 TOS=0x00 PREC=0x00 TTL=104
    ID=39974 DF PROTO=TCP SPT=21317 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0 
    Jul 10 09:12:40 xxxxx kernel: fwreject IN=ppp0 OUT=eth0
    SRC=67.225.115.84 DST=x.x.x.121 LEN=48 TOS=0x00 PREC=0x00 TTL=106
    ID=40998 DF PROTO=TCP SPT=21539 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0 
    Jul 10 09:12:42 xxxxx kernel: fwreject IN=ppp0 OUT=eth0
    SRC=67.225.115.84 DST=x.x.x.122 LEN=48 TOS=0x00 PREC=0x00 TTL=106
    ID=42022 DF PROTO=TCP SPT=21554 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0 
    Jul 10 09:12:43 xxxxx kernel: fwreject IN=ppp0 OUT=eth0
    SRC=67.225.115.84 DST=x.x.x.123 LEN=48 TOS=0x00 PREC=0x00 TTL=106
    ID=43046 DF PROTO=TCP SPT=21561 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0 
    Jul 10 09:12:45 xxxxx kernel: fwreject IN=ppp0 OUT=eth0
    SRC=67.225.115.84 DST=x.x.x.124 LEN=48 TOS=0x00 PREC=0x00 TTL=105
    ID=44070 DF PROTO=TCP SPT=21596 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0 
    Jul 10 09:12:46 xxxxx kernel: fwreject IN=ppp0 OUT=eth0
    SRC=67.225.115.84 DST=x.x.x.125 LEN=48 TOS=0x00 PREC=0x00 TTL=106
    ID=45094 DF PROTO=TCP SPT=21599 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0 
    Jul 10 09:12:48 xxxxx kernel: fwreject IN=ppp0 OUT= MAC=
    SRC=67.225.115.84 DST=x.x.x.126 LEN=48 TOS=0x00 PREC=0x00 TTL=107
    ID=46118 DF PROTO=TCP SPT=21488 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0 
    Jul 10 09:12:49 xxxxx kernel: fwreject IN=ppp0 OUT= MAC=
    SRC=67.225.115.84 DST=x.x.x.127 LEN=48 TOS=0x00 PREC=0x00 TTL=106
    ID=47142 DF PROTO=TCP SPT=21569 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
    <snip>
    
    --
    Dan Irwin - Systems Administrator
    Jackie's Wholesale Nurseries Pty Ltd
    Email: danat_private
    Phone: 07 3888 2481
    Fax: 07 3888 2530
    Postal: 10 Gleeson Road Burpengary Queensland 4505
    Email: infoat_private
    Web: http://www.jackies.com.au
    
    
    -----Original Message-----
    From: Pavel Kankovsky [mailto:peakat_private]
    Sent: Wednesday, 10 July 2002 6:22 AM
    To: incidentsat_private
    Subject: TCP port 139 probes
    
    
    I have detected a noticeable increase of (blocked) attempts to connect
    to TCP port 139 on machines in our network. Look at these numbers
    (number of blocked packets per day):
    
          1	Jun 10
          5	Jun 11
         13	Jun 12
         15	Jun 13
          3	Jun 15
          3	Jun 16
          4	Jun 17
         13	Jun 18
         18	Jun 19
         16	Jun 20
         15	Jun 21
          4	Jun 22
          2	Jun 23
         23	Jun 24
         18	Jun 25
         44	Jun 26
         95	Jun 27
        112	Jun 28
         84	Jun 29
         53	Jun 30
        130	Jul  1
        191	Jul  2
        227	Jul  3
        235	Jul  4
        226	Jul  5
        185	Jul  6
        167	Jul  7
        350	Jul  8
        199	Jul  9
    
    These probes are not (ordinary) scans but isolated attempts by seemingly
    random remote IP addresses to open a connection to seemingly random local
    IP addresses. In many cases, the destination is an unused address.
    
    This is very suspicious.
    
    --Pavel Kankovsky aka Peak  [ Boycott
    Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for
    assimilation."
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
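Both posters are reading the same two things out of their firewall logs: a per-day count of blocked SYNs to TCP port 139 (Pavel's table) and, per remote source, how many local addresses it touched and whether it walked a contiguous block (Dan's /28 sweep). The script below is an added example, not code from either message or from SecurityFocus; it assumes netfilter-style kernel log lines with a `fwreject` prefix and `KEY=VALUE` fields in the shape posted above, including the way a mail client wraps one record across several lines, and the sample log it parses is constructed, using documentation address ranges rather than the addresses in the posts.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample: six netfilter reject records in the same wrapped form as
# the logs quoted in the thread. Addresses are from documentation ranges
# (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24), not the posters' hosts.
# One source walks four consecutive local addresses on port 139 on Jul 10,
# a second source hits a single address on Jul 9, and one record is port 80.
SAMPLE_LOG = """\
Jul  9 23:58:02 fw kernel: fwreject IN=ppp0 OUT= MAC=
SRC=198.51.100.7 DST=192.0.2.125 LEN=48 TOS=0x00 PREC=0x00 TTL=112
ID=1021 DF PROTO=TCP SPT=3401 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 10 09:12:37 fw kernel: fwreject IN=ppp0 OUT=eth0
SRC=203.0.113.84 DST=192.0.2.119 LEN=48 TOS=0x00 PREC=0x00 TTL=106
ID=38950 DF PROTO=TCP SPT=21595 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 10 09:12:39 fw kernel: fwreject IN=ppp0 OUT=eth0
SRC=203.0.113.84 DST=192.0.2.120 LEN=48 TOS=0x00 PREC=0x00 TTL=104
ID=39974 DF PROTO=TCP SPT=21317 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 10 09:12:40 fw kernel: fwreject IN=ppp0 OUT=eth0
SRC=203.0.113.84 DST=192.0.2.121 LEN=48 TOS=0x00 PREC=0x00 TTL=106
ID=40998 DF PROTO=TCP SPT=21539 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 10 09:12:42 fw kernel: fwreject IN=ppp0 OUT=eth0
SRC=203.0.113.84 DST=192.0.2.122 LEN=48 TOS=0x00 PREC=0x00 TTL=106
ID=42022 DF PROTO=TCP SPT=21554 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 10 10:01:15 fw kernel: fwreject IN=ppp0 OUT=eth0
SRC=203.0.113.84 DST=192.0.2.123 LEN=48 TOS=0x00 PREC=0x00 TTL=106
ID=50001 DF PROTO=TCP SPT=21600 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# Syslog timestamp at the start of a record: "Jul 10 09:12:37 " or "Jul  9 23:58:02 ".
TS_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) \d\d:\d\d:\d\d ")
# netfilter KEY=VALUE fields; bare flags such as DF and SYN have no "=" and are skipped.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
SYN_RE = re.compile(r"\bSYN\b")


def unwrap(text):
    """Re-join records wrapped across lines: a line without a leading
    timestamp is the continuation of the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TS_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def parse_record(line):
    """Pull out the fields the two analyses below need from one joined record."""
    m = TS_RE.match(line)
    fields = dict(KV_RE.findall(line))
    dport = fields.get("DPT", "")
    return {
        "day": f"{m.group(1)} {m.group(2):>2}",  # "Jul  9", same style as the table above
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(dport) if dport.isdigit() else None,
        "syn": SYN_RE.search(line) is not None,
    }


def parse_log(text):
    return [parse_record(r) for r in unwrap(text)]


def is_probe(rec, dport):
    """A blocked TCP SYN to the port of interest (connection attempt, not noise)."""
    return rec["proto"] == "TCP" and rec["dport"] == dport and rec["syn"]


def daily_probe_counts(records, dport=139):
    """Blocked SYNs to one port per day: the numbers in the per-day table above."""
    return Counter(r["day"] for r in records if is_probe(r, dport))


def sweeping_sources(records, dport=139, min_targets=4):
    """Sources that hit several distinct local addresses on the port. The span
    of the addresses is reported so a walk across a block (span == targets)
    stands out from isolated single-address probes."""
    targets = defaultdict(set)
    for r in records:
        if is_probe(r, dport):
            targets[r["src"]].add(ip_address(r["dst"]))
    result = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        ordered = sorted(dsts)
        span = int(ordered[-1]) - int(ordered[0]) + 1
        result[src] = {"targets": len(dsts), "span": span, "contiguous": span == len(dsts)}
    return result


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for day, n in sorted(daily_probe_counts(recs).items()):
        print(f"{n:5d}\t{day}")
    for src, info in sweeping_sources(recs).items():
        print(src, info)
```

Run against a real `/var/log/messages`, the per-day table is the one to watch for the ramp Pavel shows, while the sweep report separates a host walking your whole block (Dan's case) from the scattered single-address hits Pavel describes; raise `min_targets` on larger networks to keep the second list short.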
    



    This archive was generated by hypermail 2b30 : Tue Jul 09 2002 - 18:20:21 PDT