Re: port 139 syn-fin scans

From: Scott A. McIntyre (scottat_private)
Date: Sun Apr 20 2003 - 02:11:21 PDT


    Hi,
    
    > The scans are on TCP port 139 with SYN-FIN flags set and both the source
    > and  destination ports
    > set to 139.  The scans attempt to hide by being slow (our /24 gets hit
    > roughly  once every 45 minutes)
    > and by using a randomized target address.
    
    Yep, we too have been witnessing this for the past couple of weeks.  None 
    of the target systems are running Microsoft Windows and have never had any 
    sort of NetBIOS listener (Samba or otherwise) running.
    
    Yet the same source is repeatedly scanning (209.137.237.178) and even 
    though it's a very slow scan of the /24, it's also hitting the same 
    destination more than once per day.  Seems that about 8 or 9 hosts per hour 
    are scanned, at a rate of one destination per 5 to 8 minutes (give or take).
    
    Here's a sample packet:
    
    1713.318924 209.137.237.178 -> xx.yy.zz.aa TCP 139 > 139 [FIN, SYN] 
    Seq=1878631406 Ack=1218260040 Win=1028 Len=0
    
       0  0090 27e0 3c71 0090 6937 7c3e 0800 4500   ..'.<q..i7|>..E.
      10  0028 9a02 0000 1f06 ee62 d189 edb2 c26d   .(.......b.....m
      20  91c1 008b 008b 6ff9 a3ee 489d 2c48 5003   ......o...H.,HP.
      30  0404 0e8f 0000 0e00 0000 0000             ............
    
    >
    > We have only seen a couple of source addresses for the probes, but they
    > all  have the same signature.
    
    Same here.
    
    
    I'm definitely curious to know what others have made of this; what tool it 
    may be, etc.
    
    Scott
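An added example, not part of Scott's post and not code from any tool discussed in the thread: the Python below decodes the hex dump quoted above (Ethernet II, IPv4, TCP; standard library only) and applies a few defender-side heuristics that show why this packet reads as crafted rather than as a real connection attempt. The dump text is copied from this message, and the parser assumes its offset / hex-words / ASCII column layout; the anomaly rules are my own, not something the thread states.

```python
import re
import struct
from dataclasses import dataclass

# Frame dump copied from the post above: a 60-byte Ethernet frame,
# 14 bytes Ethernet + 20 IP + 20 TCP + 6 bytes of trailing padding.
PACKET_DUMP = """\
   0  0090 27e0 3c71 0090 6937 7c3e 0800 4500   ..'.<q..i7|>..E.
  10  0028 9a02 0000 1f06 ee62 d189 edb2 c26d   .(.......b.....m
  20  91c1 008b 008b 6ff9 a3ee 489d 2c48 5003   ......o...H.,HP.
  30  0404 0e8f 0000 0e00 0000 0000             ............
"""

# TCP flag bits in the low byte of the data-offset/flags word.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"),
              (PSH, "PSH"), (ACK, "ACK"), (URG, "URG")]

# Assumed layout (as in the dump above): an offset, 16-bit hex words separated
# by single spaces, then the ASCII column after a wider gap, which ends the match.
DUMP_LINE = re.compile(r"^\s*[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{4}\s?)+)")


def parse_hexdump(text):
    """Return the raw bytes encoded by an offset/hex/ASCII dump."""
    raw = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            raw += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(raw)


@dataclass
class TcpSummary:
    src_ip: str
    dst_ip: str
    ttl: int
    ip_id: int
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int
    tcp_hdr_len: int


def decode_frame(raw):
    """Decode Ethernet II -> IPv4 -> TCP headers from a raw frame."""
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]  # excludes Ethernet padding
    ip_id = struct.unpack("!H", ip[4:6])[0]
    ttl, proto = ip[8], ip[9]
    if proto != 6:
        raise ValueError("not TCP")
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    return TcpSummary(src_ip, dst_ip, ttl, ip_id, sport, dport, seq, ack,
                      off_flags & 0x3F, window, (off_flags >> 12) * 4)


def flag_names(flags):
    return [name for bit, name in FLAG_NAMES if flags & bit]


def anomalies(pkt):
    """Heuristics (my own, not from the thread) that mark a crafted probe."""
    found = []
    if (pkt.flags & SYN) and (pkt.flags & FIN):
        found.append("SYN and FIN set together (no normal stack sends this)")
    if pkt.src_port == pkt.dst_port:
        found.append("source port equals destination port (%d)" % pkt.src_port)
    if pkt.ack and not (pkt.flags & ACK):
        found.append("non-zero acknowledgement number with ACK flag clear")
    if (pkt.flags & SYN) and pkt.tcp_hdr_len == 20:
        found.append("SYN with no TCP options (real stacks send at least MSS)")
    return found


if __name__ == "__main__":
    pkt = decode_frame(parse_hexdump(PACKET_DUMP))
    print("%s -> %s  %d > %d [%s] win=%d ttl=%d id=0x%04x" % (
        pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port,
        ", ".join(flag_names(pkt.flags)), pkt.window, pkt.ttl, pkt.ip_id))
    for a in anomalies(pkt):
        print("  !", a)
```

The decoded fields match the summary line in the post (139 > 139, [FIN, SYN], Seq=1878631406, Ack=1218260040, Win=1028). The same `anomalies` check can be run over every SYN seen at a border sensor; the SYN+FIN combination alone is enough to alert on, since no legitimate connection setup produces it.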
    
    
    



    This archive was generated by hypermail 2b30 : Mon Apr 21 2003 - 10:29:11 PDT