Re: new scanner tool or blind luck?

[Randy Mclean <rmclean () NATDOOR COM>]

network.vbs will normally have a netbios port for both the source and
destination ports.  If I remember correctly the code in the vbs file calls
the netbios functions with UNC's, thus limiting its source port to
netbios(example of UNC \\55.55.55.55\c$). This looks like a scan using a
scanner or a different trojan that doesn't use the windows netbios
functions to find windows shares. My 2 cents

At 12:02 AM 9/14/2000 -0400, you wrote:
> network.vbs
> go to http://www.sophos.com
>
> On 13 Sep 00, at 9:22, T. Esting wrote:
>
> >   Lately, we've been tracking some unusual NetBIOS scans that have
> >   caught
> > our attention and are interesting enough that we thought we'd share
> > with the group.  Around the last week of August, we started seeing
> > scans exhibiting the following signature behavior:
> >
> > Sep 09 09:38:09 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2889
> > DSTIP our.sub.net.1 DSTPRT 139 PROT TCP Sep 09 09:38:09 [ids-host]
> > SRCIP other.subnet.61.30 SRCPRT 2889 DSTIP our.sub.net.1 DSTPRT 139
> > PROT TCP Sep 09 09:38:14 [ids-host]   SRCIP other.subnet.61.30 SRCPRT
> > 2890 DSTIP
>
>
> George Bakos - Security Engineer
> Electronic Warfare Associates
> Information & Infrastructure Technologies
> 802-338-3213
>
>  To request PGP public key,
>  mailto:alpinista () bigfoot com?subject=sendpubkey
>  or http://pgpkeys.mit.edu:11371/

--
Randy Mclean
Security/Network Administrator
rmclean () natdoor com