Security Incidents mailing list archives
Re: Recent Increase in Port 139 Activity
From: maggie () binarydecisions com
Date: Fri, 07 Sep 2001 19:58:29 -0400
Does look like NetBIOS WinNuke. I caught one on Monday from a houston.rr.com address. MM *********** BEGIN FORWARDED MESSAGE *********** On 9/7/2001, at 4:42 PM, Harlan S. Barney, Jr. <hsbarney () nycap rr com> wrote:
This is likely NetBIOS Port Probe. They started up in mid August. They were a pain last August and September. I see them from the Road Runner network. RR has not yet admitted that there is a problem. Most firewalls will probably keep they out. They are really only a problem to Windows OS machines with sharing open. John Campbell wrote:In the last week, I've started seeing one to several port sweeps per
day on
port 139, of a particular nature. Typically the sweep will hit .1
to .255
of a 24 bit net mask sized address block (generally called, "Class
C"
although this can be erroneous) four times. Have found nothing
written on
any new worms targetting this port. Source machines are largely
North
American. Anyone heard or have ideas about what's going on? My
perimeter
firewall's rejecting this traffic, so I get a log entry but no
packet detail
(yet.) John Campbell, Information Security Engineer Washington School Information Processing Cooperative (WSIPC) E-mail: jcampbell () wsipc org
------------------------------------------------------------------------ ----
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com-----------------------------------------------------------------------
-----
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
*********** END FORWARDED MESSAGE *********** ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Recent Increase in Port 139 Activity John Campbell (Sep 07)
- Re: Recent Increase in Port 139 Activity Harlan S. Barney, Jr. (Sep 07)
- code red attacks and real-time blackhole'ng Florian Piekert (Sep 07)
- Re: code red attacks and real-time blackhole'ng red0x (Sep 08)
- Re: code red attacks and real-time blackhole'ng Sean Hunter (Sep 14)
- Re: Recent Increase in Port 139 Activity maggie (Sep 07)
- code red attacks and real-time blackhole'ng Florian Piekert (Sep 07)
- Re: Recent Increase in Port 139 Activity H C (Sep 09)
- <Possible follow-ups>
- RE: Recent Increase in Port 139 Activity Frank Knobbe (Sep 07)
- RE: Recent Increase in Port 139 Activity John Campbell (Sep 07)
- RE: Recent Increase in Port 139 Activity John Campbell (Sep 10)
- Re: Recent Increase in Port 139 Activity Harlan S. Barney, Jr. (Sep 07)