Security Incidents mailing list archives
Re: Recent Increase in Port 139 Activity
From: H C <keydet89 () yahoo com>
Date: Sun, 9 Sep 2001 13:07:07 -0700 (PDT)
John,
> In the last week, I've started seeing one to several port sweeps per day on port 139, of a particular nature.
First off, I'm not sure how the traffic you describe is "particular" in nature...could you elaborate? After all, your firewall drops it...right?

Second, I'd be very interested to see what happens if you can get some packet data. Generally, the SYN packet won't have any data of interest...you'd have to let the handshake complete, and then see what data is sent to the host. Perhaps if you opened a hole to a single machine on port 139, but to a Linux box...with nothing running on that port except a generic listener. That way, the handshake would be completed, and we'd be able to see what data would be sent once that's done.

At the very least, we'd be able to see what it is, and maybe put an end to the speculation about this worm or that worm...
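One way to build the generic listener suggested in the message above, as an added example that is not part of the original post: it completes the handshake, records the first bytes the remote host sends, and never replies. All function names are hypothetical, and the decoding assumes the client speaks the NetBIOS Session Service (RFC 1002), whose first packet is a session request of type 0x81.

```python
import socket

SESSION_REQUEST = 0x81  # NetBIOS Session Service packet type (RFC 1002)

def decode_nb_name(field: bytes) -> tuple[str, int]:
    """Decode one first-level-encoded NetBIOS name (0x20 + 32 bytes + 0x00)."""
    if len(field) != 34 or field[0] != 0x20 or field[33] != 0x00:
        raise ValueError("not a first-level encoded NetBIOS name")
    enc = field[1:33]
    if any(not 0x41 <= b <= 0x50 for b in enc):
        raise ValueError("nibble character outside 'A'..'P'")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("latin-1").rstrip(), raw[15]  # (name, suffix byte)

def parse_first_payload(data: bytes) -> dict:
    """Classify the first bytes a client sent after the handshake."""
    info = {"length": len(data), "hex": data[:64].hex(), "kind": "unknown"}
    if len(data) >= 4 and data[0] == SESSION_REQUEST:
        info["kind"] = "netbios-session-request"
        try:
            info["called"] = decode_nb_name(data[4:38])
            info["calling"] = decode_nb_name(data[38:72])
        except ValueError as exc:
            info["error"] = str(exc)  # truncated or malformed name fields
    return info

def capture_first_payload(listener: socket.socket, timeout: float = 10.0) -> dict:
    """Accept one connection, read whatever arrives first, never reply."""
    conn, peer = listener.accept()
    with conn:
        conn.settimeout(timeout)
        try:
            data = conn.recv(4096)
        except socket.timeout:
            data = b""  # client completed the handshake but sent nothing
    return {"peer": peer[0], **parse_first_payload(data)}

if __name__ == "__main__":
    # Assumption: run as root (port 139 is privileged) on a host with no SMB service.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", 139))
        srv.listen(5)
        while True:
            print(capture_first_payload(srv))
```

Because the listener stays silent, a NetBIOS client will normally stop after the session request: it waits for a positive session response (type 0x82) before sending any SMB traffic. The called and calling names in that first packet are still useful for telling scanning tools apart.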