Security Incidents mailing list archives

Re: port 139 syn-fin scans


From: "Scott A. McIntyre" <scott () xs4all net>
Date: Sun, 20 Apr 2003 11:11:21 +0200

Hi,

> The scans are on TCP port 139 with SYN-FIN flags set and both the source
> and destination ports set to 139. The scans attempt to hide by being slow
> (our /24 gets hit roughly once every 45 minutes) and by using a randomized
> target address.

Yep, we too have been witnessing this for the past couple of weeks. None of the target systems is running Microsoft Windows, and none has ever had any sort of NetBIOS listener (Samba or otherwise) running.

Yet the same source is repeatedly scanning (209.137.237.178), and even though it's a very slow scan of the /24, it's also hitting the same destination more than once per day. It seems that about 8 or 9 hosts per hour are scanned, at a rate of one destination every 5 to 8 minutes (give or take).

Here's a sample packet:

1713.318924 209.137.237.178 -> xx.yy.zz.aa TCP 139 > 139 [FIN, SYN] Seq=1878631406 Ack=1218260040 Win=1028 Len=0

  0  0090 27e0 3c71 0090 6937 7c3e 0800 4500   ..'.<q..i7|>..E.
 10  0028 9a02 0000 1f06 ee62 d189 edb2 c26d   .(.......b.....m
 20  91c1 008b 008b 6ff9 a3ee 489d 2c48 5003   ......o...H.,HP.
 30  0404 0e8f 0000 0e00 0000 0000             ............

> We have only seen a couple of source addresses for the probes, but they
> all have the same signature.

Same here.


I'm definitely curious to know what others have made of this; what tool it may be, etc.

Scott
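To check the posted sample against the signature described in this thread, here is an added example in Python; it is not part of Scott's message or of any tool the thread names. It rebuilds the frame from the hex dump above, decodes the Ethernet/IPv4/TCP headers, verifies the IP header checksum so that a miscopied dump is caught before anyone draws conclusions from it, and tests the SYN+FIN with source and destination port 139 signature. The decoder and the signature function are my own; the only input is the dump from the post.

```python
import struct
import ipaddress

# The hex dump as it appears in the post (Ethernet II frame: 14-byte header,
# 20-byte IPv4 header, 20-byte TCP header, then 6 bytes of Ethernet padding).
SAMPLE_HEXDUMP = """
  0  0090 27e0 3c71 0090 6937 7c3e 0800 4500   ..'.<q..i7|>..E.
 10  0028 9a02 0000 1f06 ee62 d189 edb2 c26d   .(.......b.....m
 20  91c1 008b 008b 6ff9 a3ee 489d 2c48 5003   ......o...H.,HP.
 30  0404 0e8f 0000 0e00 0000 0000             ............
"""

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
HEXDIGITS = set("0123456789abcdefABCDEF")


def hexdump_to_bytes(dump):
    """Turn an offset-prefixed dump (offset, up to eight 16-bit words, optional
    ASCII column) back into raw bytes.  The ASCII column is detected as the
    first token that is not exactly four hex digits."""
    out = bytearray()
    for line in dump.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        for tok in fields[1:9]:          # skip the offset; at most 8 words per row
            if len(tok) != 4 or not set(tok) <= HEXDIGITS:
                break                    # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)


def ones_complement_sum(data):
    """RFC 1071 checksum arithmetic over big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_frame(frame):
    """Decode Ethernet II + IPv4 + TCP and return the fields that matter here."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 Ethernet frame")
    ip = frame[14:]
    ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not IPv4/TCP")
    # total_len trims the Ethernet padding that follows the TCP header.
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    return {
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "ttl": ttl, "ip_id": ident,
        "ip_csum_ok": ones_complement_sum(ip[:ihl]) == 0xFFFF,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "window": window,
        "payload_len": len(tcp) - (off_flags >> 12) * 4,
    }


def tcp_flag_names(flags):
    names = [("FIN", TCP_FIN), ("SYN", TCP_SYN), ("RST", TCP_RST),
             ("PSH", TCP_PSH), ("ACK", TCP_ACK), ("URG", TCP_URG)]
    return ",".join(n for n, bit in names if flags & bit)


def matches_synfin_139(pkt):
    """Signature reported in the thread: SYN and FIN set together without ACK,
    source and destination port both 139, no payload.  SYN+FIN is never a
    legitimate combination, so the flag test alone is worth alerting on."""
    want = TCP_SYN | TCP_FIN
    return ((pkt["flags"] & (want | TCP_ACK)) == want
            and pkt["sport"] == 139 and pkt["dport"] == 139
            and pkt["payload_len"] == 0)


if __name__ == "__main__":
    pkt = parse_frame(hexdump_to_bytes(SAMPLE_HEXDUMP))
    print("%s:%d -> %s:%d [%s] seq=%d ack=%d win=%d ttl=%d ip_csum_ok=%s"
          % (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"],
             tcp_flag_names(pkt["flags"]), pkt["seq"], pkt["ack"],
             pkt["window"], pkt["ttl"], pkt["ip_csum_ok"]))
    print("matches SYN-FIN 139->139 signature:", matches_synfin_139(pkt))
```

The decode reproduces the tshark summary line from the post (139 > 139, FIN+SYN, the same sequence and acknowledgement numbers, window 1028), and the IP header checksum verifies, so the dump was copied intact. Two further fields the decode exposes, TTL 31 and a non-zero acknowledgement number on a segment with no ACK flag, are worth comparing across captures from the other source addresses mentioned; whether they point to a particular tool is not something this thread establishes.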

