nanog mailing list archives
Re: Port 139 scans
From: "Henry R. Linneweh" <linneweh () concentric net>
Date: Thu, 28 Sep 2000 07:40:04 -0700
I am particularly concerned over this issue of these broadcasts originating from Concentric.net, since I too, a Concentric.net user, have been getting an increase of port 139 scans, then a dialup port saturation and disconnect, even though CFW stops the packet at the port.

Let's direct all traffic concerning this issue to Jim Tobias at concentric.net jtobia () concentric net for a concerted effort to resolve the issue if it originates from a Concentric.net or Concentric.com network node.

2000/09/27 6:47:28 AM GMT -0700: Dial-Up Adapter [0000][Ref# 5] Blocking incoming TCP: src=206.173.248.146, dst=206.173.232.156, sport=2596, dport=139.
2000/09/27 9:33:26 PM GMT -0700: Dial-Up Adapter [0000][Ref# 5] Blocking incoming TCP: src=206.173.232.118, dst=206.173.232.204, sport=1638, dport=139.

Dana Hudes wrote:
> Yes, but in the past few days activity has stepped up tremendously. Where my webserver, which uses Samba to communicate with my local desktop win98 machine (the latter is client, no shares exported), used to get once in a couple months an attempt on port 139, now I have 45 / day. Furthermore, they're overwhelmingly from customers of my upstream -- Concentric. A handful from @home and others.
>
> I reported this to Concentric with the log.smb file in the message. No response 3 days later.
>
> ----- Original Message -----
> From: "Randy Bush" <randy () psg com>
> To: "John Fraizer" <nanog () EnterZone Net>
> Cc: <nanog () merit edu>
> Sent: Thursday, September 28, 2000 1:40 AM
> Subject: Re: Port 139 scans
>
> Speaking of the internet and the way it operates, is anyone else seeing a large number of random hosts scanning through their address space using TCP on port 139?
>
> We have been seeing this for about 3 weeks now.
>
> s/weeks/years/
>
> randy
--
Thank you;
|--------------------------------|
| Thinking is a learned process. |
| ICANN member @large            |
| Gigabit over IP, ieee 802.17   |
|--------------------------------|
Henry R. Linneweh