Re: new scanner tool or blind luck?

[Thomas Molina <tmolina () HOME COM>]

On Wed, 13 Sep 2000, Ken Armstrong wrote:

> Hi,
>
> I have seen exactly the same on a residential ADSL link.  This activity
> has started in early september and is still continuing.  There has been
> some recent discussion on some of the lists concerning a Trojan that was
> discovered in August.  This Trojan infects notepad.exe and then
> sequentially tries to use netbios to connect to other systems in the local
> network.  I am wondering if this is what we are seeing?
>
> Ken
>
> On Wed, 13 Sep 2000, T. Esting wrote:
>
> >   Lately, we've been tracking some unusual NetBIOS scans that have caught
> > our attention and are interesting enough that we thought we'd share with the
> > group.  Around the last week of August, we started seeing scans exhibiting
> > the following signature behavior:
> >
> > Sep 09 09:38:09 [ids-host]   SRCIP other.subnet.61.30 SRCPRT 2889 DSTIP
> > our.sub.net.1 DSTPRT 139 PROT TCP

Same here.  Beginning on 4 Sep my logs started filling with a seemingly
endless stream of scans to tcp port 139.  As usual, response from my ISP
(@home) is spotty.  My local provider is fairly aggressive in responding
to my inputs, but response from other parts of the country varies
widely.  In particular, customers in the sttln1.wa.home.com subnet have
been especially annoying and response from the provider for that subnet
has been particularly sparse.