Security Incidents mailing list archives

Re: Do you know any Day 0 hacks use port 139? (fwd)


From: "Blake McNeill" <mcneillb () home com>
Date: Mon, 20 Aug 2001 20:08:37 -0600

The only filter my local @Home provider has in place is UDP Port 31337 (Back
Orifice etc).  Now granted I can't see my neighbour's system (my local area
node connection), but that's about the extent of filtering here.  I suspect
this is why we have seen a strong and very persistent SirCam whereas other
people have not.

Blake


----- Original Message -----
From: "Jason Spence" <thalakan () technologist com>
To: <incidents () securityfocus com>
Sent: Monday, August 20, 2001 7:07 PM
Subject: Re: Do you know any Day 0 hacks use port 139? (fwd)


On Mon, Aug 13, 2001 at 03:01:33PM -0600, Blake McNeill developed
a new theory of relativity and:
My first guess would be that you're seeing the effects of SirCam.  In
addition to being spread by email, SirCam, once installed, looks for open
file shares on other machines on the network to infect.  It does this by
checking port 139.  If you like, I have been keeping statistics concerning
Code Red and SirCam on my local @Home provider and have posted the
resulting graphs on http://members.home.net/mcneillb/.  SirCam first
showed up on our local ISP on July 19th or 20th and has been very
persistent since then with anywhere from 15 - 45 probes a day to my
system.

That's weird, because @Home has filters set up for TCP 137-139 and 445
on my subnet that just drop the packets on the floor:

Port       State       Service
21/tcp     open        ftp
25/tcp     filtered    smtp
42/tcp     open        nameserver
80/tcp     open        http
135/tcp    open        loc-srv
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
443/tcp    open        https
445/tcp    filtered    microsoft-ds
1080/tcp   filtered    socks
5631/tcp   open        pcanywheredata

Outgoing is blocked too.

 - Jason

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
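As an added illustration of the kind of bookkeeping Blake describes (this is not code from either poster), a small Python script that tallies inbound probes to the NetBIOS/SMB ports per day and picks out sources that keep returning to TCP 139; the firewall log format and the addresses are constructed for the example.

```python
# Added example: daily tally of probes to the ports share-scanning worms such as
# SirCam use, from constructed firewall-style drop log lines (format is assumed).
import re
from collections import Counter, defaultdict

SHARE_PORTS = {137, 138, 139, 445}  # netbios-ns/dgm/ssn and microsoft-ds

# Constructed sample: "<date> <time> DROP <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2001-08-20 08:12:01 DROP TCP 24.0.0.17:1042 -> 24.0.0.99:139
2001-08-20 08:12:03 DROP TCP 24.0.0.17:1043 -> 24.0.0.99:139
2001-08-20 09:40:11 DROP TCP 24.0.0.58:3201 -> 24.0.0.99:139
2001-08-20 11:05:44 DROP TCP 24.0.0.58:3202 -> 24.0.0.99:445
2001-08-20 13:22:19 DROP TCP 64.1.2.3:4000 -> 24.0.0.99:80
2001-08-21 02:15:30 DROP UDP 24.0.0.17:137 -> 24.0.0.99:137
2001-08-21 02:15:31 DROP TCP 24.0.0.17:1101 -> 24.0.0.99:139
2001-08-21 17:48:02 DROP TCP 24.0.0.200:2050 -> 24.0.0.99:139
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ DROP (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$"
)

def parse(log_text):
    """Yield (date, proto, src, dport) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["date"], m["proto"], m["src"], int(m["dport"])

def share_probes_per_day(log_text):
    """Probes per day to the share-scanning ports (the figure Blake graphed)."""
    counts = Counter()
    for date, _proto, _src, dport in parse(log_text):
        if dport in SHARE_PORTS:
            counts[date] += 1
    return dict(counts)

def repeat_sources(log_text, min_hits=2):
    """Sources that hit TCP 139 at least min_hits times: persistent scanners
    worth reporting to the ISP, as opposed to one-off noise."""
    hits = defaultdict(int)
    for _date, proto, src, dport in parse(log_text):
        if proto == "TCP" and dport == 139:
            hits[src] += 1
    return sorted(src for src, n in hits.items() if n >= min_hits)

if __name__ == "__main__":
    print(share_probes_per_day(SAMPLE_LOG))  # {'2001-08-20': 4, '2001-08-21': 3}
    print(repeat_sources(SAMPLE_LOG))        # ['24.0.0.17']
```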



