update: port 139 traffic

["Kevin Holmquist" <kevinh () netronin org>]

I too have seen port 139 attempts.  Here is the packet data:

CID:2339 [**] LOCAL/NETBIOS TCP attempt [**]
2001-09-07 13:03:31 64.167.140.172:3897 -> 64.x.x.x:139
TCP TTL:116 TOS:0x0 ID:65402 IPLen: DgmLen:48 HLen:5 CSumIP:0x588F
******S* Seq:0xAD5B1A5 Ack:0x0 Win:0x2000 CSumTCP:0xE814
TCP Options (4) => MSS:05C2 NO-OP NO-OP SACKOK

All of the attempts have come from ip's starting with 64.x.x.x.  Most
interestingly,  all (277 attempts from 35 hosts since 9/3)except one have
come from pacbell DSL subscribers.

Any ideas?

Kevin Holmquist



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com