Security Incidents mailing list archives
update: port 139 traffic
From: "Kevin Holmquist" <kevinh () netronin org>
Date: Sat, 8 Sep 2001 12:44:58 -0600
I too have seen port 139 attempts. Here is the packet data: CID:2339 [**] LOCAL/NETBIOS TCP attempt [**] 2001-09-07 13:03:31 64.167.140.172:3897 -> 64.x.x.x:139 TCP TTL:116 TOS:0x0 ID:65402 IPLen: DgmLen:48 HLen:5 CSumIP:0x588F ******S* Seq:0xAD5B1A5 Ack:0x0 Win:0x2000 CSumTCP:0xE814 TCP Options (4) => MSS:05C2 NO-OP NO-OP SACKOK All of the attempts have come from ip's starting with 64.x.x.x. Most interestingly, all (277 attempts from 35 hosts since 9/3)except one have come from pacbell DSL subscribers. Any ideas? Kevin Holmquist ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- update: port 139 traffic Kevin Holmquist (Sep 08)