Security Incidents mailing list archives

Re: Recent Increase in Port 139 Activity


From: H C <keydet89 () yahoo com>
Date: Sun, 9 Sep 2001 13:07:07 -0700 (PDT)

John,

> In the last week, I've started seeing one to several port sweeps per day on
> port 139, of a particular nature.

First off, I'm not sure how the traffic you describe
is "particular" in nature...could you elaborate? 
After all, your firewall drops it...right?

Second, I'd be very interested to see what happens if
you can get some packet data.  Generally, the SYN
packet won't have any data of interest...you'd have to
let the handshake complete, and then see what data is
sent to the host.  Perhaps if you opened a hole to a
single machine on port 139, but to a Linux box...with
nothing running on that port except a generic
listener.  That way, the handshake would be completed,
and we'd be able to see what data would be sent once
that's done.

At the very least, we'd be able to see what it is, and
maybe put an end to the speculation about this worm or
that worm... 
 



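A minimal version of the "generic listener" the message suggests, as an added example that is not part of the original post: it lets the kernel complete the handshake, never replies, and records whatever the remote side sends first. The function names are hypothetical, and the message-type table (NetBIOS Session Service types from RFC 1002) goes beyond what the post describes.

```python
import socket
import time

# NetBIOS Session Service message types (RFC 1002, section 4.3.1).
NBSS_TYPES = {0x00: "session message", 0x81: "session request",
              0x82: "positive session response", 0x83: "negative session response",
              0x84: "retarget session response", 0x85: "session keep alive"}


def open_listener(host="0.0.0.0", port=139):
    """Bind a bare TCP listener; binding port 139 needs root on Linux."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    return srv


def capture_one(srv, max_bytes=4096, idle_timeout=5.0):
    """Accept one connection, never reply, and record what the peer sends."""
    conn, peer = srv.accept()           # kernel has already completed the handshake
    conn.settimeout(idle_timeout)
    data = b""
    try:
        while len(data) < max_bytes:
            chunk = conn.recv(max_bytes - len(data))
            if not chunk:               # peer closed the connection
                break
            data += chunk
    except (socket.timeout, ConnectionError):
        pass                            # peer went quiet or reset; keep what we have
    finally:
        conn.close()
    first = NBSS_TYPES.get(data[0], "not NBSS") if data else "no data"
    return {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "peer": f"{peer[0]}:{peer[1]}", "length": len(data),
            "first_byte": first, "hex": data.hex()}


if __name__ == "__main__":
    listener = open_listener()
    while True:                         # one record per inbound connection
        print(capture_one(listener))
```

Because the listener never answers, a client that speaks the NetBIOS session service will normally stop after its session request, so the capture shows that first message and nothing later in the exchange.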

