port 139 syn-fin scans

[Skip Carter <skip () taygeta com>]

Hello,

We have been seeing some persistant scanning activity for the past week.  When 
we first saw
it, we thought it was just an isolated incident, but in the last couple of 
days we have been
seeing more of the same thing.

The scans are on TCP port 139 with SYN-FIN flags set and both the source and 
destination ports
set to 139.  The scans attempt to hide by being slow (our /24 gets hit roughly 
once every 45 minutes)
and by using a randomized target address.

We have only seen a couple of source addresses for the probes, but they all 
have the same signature.
Snort reports:

[**] [111:13:1] (spp_stream4) STEALTH ACTIVITY (SYN FIN scan) detection [**]
04/18-00:59:44.192258 aaa.bbb.ccc.ddd:139 -> eee.fff.ggg.hhh:139
TCP TTL:30 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x1E68EED0 Ack: 0x4B9A8F9A Win: 0x404 TcpLen: 20 



Are any others seeing this ?




-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            












----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------