RE: port 139 syn-fin scans

["Kevin Hodle" <kevinh () aos5 com>]

We can confirm this.  We have been seeing this activity targeting
various parts of WorldNet's netblock.  Most of the sources are
originating from the 209.x.x.x range.  Closer examination of the sources
reveal that they are all what look like default installations of Linux
(Redhat in particular).  We believe this may be a new worm (or scanning
tool) to look for/exploit the recent samba vulnerabilities.  We think
the point of the syn/fin packets are to determine whether the remote
host has port 139 open, and whether the host is running windows (with
netbios-ssn open), or is a linux machine running samba.  Most stateful
inspection firewalls will drop these SYN/Fin packets, but they are a
clever way to determine the OS of an unfirewalled host.  The fact that
the source port of these packets is 139 is highly suspicious as well.

.. We are in the progress of setting a honeypot in an attempt to
'infect' ourselves, I will keep the list informed of anything else we
discover.  If anyone else has access to machine they think may be
infected with this worm, please let me know.
 
Kevin Hodle
CCNA, Network+, A+
Alexander Open Systems
Network Operations Center
(913)-307-2366
kevinh () aos5 com


-----Original Message-----
From: Skip Carter [mailto:skip () taygeta com] 
Sent: Friday, April 18, 2003 1:52 PM
To: incidents () securityfocus com
Subject: port 139 syn-fin scans



Hello,

We have been seeing some persistant scanning activity for the past week.
When 
we first saw
it, we thought it was just an isolated incident, but in the last couple
of 
days we have been
seeing more of the same thing.

The scans are on TCP port 139 with SYN-FIN flags set and both the source
and 
destination ports
set to 139.  The scans attempt to hide by being slow (our /24 gets hit
roughly 
once every 45 minutes)
and by using a randomized target address.

We have only seen a couple of source addresses for the probes, but they
all 
have the same signature.
Snort reports:

[**] [111:13:1] (spp_stream4) STEALTH ACTIVITY (SYN FIN scan) detection
[**] 04/18-00:59:44.192258 aaa.bbb.ccc.ddd:139 -> eee.fff.ggg.hhh:139
TCP TTL:30 TOS:0x0 ID:39426 IpLen:20 DgmLen:40 ******SF Seq: 0x1E68EED0
Ack: 0x4B9A8F9A Win: 0x404 TcpLen: 20 



Are any others seeing this ?




----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts.  The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches.  Deadline for the best rates is April 25.  Register today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
----------------------------------------------------------------------------