nanog mailing list archives
Re: Port 139 scans
From: Ben Browning <benb () oz net>
Date: Wed, 27 Sep 2000 11:35:23 -0700
At 01:14 PM 9/27/00 -0400, Bill Becker wrote:
>Speaking of the internet and the way it operates, is anyone
>else seeing a large number of random hosts scanning through
>their address space using TCP on port 139?

I get about 4 or 5 of these a day on my home boxen and I receive 5-10 times that many abuse complaints regarding this activity.
My current suspicion is that a backdoor trojan (pause here to decline the port 139 attempt that just zipped by me) is on the loose and being propagated like mad. This would certainly fit with the rumour of a huge DDoS attack in the works, as m@d l33t h@x0rs get as many machines as possible compromised and ready to help the attack.
I have noticed that the large majority of these scans from my address space (216.39.128.0 - 216.39.192.255) are targeted at others in the 216.39.* and 216.40.* blocks. Also, all of the computers in question seem to be Win9x boxes. Coincidence? I think not. Perhaps this is a new virus afoot that replicates itself by hunting through an IP block and the ones above and below it for an open Windows share. That would make sense, given the data I have thus far.
CERT has an advisory up (http://www.cert.org/vul_notes/VN-2000-03.html) about NetBIOS DoS attacks, but these don't seem to be hosing networks, just kind of feeling around.
If anyone else has more info, please share it!

---
Ben Browning <benb () oz net>
oz.net Network Operations
Tel (206) 443-8000
Fax (206) 443-0500
http://www.oz.net/
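A defender who wants to test the locality pattern described in this message against their own firewall or flow logs could tally, per source, how many TCP/139 targets fall in the source's own /16 or the one directly above or below it. This is an added example, not part of the original post; the log format, the /16 granularity, the `min_targets` threshold and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records ("src dst proto dport"); RFC 1918 addresses only.
SAMPLE_FLOWS = """\
10.39.130.17 10.39.5.20 tcp 139
10.39.130.17 10.39.5.21 tcp 139
10.39.130.17 10.40.77.3 tcp 139
10.39.130.17 10.40.77.4 tcp 139
10.39.130.17 10.38.12.9 tcp 139
10.39.140.2 10.39.140.9 tcp 80
10.39.150.8 10.200.2.3 tcp 139
10.39.150.8 172.16.4.44 tcp 139
10.39.150.8 192.168.100.7 tcp 139
10.39.150.8 10.39.9.9 tcp 139
10.39.160.5 10.39.1.1 tcp 139
not-an-ip 10.39.1.2 tcp 139
"""

def slash16(ip):
    """Top 16 bits of an IPv4 address, so adjacent /16 blocks differ by 1."""
    return int(ipaddress.IPv4Address(ip)) >> 16

def scan_locality(flow_text, port=139, min_targets=3):
    """For each source with at least min_targets distinct TCP/<port> targets,
    return (target count, fraction of targets in the same or adjacent /16)."""
    targets = defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        src, dst, proto, dport = fields
        if proto.lower() != "tcp" or dport != str(port):
            continue
        try:
            near = abs(slash16(dst) - slash16(src)) <= 1
        except ValueError:
            continue  # skip records with unparsable addresses
        targets[src].add((dst, near))
    report = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_targets:
            report[src] = (len(dsts), sum(n for _, n in dsts) / len(dsts))
    return report

if __name__ == "__main__":
    for src, (count, frac) in sorted(scan_locality(SAMPLE_FLOWS).items()):
        print(f"{src}: {count} targets on tcp/139, {frac:.0%} in same/adjacent /16")
```

A fraction near 1.0 across many sources is consistent with neighbour-block hunting; a low fraction points to scanning that is not tied to the source's own block.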