nanog mailing list archives
Re: Port 139 scans
From: Jason Slagle <raistlin () tacorp net>
Date: Wed, 27 Sep 2000 14:43:30 -0400 (EDT)
Partially correct. It's a worm.. Windows likes to share drives with no passwords. This worm just logs into those shares, and copies itself into like autoexec.bat. Next boot it infects your system. On a somewhat related note, since we obviously have AOL people living and they now own ICQ. irc.icq.com has been used for weeks for these kiddies to store various ddos clients on. Take a look at #0wned. All compromised machines. There are no live opers to deal with it, and emails to ircsupport () icq com go unanswered. Is there any way we can deal with things like this? Jason --- Jason Slagle - CCNA - CCDA Network Administrator - Toledo Internet Access - Toledo Ohio - raistlin () tacorp net - jslagle () toledolink com - WHOIS JS10172 -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GE d-- s:+ a-- C++ UL+++ P--- L+++ E- W- N+ o-- K- w--- O M- V PS+ PE+++ Y+ PGP t+ 5 X+ R tv+ b+ DI+ D G e+ h! r++ y+ ------END GEEK CODE BLOCK------ On Wed, 27 Sep 2000, Ben Browning wrote:
I get about 4 or 5 of these a day on my home boxen and I receive 5-10 times that many abuse complaints regarding this activity. My current suspicion is that a backdoor trojan (pause here to decline the port 139 attempt that just zipped by me) is on the loose and being propagated like mad. This would certainly fit with the rumour of a huge DDoS attack in the works, as m@d l33t h@x0rs get as many machines as possible compromised and ready to help the attack. I have noticed that the large majority of these scans from my address space (216.39.128.0 - 216.39.192.255) are targeted at others in the 216.39.* and 216.40.* blocks. Also, all of the computers in question seem to be Win9x boxes. Coincidence? I think not. Perhaps this is a new virus afoot that replicates itself by hunting through an IP block and the ones above and below it for an open Windows share. That would make sense, given the data I have thus far. CERT has an advisory up (http://www.cert.org/vul_notes/VN-2000-03.html) about NetBIOS DoS attacks, but these don't seem to be hosing networks, just kind of feeling around.
Current thread:
- Re: Disabling QAZ (was Re: Port 139 scans), (continued)
- Re: Disabling QAZ (was Re: Port 139 scans) Dan Hollis (Sep 29)
- Re: Disabling QAZ (was Re: Port 139 scans) John Fraizer (Sep 29)
- Re: Disabling QAZ (was Re: Port 139 scans) Dana Hudes (Sep 29)
- Re: Disabling QAZ (was Re: Port 139 scans) Mike Lewinski (Sep 29)
- Re: Disabling QAZ (was Re: Port 139 scans) Jason Slagle (Sep 30)
- Re: Disabling QAZ (was Re: Port 139 scans) Travis Pugh (Sep 30)
- Re: Disabling QAZ (was Re: Port 139 scans) Jason Slagle (Sep 30)
- Re: Disabling QAZ (was Re: Port 139 scans) John Fraizer (Sep 29)
- Re: Disabling QAZ (was Re: Port 139 scans) Mike Lewinski (Sep 29)
- Message not available
- Re: Port 139 scans Ben Browning (Sep 27)
- Re: Port 139 scans Jason Slagle (Sep 27)
- Re: Port 139 scans Dan Hollis (Sep 27)
- Re: Port 139 scans Kai Schlichting (Sep 27)
- Re: Port 139 scans Jared Mauch (Sep 27)