Snort mailing list archives
Re: Question on particular port scan of port 139/TCP
From: "J. C. Woods" <drjung () sprynet com>
Date: Fri, 24 Aug 2001 16:39:02 +0000
Sean O'Neill wrote:
Gotta a question. There are two systems that scan me every morning on port 139/TCP. I've called the owners. They are a small trucking company with no IT department. They are network/Internet newbies and have no knowledge of why their machines are doing this. They power down their servers at COB. It appears every work day when the power their servers up these machines scan me. Then in the afternoon I might get scanned again. What is weird is their servers are specifically scanning each of my 5 IPs. I've never heard of the NETBIOS Session Service doing this before. I don't get scanned all day. Just once or twice a day - that's it. So could this be: 1) Related to a netmask issue. They are using the same ISP I am with the same 8 (with 5 usage) static IP package from SWB. So their netmask should be /29. I can't imagine this could be it because they would have several other problems if their netmask wasn't correct. 2) Is there an NT compromise that fits this sort of activity their machines may be unfortunate enough to be hosting ? Any thoughts appreciated.
Hmmm, a lot depends on the particular OS's involved here, your and theirs. And is one of you running Windows Server with the WINS server enabled. It could be an attempt by a WINS Server, depending on who is running this service, to query what it believes to be a NETBIOS client. Some more info about the particulars is needed to fully understand what is going on... drjung -- J. Craig Woods UNIX SA -Art is the illusion of spontaneity- _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Question on particular port scan of port 139/TCP Sean O'Neill (Aug 24)
- Re: Question on particular port scan of port 139/TCP J. C. Woods (Aug 24)
- Re: Question on particular port scan of port 139/TCP Sean O'Neill (Aug 24)
- Re: Question on particular port scan of port 139/TCP J. C. Woods (Aug 24)