Re: Question on particular port scan of port 139/TCP

["J. C. Woods" <drjung () sprynet com>]

Sean O'Neill wrote:
> Gotta a question.
>
> There are two systems that scan me every morning on port 139/TCP.  I've
> called the owners.  They are a small trucking company with no IT
> department.  They are network/Internet newbies and have no knowledge of why
> their machines are doing this.  They power down their servers at COB.  It
> appears every work day when the power their servers up these machines scan
> me.  Then in the afternoon I might get scanned again.  What is weird is
> their servers are specifically scanning each of my 5 IPs.  I've never heard
> of the NETBIOS Session Service doing this before.  I don't get scanned all
> day.  Just once or twice a day - that's it.
>
> So could this be:
>
> 1) Related to a netmask issue.  They are using the same ISP I am with the
> same 8 (with 5 usage) static IP package from SWB.  So their netmask should
> be /29.  I can't imagine this could be it because they would have several
> other problems if their netmask wasn't correct.
>
> 2) Is there an NT compromise that fits this sort of activity their machines
> may be unfortunate enough to be hosting ?
>
> Any thoughts appreciated.

Hmmm, a lot depends on the particular OS's involved here, your and
theirs. And is one of you running Windows Server with the WINS server
enabled. It could be an attempt by a WINS Server, depending on who is
running this service, to query what it believes to be a NETBIOS client.
Some more info about the particulars is needed to fully understand what
is going on...

drjung

-- 
J. Craig Woods
UNIX SA

-Art is the illusion of spontaneity-

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users