Security Incidents mailing list archives

Do you know any Day 0 hacks use port 139? (fwd)


From: Derek Kwan <dkwan () KWAN ca>
Date: Mon, 13 Aug 2001 15:27:09 -0400 (EDT)


Since my last message, the number of port 139 scans continues to increase from
all over the place (but mostly from the @Home .24 network).

As of 3:30EST, there are already 89 scans (from 19 scans @ 02:30).

This is very unusual, since there were only a few scans on 139 before and all
of a sudden there is a big jump.

Is anyone seeing the same thing on their network?

 \|/ _____ \|/    ***************************************************
 "@'/ , . \`@"    This e-mail is sent with 100% recyclable electrons.
 /_| \___/ |__\   ***************************************************
    \___U_/       Derek () KWAN ca


---------- Forwarded message ----------
Date: Mon, 13 Aug 2001 02:40:25 -0400 (EDT)
From: Derek Kwan <dkwan () KWAN ca>
To: Incidents () Securityfocus com
Subject: Do you know any Day 0 hacks use port 139?


Hello World,

 In the past few days I have seen increased port 139 scans in the FW log.
Is anyone aware if there is a new hack, or is it just the plain old poking
around the "windows file sharing" service?

Before Aug 7: almost 0 port 139 scans detected (well, sometimes maybe 1 or
2 a day)
Aug 7: 7
Aug 8: 7
Aug 9: 4
Aug 10: 60
Aug 11: 87
Aug 12: 86
Aug 13 (from 00:00 - 02:30): 19

 \|/ _____ \|/    ***************************************************
 "@'/ , . \`@"    This e-mail is sent with 100% recyclable electrons.
 /_| \___/ |__\   ***************************************************
    \___U_/       Derek () KWAN ca



