Security Incidents mailing list archives
Re: Do you know any Day 0 hacks use port 139? (fwd)
From: Jason Spence <thalakan () technologist com>
Date: Mon, 20 Aug 2001 18:07:16 -0700
On Mon, Aug 13, 2001 at 03:01:33PM -0600, Blake McNeill developed a new theory of relativity and:
My first guess would be that you're seeing the effects of SirCam. In addition to being spread by email, SirCam once installed looks for open file shares on other machines on the network to infect. It does this by checking port 139. If you like, I have been keeping statistics concerning Red Code and SirCam on my local @Home providers and have posted the resulting graphs on http://members.home.net/mcneillb/. SirCam first showed up on our local ISP on July 19th or 20th and has been very persistent since then with anywhere from 15 - 45 probes a day to my system.
That's weird, because @Home has filters set up for TCP 137-139 and 445 on my subnet that just drop the packets on the floor:

Port       State       Service
21/tcp     open        ftp
25/tcp     filtered    smtp
42/tcp     open        nameserver
80/tcp     open        http
135/tcp    open        loc-srv
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
443/tcp    open        https
445/tcp    filtered    microsoft-ds
1080/tcp   filtered    socks
5631/tcp   open        pcanywheredata

Outgoing is blocked too.

- Jason

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com