Security Incidents mailing list archives

Re: Do you know any Day 0 hacks use port 139? (fwd)


From: Jason Spence <thalakan () technologist com>
Date: Mon, 20 Aug 2001 18:07:16 -0700

On Mon, Aug 13, 2001 at 03:01:33PM -0600, Blake McNeill developed
a new theory of relativity and: 
My first guess would be that you're seeing the effects of SirCam.  In addition
to being spread by email, SirCam, once installed, looks for open file shares on
other machines on the network to infect.  It does this by checking port 139.  If
you like, I have been keeping statistics concerning Red Code and SirCam on
my local @Home provider and have posted the resulting graphs on
http://members.home.net/mcneillb/.  SirCam first showed up on our local ISP
on July 19th or 20th and has been very persistent since then, with anywhere
from 15 - 45 probes a day to my system.

That's weird, because @Home has filters set up for TCP 137-139 and 445
on my subnet that just drop the packets on the floor:

Port       State       Service
21/tcp     open        ftp
25/tcp     filtered    smtp
42/tcp     open        nameserver
80/tcp     open        http
135/tcp    open        loc-srv
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
443/tcp    open        https
445/tcp    filtered    microsoft-ds
1080/tcp   filtered    socks
5631/tcp   open        pcanywheredata

Outgoing is blocked too.  

 - Jason
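As an added illustration (not part of the original messages or anything posted in this thread), the following Python reproduces the two checks the exchange turns on: counting probes to the NetBIOS/SMB ports per day from a firewall log, the way the per-day SirCam statistics above were gathered, and parsing an nmap-style port table to see which of those ports an upstream ISP filter is not silently dropping. The log format assumed is that of the Linux netfilter LOG target as written to syslog; the sample log lines, hostnames and addresses are constructed, not real traffic, and the second scan table is likewise made up to show the exposed case.

```python
import re
from collections import Counter, defaultdict

# NetBIOS / SMB ports the thread is about.  SirCam's share scanning goes after
# TCP 139 (netbios-ssn); 445 is direct-hosted SMB on Windows 2000 and later.
SMB_PORTS = {137: "netbios-ns", 138: "netbios-dgm",
             139: "netbios-ssn", 445: "microsoft-ds"}

# Linux netfilter "LOG" target line as written to syslog.  Only the fields we
# need are captured; lines without SPT/DPT (e.g. ICMP) will not match.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# One "port/proto state service" row of an nmap port table.
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\w+)\s+(?P<svc>\S+)")


def parse_log_line(line):
    """Return the fields of one netfilter log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    mon, day = m.group("ts").split()[:2]
    return {
        "day": f"{mon} {int(day):02d}",   # "Aug  9" and "Aug 09" become the same key
        "src": m.group("src"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def smb_probes_per_day(lines):
    """Count probes to NetBIOS/SMB ports per calendar day.

    Returns {day: (probe_count, distinct_source_hosts)}.  Distinct sources are
    tracked because one infected host retrying all day and a dozen newly
    infected hosts look the same in a raw hit count.
    """
    per_day = Counter()
    sources = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["dpt"] not in SMB_PORTS:
            continue
        per_day[rec["day"]] += 1
        sources[rec["day"]].add(rec["src"])
    return {day: (n, len(sources[day])) for day, n in sorted(per_day.items())}


def unfiltered_smb_ports(scan_text):
    """Parse nmap-style port rows and return the NetBIOS/SMB ports whose state
    is anything other than 'filtered', i.e. ports an upstream filter like the
    one described in the thread is NOT dropping before they reach the host."""
    exposed = []
    for line in scan_text.splitlines():
        m = PORT_RE.match(line.strip())
        if not m:
            continue
        port = int(m.group("port"))
        if port in SMB_PORTS and m.group("state") != "filtered":
            exposed.append(port)
    return exposed


# Constructed sample log lines (not real traffic); hosts and addresses are made up.
_MAC = "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"
_TAIL = "LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=1234 DF PROTO=TCP"
SAMPLE_LOG = [
    f"Aug 19 02:11:40 gw kernel: IN=eth0 OUT= {_MAC} SRC=24.0.0.10 DST=24.0.0.99 {_TAIL} SPT=1043 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0",
    f"Aug 19 02:11:43 gw kernel: IN=eth0 OUT= {_MAC} SRC=24.0.0.10 DST=24.0.0.99 {_TAIL} SPT=1044 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0",
    f"Aug 19 13:02:07 gw kernel: IN=eth0 OUT= {_MAC} SRC=24.0.0.11 DST=24.0.0.99 {_TAIL} SPT=2201 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0",
    f"Aug 20 07:45:12 gw kernel: IN=eth0 OUT= {_MAC} SRC=24.0.0.12 DST=24.0.0.99 {_TAIL} SPT=3310 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0",
    f"Aug 20 07:45:15 gw kernel: IN=eth0 OUT= {_MAC} SRC=24.0.0.12 DST=24.0.0.99 {_TAIL} SPT=3311 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0",
    f"Aug 20 08:00:00 gw kernel: IN=eth0 OUT= {_MAC} SRC=24.0.0.13 DST=24.0.0.99 {_TAIL} SPT=4000 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Aug 20 09:00:01 gw sshd[812]: Accepted publickey for admin from 24.0.0.2 port 51022",
]

# The port table from the message above: every NetBIOS/SMB port is filtered.
SCAN_FILTERED = """\
21/tcp     open        ftp
135/tcp    open        loc-srv
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
445/tcp    filtered    microsoft-ds
"""

# Constructed counter-example: a host on a subnet with no upstream filter.
SCAN_EXPOSED = """\
137/tcp    filtered    netbios-ns
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
"""

if __name__ == "__main__":
    for day, (hits, hosts) in smb_probes_per_day(SAMPLE_LOG).items():
        print(f"{day}: {hits} NetBIOS/SMB probes from {hosts} distinct hosts")
    print("exposed (filtered scan):", unfiltered_smb_ports(SCAN_FILTERED))
    print("exposed (unfiltered scan):", unfiltered_smb_ports(SCAN_EXPOSED))
```

Run against a real netfilter log, the per-day counts are what would back a graph like the one referred to above; the second function is the check Jason's table implies, since a host behind an ISP that drops 137-139 and 445 should see none of those ports reported as anything but `filtered` from outside that subnet.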

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
