Security Incidents mailing list archives

TCP port 139 probes


From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Tue, 9 Jul 2002 22:21:35 +0200 (MET DST)

I have detected a noticeable increase of (blocked) attempts to connect
to the TCP port 139 on machines in our network. Look at these numbers
(number of blocked packets per day):

      1 Jun 10
      5 Jun 11
     13 Jun 12
     15 Jun 13
      3 Jun 15
      3 Jun 16
      4 Jun 17
     13 Jun 18
     18 Jun 19
     16 Jun 20
     15 Jun 21
      4 Jun 22
      2 Jun 23
     23 Jun 24
     18 Jun 25
     44 Jun 26
     95 Jun 27
    112 Jun 28
     84 Jun 29
     53 Jun 30
    130 Jul  1
    191 Jul  2
    227 Jul  3
    235 Jul  4
    226 Jul  5
    185 Jul  6
    167 Jul  7
    350 Jul  8
    199 Jul  9

These probes are not (ordinary) scans but isolated attempts by seemingly
random remote IP addresses to open a connection to seemingly random local IP
addresses. In many cases, the destination is an unused address.

This is very suspicious.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
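
Added example, not part of the original post: one way to produce the per-day tally above from firewall logs and to separate ordinary scans (one source touching many local addresses) from the isolated probes the post describes. The log format, the sample lines, the LIVE_HOSTS inventory and the threshold of 3 are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: hypothetical firewall-log format, documentation-range IPs.
SAMPLE_LOG = """\
Jul  8 01:12:03 fw DROP proto=TCP src=198.51.100.7 dst=192.0.2.14 dport=139
Jul  8 02:40:51 fw DROP proto=TCP src=203.0.113.90 dst=192.0.2.201 dport=139
Jul  8 02:41:10 fw DROP proto=TCP src=198.51.100.33 dst=192.0.2.5 dport=80
Jul  8 09:03:27 fw DROP proto=TCP src=203.0.113.4 dst=192.0.2.1 dport=139
Jul  8 09:03:27 fw DROP proto=TCP src=203.0.113.4 dst=192.0.2.2 dport=139
Jul  8 09:03:28 fw DROP proto=TCP src=203.0.113.4 dst=192.0.2.3 dport=139
Jul  9 14:22:45 fw DROP proto=TCP src=198.51.100.150 dst=192.0.2.77 dport=139
"""
# Constructed inventory of local addresses that are actually in use.
LIVE_HOSTS = {"192.0.2.1", "192.0.2.2", "192.0.2.14"}

LINE_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d{1,2}) \S+ \S+ DROP proto=TCP "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def summarize(log_text, live_hosts, port=139, scan_threshold=3):
    """Per-day counts plus a split of sources into sweepers and isolated probers."""
    per_day = Counter()
    dsts_by_src = defaultdict(set)
    unused_hits = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != port:
            continue  # unparsable line or a different port
        per_day[" ".join(m["day"].split())] += 1  # "Jul  8" -> "Jul 8"
        dsts_by_src[m["src"]].add(m["dst"])
        if m["dst"] not in live_hosts:
            unused_hits += 1  # blocked packet aimed at an unused address
    # A source that touched many distinct local addresses looks like an ordinary
    # scan; sources below the threshold are the isolated attempts described above.
    sweepers = {s for s, d in dsts_by_src.items() if len(d) >= scan_threshold}
    isolated = set(dsts_by_src) - sweepers
    return {"per_day": dict(per_day), "sweepers": sweepers,
            "isolated": isolated, "unused_hits": unused_hits}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, LIVE_HOSTS).items():
        print(key, value)
```

A rising per-day count together with a growing "isolated" set and a high share of hits on unused addresses matches the pattern reported in the message.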

