Security Incidents mailing list archives

RE: TCP port 139 probes


From: Ryan Russell <ryan () securityfocus com>
Date: Fri, 12 Jul 2002 17:08:40 -0600 (MDT)

On Wed, 10 Jul 2002, Pavel Kankovsky wrote:

  winhlp32.exe                        A   317440  Fri Jul  5 15:43:08 2002
  notepad.exe                         A   317440  Fri Jul  5 15:43:08 2002
  control.exe                         A   317440  Fri Jul  5 15:43:08 2002
  scanregw.exe                        A   317440  Fri Jul  5 15:43:08 2002
  ifnhlp.sys                          A   317440  Tue Jul  9 22:20:00 2002
  scanregw.exe                        A   317440  Fri Jul  5 15:43:40 2002
  loadpe.com                          A   317440  Fri Jul  5 15:43:40 2002
  msiexec.exe                         A   317440  Fri Jul  5 15:43:08 2002
  wf2k.exe                            A   317440  Fri Jul  5 15:43:40 2002

Pavel provided me some samples off-list.  The ones shown here are
identified as Stator by the f-prot DOS scanner.

http://securityresponse.symantec.com/avcenter/venc/data/w32.stator@mm.html

A few other files (not shown in this note) are Datom:
http://securityresponse.symantec.com/avcenter/venc/data/w32.datom.worm.html

Datom scans for open shares, so that's the port 139 traffic.  The Symantec
description of the Stator worm says it's a mass-mailer, so I'm not sure
how that relates, or why they are there.  The filenames match, though.

                                                Ryan
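As an added example, not part of Ryan's or Pavel's mail, here is a small Python script that parses a listing in the format quoted above and flags clusters of distinct executables that report the identical byte size, which is what makes the quoted files stand out. The sample listing is constructed, and the same-size heuristic is my own assumption: it is a prompt to pull the files for an AV scan, not an identification of any particular worm.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the listing quoted in the thread:
# <name> <attributes> <size> <timestamp>. The last two lines are clean decoys.
SAMPLE_LISTING = """\
  winhlp32.exe                        A   317440  Fri Jul  5 15:43:08 2002
  notepad.exe                         A   317440  Fri Jul  5 15:43:08 2002
  control.exe                         A   317440  Fri Jul  5 15:43:08 2002
  ifnhlp.sys                          A   317440  Tue Jul  9 22:20:00 2002
  scanregw.exe                        A   317440  Fri Jul  5 15:43:40 2002
  scanregw.exe                        A   317440  Fri Jul  5 15:43:40 2002
  loadpe.com                          A   317440  Fri Jul  5 15:43:40 2002
  calc.exe                            A    94208  Wed Aug 29 12:00:00 2001
  mspaint.exe                         A   344064  Wed Aug 29 12:00:00 2001
"""

# name, optional attribute letters, decimal size, rest of line as timestamp
LINE_RE = re.compile(r"^\s*(\S+)\s+([A-Z]*)\s+(\d+)\s+(.+?)\s*$")

EXECUTABLE_SUFFIXES = (".exe", ".com", ".sys", ".scr")


def parse_listing(text):
    """Return a list of (name, attrs, size, timestamp) tuples; unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, attrs, size, stamp = m.groups()
            entries.append((name, attrs, int(size), stamp))
    return entries


def suspicious_size_clusters(entries, min_files=3):
    """Group executables by exact byte size and keep sizes shared by at least
    min_files distinct names (heuristic assumption: unrelated system binaries
    rarely share a size, so such a cluster is worth scanning)."""
    by_size = defaultdict(set)
    for name, _attrs, size, _stamp in entries:
        if name.lower().endswith(EXECUTABLE_SUFFIXES):
            by_size[size].add(name.lower())
    return {size: sorted(names) for size, names in by_size.items() if len(names) >= min_files}


if __name__ == "__main__":
    for size, names in suspicious_size_clusters(parse_listing(SAMPLE_LISTING)).items():
        print(f"{len(names)} distinct executables of {size} bytes: {', '.join(names)}")
```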


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
