nanog mailing list archives
Re: Port 139 scans
From: ken lindahl <lindahl () ack Berkeley EDU>
Date: Wed, 27 Sep 2000 11:43:43 -0700 (PDT)
On Wed, 27 Sep 2000, Bill Becker wrote:
Speaking of the internet and the way it operates, is anyone else seeing a large number of random hosts scanning through their address space using TCP on port 139? Bill
we've seen similar scans here at UCB, and have traced a number of them
to a win32 trojan variously named {note.com,Qaz.Trojan,QAZ.worm,TROJ_QAZ.A,
Trojan/Notepad,W32.HLLW.Qaz.A}. if you're so inclined, you can test
for this by telnetting to port 7597 on the machine that scanned you.
http://vil.nai.com/villib/dispVirus.asp?virus_k=98775 for details.
ken
Current thread:
- Re: Port 139 scans ken lindahl (Sep 27)
- <Possible follow-ups>
- RE: Port 139 scans Roeland M.J. Meyer (Sep 27)
- Re: Port 139 scans Roland Dobbins (Sep 27)
- RE: Port 139 scans Roeland M.J. Meyer (Sep 27)
- Re: Port 139 scans vern (Sep 28)
- Re: Port 139 scans Ben Browning (Sep 28)
- Re: Port 139 scans Roland Dobbins (Sep 28)
- Re: Port 139 scans Ben Browning (Sep 28)