Snort mailing list archives
Question on particular port scan of port 139/TCP
From: Sean O'Neill <swoneill () bigfoot com>
Date: Fri, 24 Aug 2001 14:41:56 -0500
Got a question. There are two systems that scan me every morning on port 139/TCP. I've called the owners. They are a small trucking company with no IT department. They are network/Internet newbies and have no knowledge of why their machines are doing this. They power down their servers at COB. It appears every work day when they power their servers up these machines scan me. Then in the afternoon I might get scanned again. What is weird is their servers are specifically scanning each of my 5 IPs. I've never heard of the NETBIOS Session Service doing this before. I don't get scanned all day. Just once or twice a day - that's it.
So could this be:

1) Related to a netmask issue. They are using the same ISP I am with the same 8 (with 5 usage) static IP package from SWB. So their netmask should be /29. I can't imagine this could be it because they would have several other problems if their netmask wasn't correct.

2) Is there an NT compromise that fits this sort of activity their machines may be unfortunate enough to be hosting?
Any thoughts appreciated.

Sean O'Neill