Snort mailing list archives
Re: Question on particular port scan of port 139/TCP
From: Sean O'Neill <swoneill () bigfoot com>
Date: Fri, 24 Aug 2001 23:44:51 -0500
Well, I'm not related to either of these computers in any way. Never heard of these guys before.
I'm running a Win2K Pro laptop but it's behind a Solaris 8 firewall running IPF. All their probes are getting dropped by my firewall. Their probes are all 139/TCP SYN packets. There aren't any SYN/ACKs coming from them to me, so I'm pretty sure I'm not initiating this.
It sounds like this "probe" starts every time they power their machines up. Also, I usually get probed again in the afternoon, but I'm not sure what they are doing to make this happen. The probes are abusive. Maybe 12-20 packets for each burst, then it stops. I wouldn't be surprised if I'm not the only one getting "scanned".
I'm not an NT guy at all. Hoping to understand if a WINS server could be initiating this when various NT services are started for the first time on a box, or if maybe these guys have been compromised in some way.
At 04:39 PM 8/24/2001 +0000, J. C. Woods wrote:
> Sean O'Neill wrote:
> >
> > Got a question.
> >
> > There are two systems that scan me every morning on port 139/TCP. I've called the owners. They are a small trucking company with no IT department. They are network/Internet newbies and have no knowledge of why their machines are doing this. They power down their servers at COB. It appears every work day when they power their servers up these machines scan me. Then in the afternoon I might get scanned again. What is weird is their servers are specifically scanning each of my 5 IPs. I've never heard of the NETBIOS Session Service doing this before. I don't get scanned all day. Just once or twice a day - that's it.
> >
> > So could this be:
> >
> > 1) Related to a netmask issue. They are using the same ISP I am with the same 8 (with 5 usable) static IP package from SWB. So their netmask should be /29. I can't imagine this could be it because they would have several other problems if their netmask wasn't correct.
> >
> > 2) Is there an NT compromise that fits this sort of activity their machines may be unfortunate enough to be hosting?
> >
> > Any thoughts appreciated.
>
> Hmmm, a lot depends on the particular OSes involved here, yours and theirs. And is one of you running Windows Server with the WINS server enabled? It could be an attempt by a WINS Server, depending on who is running this service, to query what it believes to be a NETBIOS client. Some more info about the particulars is needed to fully understand what is going on...
>
> drjung
> --
> J. Craig Woods
> UNIX SA
> -Art is the illusion of spontaneity-
--
Sean O'Neill