Snort mailing list archives
Re: portscan destination port 137
From: Axel Pettinger <api () epost de>
Date: Fri, 15 Nov 2002 07:49:50 +0100
Security Admin wrote:
> I've seen these regularly over the past couple of weeks. Dshield.org is reporting its top attacking IP is scanning port 137. And incidents.org has the following...
> http://isc.incidents.org/port_details.html?port=137
> We now believe that these port 137 scans are due to the 'Bugbear' mass mailing virus and the 'Scrup' worm.
No, "Bugbear" is not and cannot be the source as it only enumerates local network resources to find open shares.
Scrup: http://vil.mcafee.com/dispVirus.asp?virus_k=99729
http://www.sophos.com/virusinfo/analyses/w32opaserva.html
http://www.Europe.F-Secure.com/v-descs/opasoft.shtml

"Scrup", now better known as the "Opaserv" worm, is probably responsible for the majority of port 137 scans. Several variants exist. It's an aggressive spreader which attacks Win9x/ME machines which have open shares or are vulnerable to the "Share Level Password" vulnerability (MS00-072).

Regards,
Axel Pettinger
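The distinction drawn in the message above (enumeration confined to the local network versus wide scanning of port 137) can be checked from alert logs. The following is an added example, not part of the original post or of Snort: it assumes a home network of 192.168.1.0/24, a threshold of three distinct targets, and constructed sample lines in the layout of Snort fast-alert output. The labels are a heuristic for triage and do not identify a specific worm.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed flows (protocol, source, destination); not real traffic.
FLOWS = [
    ("UDP", "192.168.1.23:137", "192.168.1.40:137"),
    ("UDP", "192.168.1.23:137", "192.168.1.41:137"),
    ("UDP", "192.168.1.23:137", "192.168.1.42:137"),
    ("UDP", "192.168.1.77:1029", "198.51.100.5:137"),
    ("UDP", "192.168.1.77:1029", "198.51.100.6:137"),
    ("UDP", "192.168.1.77:1029", "203.0.113.9:137"),
    ("UDP", "203.0.113.50:1025", "192.168.1.10:137"),
    ("UDP", "203.0.113.50:1025", "192.168.1.11:137"),
    ("UDP", "203.0.113.50:1025", "192.168.1.12:137"),
    ("UDP", "192.168.1.5:137", "192.168.1.1:137"),    # single query, not a sweep
    ("TCP", "192.168.1.5:1030", "198.51.100.7:139"),  # wrong protocol and port
]
# Rendered in the layout of Snort fast-alert lines; the sid and message are made up.
SAMPLE = "\n".join(
    f"11/14-07:41:02.000000  [**] [1:1000001:1] constructed alert [**] "
    f"[Priority: 3] {{{proto}}} {src} -> {dst}"
    for proto, src, dst in FLOWS
)

UDP_137 = re.compile(r"\{UDP\} (\d+(?:\.\d+){3}):\d+ -> (\d+(?:\.\d+){3}):137\s*$")
def classify_137_sources(log_text, home_net="192.168.1.0/24", min_targets=3):
    """Label each source that sent UDP/137 to at least min_targets distinct hosts."""
    home = ipaddress.ip_network(home_net)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = UDP_137.search(line)
        if m:
            targets[m.group(1)].add(ipaddress.ip_address(m.group(2)))
    verdicts = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue  # too few distinct targets to call it a sweep
        if ipaddress.ip_address(src) not in home:
            verdicts[src] = "inbound-sweep"      # outside host probing our range
        elif all(d in home for d in dsts):
            verdicts[src] = "local-enumeration"  # stays on the local network
        else:
            verdicts[src] = "outbound-sweep"     # inside host probing other networks
    return verdicts

if __name__ == "__main__":
    for source, verdict in sorted(classify_137_sources(SAMPLE).items()):
        print(source, verdict)
```

An inside host labelled `outbound-sweep` is the one to inspect first, since it is sending port 137 probes to networks it has no reason to browse.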