Snort mailing list archives
Strange 135 Win9x traffic
From: "Marc Quibell" <mquibell () fbfs com>
Date: Thu, 28 Aug 2003 10:27:15 -0500
This is not so much about Snort, but....er.... Anybody else seeing this stuff? Port 135 traffic to one IP on the 0/8 subnet? It seems to me to be a half-failed attempt to infect Winblows 9x workstations with the blaster worm. Seemed to appear at about the same time as Blaster. Goes off every few seconds or so.. 10:08:29.803694 0:e0:f7:7a:c9:80 0:2:55:58:cc:78 ip 62: workstation.ourdomain.com.3843 > 0.21.113.47.135: S [tcp sum ok] 97758436:97758436(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 126, id 42104, len 48) TIA! Marc ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Strange 135 Win9x traffic Marc Quibell (Aug 28)