Snort mailing list archives

Strange 135 Win9x traffic


From: "Marc Quibell" <mquibell () fbfs com>
Date: Thu, 28 Aug 2003 10:27:15 -0500



This is not so much about Snort, but....er....

Anybody else seeing this stuff? Port 135 traffic to one IP on the 0/8 subnet? It
seems to me to be a half-failed attempt to infect Winblows 9x workstations
with the Blaster worm. Seemed to appear at about the same time as Blaster. Goes
off every few seconds or so..

10:08:29.803694 0:e0:f7:7a:c9:80 0:2:55:58:cc:78 ip 62:
workstation.ourdomain.com.3843 > 0.21.113.47.135: S [tcp sum ok]
97758436:97758436(0) win 8192
<mss 1460,nop,nop,sackOK> (DF) (ttl 126, id 42104, len 48)

TIA!

Marc
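
A way to find which internal hosts emit the traffic described in the post above, as an added example that is not part of the original message: it rejoins mail-wrapped `tcpdump` records and counts initial SYNs to TCP/135 on any address in 0.0.0.0/8. The hostnames, the second and third sample records, and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

THIS_NET = ipaddress.ip_network("0.0.0.0/8")  # the "0/8" range named in the post
RECORD_START = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")  # tcpdump timestamp
FLOW = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+): (\S+)")  # src.port > dst.port: flags

# Constructed sample; the first record is wrapped the way the post's capture is.
SAMPLE = """\
10:08:29.803694 0:e0:f7:7a:c9:80 0:2:55:58:cc:78 ip 62:
ws1.example.com.3843 > 0.21.113.47.135: S [tcp sum ok]
97758436:97758436(0) win 8192
<mss 1460,nop,nop,sackOK> (DF) (ttl 126, id 42104, len 48)
10:08:33.101200 0:e0:f7:7a:c9:80 0:2:55:58:cc:78 ip 62: ws1.example.com.3844 > 0.21.113.47.135: S [tcp sum ok] 97760001:97760001(0) win 8192 (DF)
10:08:34.000100 0:e0:f7:7a:c9:81 0:2:55:58:cc:78 ip 62: ws2.example.com.1050 > 192.0.2.10.135: S [tcp sum ok] 5550001:5550001(0) win 8192 (DF)
"""

def records(text):
    """Rejoin mail-wrapped tcpdump output; a record starts at a timestamp."""
    current = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if RECORD_START.match(line) and current:
            yield " ".join(current)
            current = []
        current.append(line)
    if current:
        yield " ".join(current)

def syns_to_zero_net(text, port=135):
    """Count initial SYNs per source sent to `port` on an address in 0.0.0.0/8."""
    hits = Counter()
    for rec in records(text):
        m = FLOW.search(rec)
        if not m or m.group(5) != "S" or " ack " in rec:
            continue  # not a flow line, or not an initial SYN
        src, dst, dport = m.group(1), m.group(3), int(m.group(4))
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # destination was printed as a resolved hostname
        if dport == port and dst_ip in THIS_NET:
            hits[src] += 1
    return hits

if __name__ == "__main__":
    for host, count in syns_to_zero_net(SAMPLE).most_common():
        print(f"{host}: {count} SYNs to 0.0.0.0/8 port 135")
```
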



