[31531] in North American Network Operators' Group
Re: Port 139 scans
daemon@ATHENA.MIT.EDU (Ben Browning)
Wed Sep 27 14:37:26 2000
Message-Id: <5.0.0.25.2.20000927113355.027373d0@mail.oz.net>
Date: Wed, 27 Sep 2000 11:35:23 -0700
To: nanog@merit.edu
From: Ben Browning <benb@oz.net>
In-Reply-To: <Pine.LNX.4.21.0009271425140.10543-100000@Overkill.EnterZone.Net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu
At 01:14 PM 9/27/00 -0400, Bill Becker wrote:
>Speaking of the internet and the way it operates, is anyone
>else seeing a large number of random hosts scanning through
>their address space using TCP on port 139?
I get about 4 or 5 of these a day on my home boxen and I receive 5-10 times
that many abuse complaints regarding this activity.
My current suspicion is that a backdoor trojan (pause here to decline the
port 139 attempt that just zipped by me) is on the loose and being
propagated like mad. This would certainly fit with the rumour of a huge
DDoS attack in the works, as m@d l33t h@x0rs get as many machines as
possible compromised and ready to help the attack.
I have noticed that the large majority of these scans from my address space
(216.39.128.0 - 216.39.192.255) are targeted at others in the 216.39.* and
216.40.* blocks. Also, all of the computers in question seem to be Win9x
boxes. Coincidence? I think not. Perhaps this is a new virus afoot that
replicates itself by hunting through an IP block and the ones above and
below it for an open Windows share. That would make sense, given the data I
have thus far.
CERT has an advisory up (http://www.cert.org/vul_notes/VN-2000-03.html)
about NetBIOS DoS attacks, but these don't seem to be hosing networks, just
kind of feeling around.
If anyone else has more info, please share it!
---
Ben Browning <benb@oz.net>
oz.net Network Operations
Tel (206) 443-8000 Fax (206) 443-0500
http://www.oz.net/
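Added illustration, not part of the original message or of anything oz.net ran: a small Python script that tests the hypothesis raised above (sources probing TCP/139 mostly hit hosts in their own /16 and the /16 immediately above and below it) against firewall log lines. The log format is a constructed, simplified one-line-per-connection shape, not any real firewall's output, and the addresses outside 216.39.0.0/16 are documentation/test ranges used as stand-ins. The function `find_port139_scanners` and the threshold `min_targets` are my own names.

```python
"""Check whether port-139 probers favour their own and neighbouring /16 blocks.

Added example for the NANOG "Port 139 scans" thread; not code from the
original post.  Log lines below are constructed, in a simplified
"<src> -> <dst>:<dport> <proto>" shape that stands in for real firewall output.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not real traffic).  216.39.130.5 sweeps its own and
# neighbouring /16s; 203.0.113.7 (TEST-NET-3) sweeps a distant block;
# 216.39.140.22 makes too few probes to count; 10.0.0.8 is not port 139 at all.
SAMPLE_LOG = """\
216.39.130.5 -> 216.39.200.17:139 TCP
216.39.130.5 -> 216.39.200.18:139 TCP
216.39.130.5 -> 216.40.12.9:139 TCP
216.39.130.5 -> 216.38.77.2:139 TCP
216.39.130.5 -> 216.39.200.19:139 TCP
10.0.0.8 -> 216.39.150.1:80 TCP
216.39.140.22 -> 198.51.100.4:139 TCP
216.39.140.22 -> 198.51.100.5:139 TCP
203.0.113.7 -> 216.39.1.1:139 TCP
203.0.113.7 -> 216.39.1.2:139 TCP
203.0.113.7 -> 216.39.1.3:139 TCP
"""

LINE_RE = re.compile(r"^(\S+) -> (\S+):(\d+) (\w+)$")


def parse(log):
    """Yield (src, dst, dport) for every line that matches the constructed format."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that does not fit; real logs are noisier
        yield m.group(1), m.group(2), int(m.group(3))


def is_adjacent_block(src, dst):
    """True if dst lies in src's /16 or in the /16 directly above or below it.

    The /16 index is the top 16 bits of the address, so 216.39.x.x is 55335,
    216.40.x.x is 55336, and so on; adjacency is a difference of at most 1.
    (216.255.x.x and 217.0.x.x therefore count as neighbours too, which is
    what "the block above" means numerically.)
    """
    s = int(ipaddress.ip_address(src)) >> 16
    d = int(ipaddress.ip_address(dst)) >> 16
    return abs(s - d) <= 1


def find_port139_scanners(log, min_targets=3):
    """Group TCP/139 probes by source and report, for each source that touched
    at least min_targets distinct hosts, how many hosts it hit and what fraction
    of them sit in its own or a neighbouring /16.  A fraction near 1.0 fits the
    "hunt through the adjacent blocks" pattern; near 0.0 does not."""
    targets = defaultdict(set)
    for src, dst, dport in parse(log):
        if dport == 139:
            targets[src].add(dst)
    report = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        near = sum(1 for d in dsts if is_adjacent_block(src, d))
        report[src] = {"targets": len(dsts), "adjacent_fraction": near / len(dsts)}
    return report


if __name__ == "__main__":
    for src, info in sorted(find_port139_scanners(SAMPLE_LOG).items()):
        print(f"{src:16} hosts={info['targets']:3}  "
              f"adjacent={info['adjacent_fraction']:.2f}")
```

On the constructed sample this flags 216.39.130.5 with all five of its targets in the neighbouring blocks and 203.0.113.7 with none, while ignoring the two-probe source and the non-139 traffic; the threshold is there because a single stray SYN to port 139 is not evidence of anything.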