[31556] in North American Network Operators' Group


Re: Port 139 scans

daemon@ATHENA.MIT.EDU (Etaoin Shrdlu)
Thu Sep 28 11:06:44 2000

Message-ID: <39D35C6B.553D21EF@deaddrop.org>
Date: Thu, 28 Sep 2000 07:57:47 -0700
From: Etaoin Shrdlu <shrdlu@deaddrop.org>
MIME-Version: 1.0
To: nanog@merit.edu
Cc: Dana Hudes <dhudes@hudes.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu


Dana Hudes wrote:
> 
> Yes but in the past few days activity has stepped up tremendously.
> Where my webserver, which uses Samba to communicate with my local
> desktop win98 machine (the latter is client, no shares exported)
> used to get once in a couple months an attempt on port 139 now I
> have 45 / day.

I also use Concentric. I have seen a huge upsurge in 139 scans, and
whenever I connect to the magic port (7597) for curiosity's sake, I get
the prompt that shows it's infected. It isn't your imagination. Before
someone comments on the fact that these are natural, I will state that I
log everything, all the time, and the upswing has been recent, and
dramatic. From a natural 2 or 3 an hour, I have seen it surge to 

> Furthermore, they're overwhelmingly from customers of my upstream --
> Concentric. A handful from @home and others. I reported this to
> Concentric with the log.smb file in the message. No response 3 days
> later.

I am wondering which address you mailed this to. I am aware that there
is at least one person from Concentric (or Nextlink) that reads this
list, so that may help. I've engaged portsentry, specifically looking
for those machines that I see that are infected with a variant of the
notepad trojan (and thanks to Ken Lindahl for posting that link to NAI,
so that I didn't have to go guessing for which port was the magic one).
I will be emailing Concentric later this evening, with a list of
machines that I have verified as containing the trojan. I usually have
good response from them, but haven't really tried an email since they
combined with Nextlink.

.shrdlu

--
Modems connected to LANs are your friend.

		-kmart
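The thread above is about spotting an upswing in inbound port 139 attempts from logs and identifying the sources that keep coming back. The following is an added example, not code from either poster: it parses constructed netfilter-style syslog lines (the log format, host name, and addresses are assumptions, and the addresses are from the documentation ranges), counts TCP/139 attempts per day and per source, flags days that exceed a chosen multiple of a baseline rate, and lists the sources responsible, which is the kind of list one would attach when reporting to an upstream.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in netfilter/syslog style (assumed format, not from the post).
SAMPLE_LOG = """\
Sep 26 03:12:01 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=1044 DPT=139 SYN
Sep 26 14:40:13 gw kernel: IN=eth0 SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=3301 DPT=139 SYN
Sep 27 09:01:55 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=1080 DPT=139 SYN
Sep 28 07:15:02 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=1101 DPT=139 SYN
Sep 28 07:15:03 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=1102 DPT=139 SYN
Sep 28 07:16:10 gw kernel: IN=eth0 SRC=192.0.2.23 DST=198.51.100.7 PROTO=TCP SPT=2049 DPT=139 SYN
Sep 28 07:16:11 gw kernel: IN=eth0 SRC=192.0.2.23 DST=198.51.100.7 PROTO=TCP SPT=2050 DPT=139 SYN
Sep 28 07:20:00 gw kernel: IN=eth0 SRC=192.0.2.88 DST=198.51.100.7 PROTO=TCP SPT=4000 DPT=80 SYN
Sep 28 08:00:00 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=UDP SPT=137 DPT=137
"""

# syslog prefix: "Mon DD HH:MM:SS host kernel: KEY=VALUE ..." (day may be space-padded)
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: (?P<kv>.*)$"
)


def parse_line(line):
    """Return a dict with date, time, src, proto, dport, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Split the KEY=VALUE tail; bare flags such as SYN have no '=' and are skipped.
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    return {
        "date": f"{m.group('mon')} {int(m.group('day'))}",
        "time": m.group("time"),
        "src": fields.get("SRC"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def attempts_per_day(log_text, port=139, proto="TCP"):
    """Map each day to a Counter of source addresses that hit the given port/protocol."""
    per_day = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == proto and rec["dport"] == port and rec["src"]:
            per_day[rec["date"]][rec["src"]] += 1
    return per_day


def flag_surge(per_day, baseline_per_day, factor):
    """Return {day: total} for days whose total exceeds baseline_per_day * factor."""
    return {
        day: sum(counts.values())
        for day, counts in per_day.items()
        if sum(counts.values()) > baseline_per_day * factor
    }


def noisy_sources(per_day, day, min_attempts=2):
    """Sources that made at least min_attempts connection attempts on the given day."""
    return sorted(src for src, n in per_day.get(day, {}).items() if n >= min_attempts)


if __name__ == "__main__":
    per_day = attempts_per_day(SAMPLE_LOG)
    for day in sorted(per_day):
        print(day, "total TCP/139 attempts:", sum(per_day[day].values()))
    for day, total in flag_surge(per_day, baseline_per_day=1, factor=2).items():
        print("surge on", day, "->", total, "attempts from", noisy_sources(per_day, day))
```

The baseline and factor are deliberately parameters: the post's own numbers ("once in a couple months" versus 45 a day, or 2 or 3 an hour versus the surge) show that what counts as abnormal depends on the host's history, so the script should be fed the observed quiet-period rate rather than a hard-coded threshold.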

