[45709] in North American Network Operators' Group
Re: port 139 scans?
daemon@ATHENA.MIT.EDU (James Cronin)
Wed Feb 13 06:49:19 2002
Date: Wed, 13 Feb 2002 11:48:54 +0000
From: James Cronin <james@unfortu.net>
To: Jasper Wallace <jasper@ivision.co.uk>
Cc: nanog@merit.edu
Message-ID: <20020213114854.GU1297@plum.flirble.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.GSO.4.30.0202131132180.26254-100000@avengers.ivision.co.uk>
Errors-To: owner-nanog-outgoing@merit.edu
Port 139's the netbios port.
Is the source address in NTL's 80.0.0.0/13 allocation? They're
using those IPs for their broadband always on cable modem customers.
So it's either some idiot script kiddies running port scanners themselves
or unfirewalled fools who've had their Windows boxes hacked.
J.
x
> Is anyone else seing lots of packets being thrown at port 139?
>
> We're getting 5 or 6 packets a sec, mostly from 80.0.0.0/8 (and all tcp
> syn's).
>
> --
> Internet Vision Internet Consultancy Tel: 020 7589 4500
> 60 Albert Court & Web development Fax: 020 7589 4522
> Prince Consort Road vision@ivision.co.uk
> London SW7 2BE http://www.ivision.co.uk/
>
