[Snort-users] Win* machines - port 139 scans
John A. Bornt
greywolf at ...541...
Sun Oct 1 03:22:22 EDT 2000
After looking at Lance's scans I had to laugh. I had a snort box on the wire
of a company I worked for (up until three weeks ago) that was an ISP
downstream from bellsouth.net. We got the exact scans everyday from numerous
bellsouth subnets. I pasted some of the captures into an e-mail to the abuse
address and sent it off with an explanation. Their response was that they
couldn't do anything to help me without timezone information. In other
words, they didn't want to do anything.
Several of those scans turned out to be the Qaz worm. If the amount of such
scans from just one ISP is any indication, then this worm and others are
rampant and going unchecked. Any virus software with a definition file more
than two or three months old will not pick this up. Update, update!!!
----- Original Message -----
From: Lance Spitzner <>
To: James Hoagland <>
Cc: Jerry Shenk <>; <snort-users at lists.sourceforge.net>
Sent: Saturday, September 30, 2000 10:46 AM
Subject: Re: [Snort-users] Win* machines - port 139 scans
> On Fri, 29 Sep 2000, James Hoagland wrote:
> > At 9:39 PM -0400 9/28/00, Jerry Shenk wrote:
> > >There must be a lot of people with open shares on C. I got two hits
> > >evening on port 137 and one had C open and the other didn't.
> > Port 137 is used by NetBIOS for name queries. See:
> > http://www.robertgraham.com/pubs/firewall-seen.html#10
> This has definitely made my 'Scan of The Month'. I've posted the
> packet signatures on my site, including the Src systems that have
> scanned my network 168 times for these vulnerabilities (you can
> check to see if you are being hammered by the same systems).
> Actually, port 137 UDP (nbname) has been twice as popular for my
> PORT 139 TCP (nbsession): 52 scans
> PORT 137 UDP (nbname): 116 scans
> If you are intersted, you can find all the fun details at
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
More information about the Snort-users