[Snort-users] Win* machines - port 139 scans

gw gw at ...515...
Tue Sep 26 01:50:26 EDT 2000


 
>> etc. wide open.  How do you 'take over' a Win* machine?  I suppose
>> some type of Trojan in the startup file or something like that?
> 
> Could be some sorta of Share-level password bruteforcer or someone
> looming for shares with no passwords.
> 
> Just an idea.

I've been seeing these like so using ipf:

Sep 25 22:33:33 pointsman ipmon[30154]: 22:33:33.181041            
tun0 @0:37 b 207.172.166.202,1532 -> 207.172.166.68,139 PR tcp len 20
48 -S
Sep 25 22:33:36 pointsman ipmon[30154]: 22:33:36.003600            
tun0 @0:37 b 207.172.166.202,1532 -> 207.172.166.68,139 PR tcp len 20
48 -S
Sep 25 22:33:42 pointsman ipmon[30154]: 22:33:42.009585            
tun0 @0:37 b 207.172.166.202,1532 -> 207.172.166.68,139 PR tcp len 20
48 -S
Sep 25 22:33:54 pointsman ipmon[30154]: 22:33:54.033298            
tun0 @0:37 b 207.172.166.202,1532 -> 207.172.166.68,139 PR tcp len 20
48 -S        

Every time I see it the relevant source address' port 139 is wide open.

Notice that these are dialup IP addresses near my own.  The
characteristics are:  per connect, the source port never varies;
attempts are always at sub-ten-second intervals. 

This from the Network ICE page
http://advice.networkice.com/Advice/Phauna/Worm/NetBIOS/Network.VBS/defa
ult.htm:

Network.VBS: 

A worm that spreads via File and Print Sharing. 

Details The worm scans random IP addresses and
attempts to connect to drives shared under the name "C". 

Once it connects, it will attempt to write itself
into the startup folder (such as "C:\Windows\Start
Menu\Programs\Startup"). 

The next time the user reboots, the worm will be
launched on the newly infected machine, and will attempt to
find other machines. 

It's one possibility.

HTH

Greg

---
It don't mean a thing... if it ain't got that other thing.



More information about the Snort-users mailing list