[Snort-users] Win* machines - port 139 scans

Jerry Shenk jas at ...129...
Tue Sep 26 06:31:56 EDT 2000


That description is right on the money - I got another alarm yesterday and
looked in the startup directory for some kind of a Trojan and found that
network.vbs script.  I tried to look at it and my anti-virus locked me from
viewing it.  I didn't try anything more than that.

----- Original Message -----
From: "gw" <gw at ...515...>
To: "Michael Davis" <mike at ...92...>
Cc: "Snort Users" <snort-users at lists.sourceforge.net>; "Jerry Shenk"
<jas at ...129...>
Sent: Tuesday, September 26, 2000 1:50 AM
Subject: Re: [Snort-users] Win* machines - port 139 scans


>
> >> etc. wide open.  How do you 'take over' a Win* machine?  I suppose
> >> some type of Trojan in the startup file or something like that?
> >
> > Could be some sort of Share-level password bruteforcer or someone
> > looking for shares with no passwords.
> >
> > Just an idea.
>
> I've been seeing these like so using ipf:
>
> Sep 25 22:33:33 pointsman ipmon[30154]: 22:33:33.181041 tun0 @0:37 b 207.172.166.202,1532 -> 207.172.166.68,139 PR tcp len 20 48 -S
> Sep 25 22:33:36 pointsman ipmon[30154]: 22:33:36.003600 tun0 @0:37 b 207.172.166.202,1532 -> 207.172.166.68,139 PR tcp len 20 48 -S
> Sep 25 22:33:42 pointsman ipmon[30154]: 22:33:42.009585 tun0 @0:37 b 207.172.166.202,1532 -> 207.172.166.68,139 PR tcp len 20 48 -S
> Sep 25 22:33:54 pointsman ipmon[30154]: 22:33:54.033298 tun0 @0:37 b 207.172.166.202,1532 -> 207.172.166.68,139 PR tcp len 20 48 -S
>
> Every time I see it the relevant source address' port 139 is wide open.
>
> Notice that these are dialup IP addresses near my own.  The
> characteristics are:  per connect, the source port never varies;
> attempts are always at sub-ten-second intervals.
>
> This from the Network ICE page
> http://advice.networkice.com/Advice/Phauna/Worm/NetBIOS/Network.VBS/default.htm:
>
> Network.VBS:
>
> A worm that spreads via File and Print Sharing.
>
> Details: The worm scans random IP addresses and
> attempts to connect to drives shared under the name "C".
>
> Once it connects, it will attempt to write itself
> into the startup folder (such as "C:\Windows\Start
> Menu\Programs\Startup").
>
> The next time the user reboots, the worm will be
> launched on the newly infected machine, and will attempt to
> find other machines.
>
> It's one possibility.
>
> HTH
>
> Greg
>
> ---
> It don't mean a thing... if it ain't got that other thing.
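
The pattern Greg describes (repeated blocked SYNs to port 139 from a nearby dialup address, with the source port never changing between attempts) can be picked out of ipmon output mechanically. The following is an added example, not code from the thread, from the Snort project or from Greg's firewall setup: a small Python parser for ipmon log lines of the exact shape quoted above (each entry joined back onto one line), plus a detector that groups blocked TCP SYNs to port 139 by source address, source port and destination and reports any group that repeats with short gaps. The sample lines are constructed from the four entries quoted in the post plus two invented entries from a second address whose source port changes, which the detector correctly leaves alone. The `b`/`p` action field is read as ipmon's block/pass marker; timestamps are converted to seconds-of-day, so a burst straddling midnight is an assumed non-case here.

```python
import re
from collections import defaultdict

# Constructed sample: the four lines quoted in the post (unwrapped) plus two
# invented entries from another host whose source port varies. Not real data.
SAMPLE_LOG = """\
Sep 25 22:33:33 pointsman ipmon[30154]: 22:33:33.181041 tun0 @0:37 b 207.172.166.202,1532 -> 207.172.166.68,139 PR tcp len 20 48 -S
Sep 25 22:33:36 pointsman ipmon[30154]: 22:33:36.003600 tun0 @0:37 b 207.172.166.202,1532 -> 207.172.166.68,139 PR tcp len 20 48 -S
Sep 25 22:33:42 pointsman ipmon[30154]: 22:33:42.009585 tun0 @0:37 b 207.172.166.202,1532 -> 207.172.166.68,139 PR tcp len 20 48 -S
Sep 25 22:33:54 pointsman ipmon[30154]: 22:33:54.033298 tun0 @0:37 b 207.172.166.202,1532 -> 207.172.166.68,139 PR tcp len 20 48 -S
Sep 25 22:40:01 pointsman ipmon[30154]: 22:40:01.120000 tun0 @0:37 b 207.172.166.77,3001 -> 207.172.166.68,139 PR tcp len 20 48 -S
Sep 25 22:41:30 pointsman ipmon[30154]: 22:41:30.500000 tun0 @0:37 b 207.172.166.77,3002 -> 207.172.166.68,139 PR tcp len 20 48 -S
"""

# One ipmon line as quoted in the post: syslog prefix, then ipmon's own
# timestamp, interface, rule, action (b = blocked, p = passed), 4-tuple,
# protocol, header/packet lengths and TCP flags.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) ipmon\[(?P<pid>\d+)\]: (?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<iface>\S+) @(?P<rule>\S+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+) (?P<flags>-\S+)$"
)


def parse_line(line):
    """Parse one ipmon line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # Seconds since midnight from ipmon's microsecond timestamp (assumes the
    # entries being compared fall on the same day).
    h, mi, s = rec["ts"].split(":")
    rec["seconds"] = int(h) * 3600 + int(mi) * 60 + float(s)
    for key in ("pid", "sport", "dport", "hlen", "plen"):
        rec[key] = int(rec[key])
    return rec


def find_port139_probes(lines, max_gap=15.0, min_packets=3):
    """Report sources that repeatedly SYN port 139 without changing source port.

    Groups blocked TCP SYNs to port 139 by (src, sport, dst). A group of at
    least min_packets whose consecutive gaps are all <= max_gap seconds is
    reported. The post's own sample shows gaps of roughly 3, 6 and 12 s, which
    is why the default window is a little wider than "sub-ten-second".
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] != "tcp" or rec["dport"] != 139 or rec["flags"] != "-S":
            continue
        if rec["action"] != "b":
            continue
        groups[(rec["src"], rec["sport"], rec["dst"])].append(rec["seconds"])

    findings = []
    for (src, sport, dst), times in groups.items():
        times.sort()
        if len(times) < min_packets:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if max(gaps) <= max_gap:
            findings.append({
                "src": src, "sport": sport, "dst": dst,
                "packets": len(times), "gaps": gaps,
            })
    return findings


if __name__ == "__main__":
    for f in find_port139_probes(SAMPLE_LOG.splitlines()):
        print("port 139 probe: %s:%d -> %s, %d SYNs, gaps %s" % (
            f["src"], f["sport"], f["dst"], f["packets"],
            ", ".join("%.1fs" % g for g in f["gaps"])))
```

Run against a real ipmon log the same way (`find_port139_probes(open("/var/log/ipmon.log"))`), and the output is a short list of addresses worth a closer look; a source whose port changes on every attempt, like the invented 207.172.166.77 entries, is an ordinary scan or a user mis-click rather than the fixed-port retry pattern Greg points out, and is not reported.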
