[Snort-users] Win* machines - port 139 scans

DmuZ DmuZ at ...324...
Tue Sep 26 11:10:15 EDT 2000


I was getting an excessive amount of port 139 scans over the past few weeks.
In the neighborhood of 5-10 a day from external nets. That worm sounds right
on the money. All the scans were from a wide variety of IPs, and at all
different times.

Anyway I just did an input deny port 137-139 on my router.

DmuZ


----- Original Message -----
From: Jerry Shenk <jas at ...129...>
To: <snort-users at lists.sourceforge.net>
Sent: Tuesday, September 26, 2000 3:31 AM
Subject: Re: [Snort-users] Win* machines - port 139 scans


| That description is right on the money - I got another alarm yesterday and
| looked in the startup directory for some kind of a Trojan and found that
| network.vbs script.  I tried to look at it and my anti-virus locked me from
| viewing it.  I didn't try anything more than that.
|
| ----- Original Message -----
| From: "gw" <gw at ...515...>
| To: "Michael Davis" <mike at ...92...>
| Cc: "Snort Users" <snort-users at lists.sourceforge.net>; "Jerry Shenk"
| <jas at ...129...>
| Sent: Tuesday, September 26, 2000 1:50 AM
| Subject: Re: [Snort-users] Win* machines - port 139 scans
|
|
| >
| > >> etc. wide open.  How do you 'take over' a Win* machine?  I suppose
| > >> some type of Trojan in the startup file or something like that?
| > >
| > > Could be some sort of share-level password bruteforcer or someone
| > > looking for shares with no passwords.
| > >
| > > Just an idea.
| >
| > I've been seeing these like so using ipf:
| >
| > Sep 25 22:33:33 pointsman ipmon[30154]: 22:33:33.181041 tun0 @0:37 b 207.172.166.202,1532 -> 207.172.166.68,139 PR tcp len 20 48 -S
| > Sep 25 22:33:36 pointsman ipmon[30154]: 22:33:36.003600 tun0 @0:37 b 207.172.166.202,1532 -> 207.172.166.68,139 PR tcp len 20 48 -S
| > Sep 25 22:33:42 pointsman ipmon[30154]: 22:33:42.009585 tun0 @0:37 b 207.172.166.202,1532 -> 207.172.166.68,139 PR tcp len 20 48 -S
| > Sep 25 22:33:54 pointsman ipmon[30154]: 22:33:54.033298 tun0 @0:37 b 207.172.166.202,1532 -> 207.172.166.68,139 PR tcp len 20 48 -S
| >
| > Every time I see it the relevant source address' port 139 is wide open.
| >
| > Notice that these are dialup IP addresses near my own.  The
| > characteristics are:  per connect, the source port never varies;
| > attempts are always at sub-ten-second intervals.
| >
| > This from the Network ICE page
| > http://advice.networkice.com/Advice/Phauna/Worm/NetBIOS/Network.VBS/default.htm:
| >
| > Network.VBS:
| >
| > A worm that spreads via File and Print Sharing.
| >
| > Details The worm scans random IP addresses and
| > attempts to connect to drives shared under the name "C".
| >
| > Once it connects, it will attempt to write itself
| > into the startup folder (such as "C:\Windows\Start
| > Menu\Programs\Startup").
| >
| > The next time the user reboots, the worm will be
| > launched on the newly infected machine, and will attempt to
| > find other machines.
| >
| > It's one possibility.
| >
| > HTH
| >
| > Greg
| >
| > ---
| > It don't mean a thing... if it ain't got that other thing.
|
| _______________________________________________
| Snort-users mailing list
| Snort-users at lists.sourceforge.net
| http://lists.sourceforge.net/mailman/listinfo/snort-users
|
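The ipmon entries Greg quotes above carry the whole signature he describes: blocked ("b") bare SYNs to tcp/139, one source address, and a source port that never changes. The script below is an added example written for this thread, not code from the list or from IP Filter or Snort. It parses ipmon lines, groups SYNs to port 139 by (source address, source port, destination) and reports the groups that repeat within a short window. Keying on the source port is what separates one connect() call being retried by the sender's TCP stack from a tool opening fresh connections: in the four quoted lines the gaps are about 3, 6 and 12 seconds, i.e. doubling, which is what SYN retransmission backoff looks like. The sample log is constructed: the first four lines are the quoted ones re-joined, the 192.0.2.10 lines are made-up controls (a probe whose source port changes, and an unrelated packet to tcp/80), and the thresholds (three attempts, 60-second window, backoff ratio 1.5 to 2.5) are this example's own choices.

```python
"""Flag the Network.VBS-style probe pattern in IP Filter (ipmon) logs:
repeated bare SYNs to tcp/139 from one source address *and* one source port
within a short window.  Example code for this thread, not IP Filter's own."""
import re
from collections import defaultdict

# Constructed sample log: the four lines quoted in the thread, re-joined onto
# one line each, plus three control lines invented for this example
# (192.0.2.10 is documentation address space): two probes whose source port
# changes between attempts, and an unrelated blocked packet to tcp/80.
SAMPLE_LOG = """\
Sep 25 22:33:33 pointsman ipmon[30154]: 22:33:33.181041 tun0 @0:37 b 207.172.166.202,1532 -> 207.172.166.68,139 PR tcp len 20 48 -S
Sep 25 22:33:36 pointsman ipmon[30154]: 22:33:36.003600 tun0 @0:37 b 207.172.166.202,1532 -> 207.172.166.68,139 PR tcp len 20 48 -S
Sep 25 22:33:42 pointsman ipmon[30154]: 22:33:42.009585 tun0 @0:37 b 207.172.166.202,1532 -> 207.172.166.68,139 PR tcp len 20 48 -S
Sep 25 22:33:54 pointsman ipmon[30154]: 22:33:54.033298 tun0 @0:37 b 207.172.166.202,1532 -> 207.172.166.68,139 PR tcp len 20 48 -S
Sep 25 22:40:01 pointsman ipmon[30154]: 22:40:01.100000 tun0 @0:37 b 192.0.2.10,1033 -> 207.172.166.68,139 PR tcp len 20 48 -S
Sep 25 22:40:05 pointsman ipmon[30154]: 22:40:05.200000 tun0 @0:37 b 192.0.2.10,1034 -> 207.172.166.68,139 PR tcp len 20 48 -S
Sep 25 22:41:00 pointsman ipmon[30154]: 22:41:00.000000 tun0 @0:37 b 192.0.2.10,1035 -> 207.172.166.68,80 PR tcp len 20 48 -S
"""

# One ipmon line, as far as this example needs it: the high-resolution
# timestamp, interface, rule reference, action (b = blocked, p = passed),
# the 5-tuple and the TCP flags.  The syslog date/host/pid prefix is matched
# but ignored.
IPMON_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ ipmon\[\d+\]: "
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @\S+ (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+(?: (?P<flags>-\S+))?"
)


def _seconds(ts):
    """'22:33:33.181041' -> seconds since midnight, as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_ipmon(log_text):
    """Yield one dict per line that matches IPMON_RE; skip everything else."""
    for line in log_text.splitlines():
        m = IPMON_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["t"] = _seconds(rec["ts"])
            yield rec


def find_netbios_probes(log_text, min_attempts=3, window=60.0):
    """Return one report per (src, sport, dst) that sent at least
    `min_attempts` bare SYNs to tcp/139 inside `window` seconds.

    Bucketing on the source port is the point: a sender that calls connect()
    once and lets its TCP stack retransmit keeps one source port, and the
    retransmit gaps roughly double (3 s, 6 s, 12 s ...).  Separate connect()
    calls, as in the control lines, get fresh ephemeral ports, land in
    separate buckets and are not counted together."""
    buckets = defaultdict(list)
    for rec in parse_ipmon(log_text):
        if rec["proto"] == "tcp" and rec["dport"] == "139" and rec["flags"] == "-S":
            buckets[(rec["src"], rec["sport"], rec["dst"])].append(rec["t"])

    reports = []
    for (src, sport, dst), times in sorted(buckets.items()):
        times.sort()
        if len(times) < min_attempts or times[-1] - times[0] > window:
            continue
        gaps = [round(b - a, 1) for a, b in zip(times, times[1:])]
        # Consecutive gaps that roughly double mark SYN retransmission of a
        # single connection attempt rather than a tool hammering the port.
        backoff = all(1.5 <= b / a <= 2.5 for a, b in zip(gaps, gaps[1:]) if a > 0)
        reports.append({
            "src": src, "sport": int(sport), "dst": dst,
            "attempts": len(times), "span": round(times[-1] - times[0], 1),
            "gaps": gaps, "retransmit_backoff": backoff,
        })
    return reports


if __name__ == "__main__":
    for r in find_netbios_probes(SAMPLE_LOG):
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:139  "
              f"{r['attempts']} SYNs in {r['span']} s, gaps {r['gaps']}, "
              f"retransmit backoff: {r['retransmit_backoff']}")
```

Run against the sample it reports only 207.172.166.202:1532, four SYNs in about 21 seconds with doubling gaps; the two 192.0.2.10 probes are one attempt each on different source ports and stay below the threshold, and the port-80 line is never considered. Whether the reporting address itself has 139 open, the other half of Greg's observation, is not something a log parser can tell you offline; that is a follow-up check against the source address.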
