[Snort-users] Win* machines - port 139 scans

Kevin Bogac kevin at ...150...
Tue Sep 26 18:58:14 EDT 2000

We've got a rash of funlove viruses running around the internal 
network and they're showing up as loads of netbios port scans. I 
guess the virus scans for other boxes with shares so it can spread. 
You could be seeing the same thing.

On 25 Sep 2000, at 21:39, Jerry Shenk wrote:

> I've been getting a TON of scans on port 139 for the past week....port
> 139's been fairly high for awhile but in the last week, it's probably
> doubled or trippled.  I've taken to spot-checking these machines and
> the ones I've checked have all been win* machines and they've all had
> shares and printers, etc. wide open.  How do you 'take over' a Win*
> machine?  I suppose some type of Trojan in the startup file or
> something like that?
> Have other people been seeing this also?
> --------------------------------------------------------------
> Jerry A. Shenk - MCNE, GIAC certified intrusion analyst
> Sr. Systems Engineer - Computer Networking Services
> D&E Communications, Inc.
> jshenk at ...514... (also jas at ...129...)
> 1-877-433-8632 Fax via efax: (603) 250-1453
> my website: http://jerryslinux.dyndns.org/jas

More information about the Snort-users mailing list