[Snort-users] Win* machines - port 139 scans

Andrew Daviel andrew at ...523...
Thu Sep 28 14:46:08 EDT 2000

On Tue, 26 Sep 2000, Kevin Bogac wrote:

> We've got a rash of funlove viruses running around the internal 
> network and they're showing up as loads of netbios port scans. I 
> guess the virus scans for other boxes with shares so it can spread. 
> You could be seeing the same thing.
> On 25 Sep 2000, at 21:39, Jerry Shenk wrote:
> > I've been getting a TON of scans on port 139 for the past week....port
> > 139's been fairly high for awhile but in the last week, it's probably

I've seen lots of port 137 scans - 254 addresses from a class C,
source port 137 dest port 137 - which I attribute to 
Recently someone told me about a QAZ virus that also listens on
port 7597 and uses Windows shares to spread



Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at ...524...
PGP ID 0xC7624B49

More information about the Snort-users mailing list