[Snort-users] Win* machines - port 139 scans
jas at ...129...
Thu Sep 28 21:39:05 EDT 2000
There must be a lot of people with open shares on C. I got two hits this
evening on port 137 and one had C open and the other didn't.
----- Original Message -----
From: "Andrew Daviel" <andrew at ...523...>
To: <snort-users at lists.sourceforge.net>
Sent: Thursday, September 28, 2000 2:46 PM
Subject: Re: [Snort-users] Win* machines - port 139 scans
> On Tue, 26 Sep 2000, Kevin Bogac wrote:
> > We've got a rash of funlove viruses running around the internal
> > network and they're showing up as loads of netbios port scans. I
> > guess the virus scans for other boxes with shares so it can spread.
> > You could be seeing the same thing.
> > On 25 Sep 2000, at 21:39, Jerry Shenk wrote:
> > > I've been getting a TON of scans on port 139 for the past week....port
> > > 139's been fairly high for awhile but in the last week, it's probably
> I've seen lots of port 137 scans - 254 addresses from a class C,
> source port 137 dest port 137 - which I attribute to
> Recently someone told me about a QAZ virus that also listens on
> port 7597 and uses Windows shares to spread
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376
> security at ...524...
> PGP ID 0xC7624B49
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
More information about the Snort-users