[Snort-users] Win* machines - port 139 scans

Jerry Shenk jas at ...129...
Thu Sep 28 21:39:05 EDT 2000


There must be a lot of people with open shares on C.  I got two hits this
evening on port 137 and one had C open and the other didn't.

----- Original Message -----
From: "Andrew Daviel" <andrew at ...523...>
To: <snort-users at lists.sourceforge.net>
Sent: Thursday, September 28, 2000 2:46 PM
Subject: Re: [Snort-users] Win* machines - port 139 scans


> On Tue, 26 Sep 2000, Kevin Bogac wrote:
>
> > We've got a rash of funlove viruses running around the internal
> > network and they're showing up as loads of netbios port scans. I
> > guess the virus scans for other boxes with shares so it can spread.
> > You could be seeing the same thing.
> >
> > On 25 Sep 2000, at 21:39, Jerry Shenk wrote:
> >
> > > I've been getting a TON of scans on port 139 for the past week....port
> > > 139's been fairly high for awhile but in the last week, it's probably
>
> I've seen lots of port 137 scans - 254 addresses from a class C,
> source port 137 dest port 137 - which I attribute to
> VBS/Netlog.worm.a
> Recently someone told me about a QAZ virus that also listens on
> port 7597 and uses Windows shares to spread
>
> http://www.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html
> http://security.sdsc.edu/publications/network.vbs.shtml
> http://vil.nai.com/villib/dispvirus.asp?virus_k=98477
>
> etc.
>
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376
> security at ...524...
> PGP ID 0xC7624B49
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users




More information about the Snort-users mailing list