[Snort-users] Win* machines - port 139 scans
hoagland at ...47...
Fri Sep 29 11:57:48 EDT 2000
At 9:39 PM -0400 9/28/00, Jerry Shenk wrote:
>There must be a lot of people with open shares on C. I got two hits this
>evening on port 137 and one had C open and the other didn't.

Port 137 is used by NetBIOS for name queries. See:

Port 139 is NetBIOS file and print sharing. For the last couple of
weeks there has been lots of scanning going on for this. It is
caused by one of several worms (including the notepad worm). What
you might notice is that the IP address is close to that of the
network scanned. What one of the worms does when it infects a host
is start scanning the network for port 139, starting with the IP
address for the host. We have also been seeing scans from IP
addresses just above that of ours too.

The scan is slow enough (say, a half hour to scan a class C) to avoid
setting off the portscan detector, but we have been picking it up
with Spade. Even if you don't use Spade, you can add a rule to look
for port 139 traffic, at least in the outbound direction (which, if
you see scans, would indicate that you have been infected). The scan
of your network is probably mostly harmless unless you get infected
(and this probably has happened already if you are infectable).

|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* hoagland at ...47... *|
|* Voice: (707) 445-4355 x13 Fax: (707) 445-4222 *|
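
An added example, not part of the original message and neither Spade nor a Snort rule: a long-window count of distinct port 139 destinations per source, which catches a sweep spread over half an hour and marks sweeps from local addresses as outbound. The log format, addresses, window and threshold are assumptions constructed for the illustration.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.1.2.0/24")  # assumption: the monitored class C
WINDOW = 3600      # seconds; longer than a half-hour sweep of a class C
MIN_TARGETS = 20   # distinct port-139 destinations that count as a sweep

def find_sweeps(lines, window=WINDOW, min_targets=MIN_TARGETS):
    """Map each sweeping source to (direction, most distinct targets in a window).

    Assumed log format, one connection attempt per line:
    '<epoch-seconds> <src-ip> <dst-ip> <dst-port>'.
    """
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = line.split()
        if dport == "139":
            events[src].append((int(ts), dst))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        seen, start, best = Counter(), 0, 0
        for ts, dst in evs:
            seen[dst] += 1
            while evs[start][0] < ts - window:   # expire probes older than the window
                old = evs[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            best = max(best, len(seen))
        if best >= min_targets:
            # A local source sweeping port 139 is the sign of an infected host.
            direction = "outbound" if ip_address(src) in HOME_NET else "inbound"
            hits[src] = (direction, best)
    return hits

def sample_log():
    """Constructed traffic: one probe every 7 s, so a class C takes about half an hour."""
    log = [f"{1000 + 7 * i} 10.1.3.77 10.1.2.{i + 1} 139" for i in range(254)]  # neighbour sweeping us
    log += [f"{1000 + 7 * i} 10.1.2.50 10.1.3.{i + 1} 139" for i in range(40)]  # infected local host
    log += [f"{1000 + 60 * i} 10.1.2.9 10.1.2.5 139" for i in range(30)]        # normal file-server use
    log += [f"{1000 + i} 10.1.2.9 198.51.100.{i + 1} 80" for i in range(30)]    # other ports ignored
    return log

if __name__ == "__main__":
    for src, (direction, n) in sorted(find_sweeps(sample_log()).items()):
        print(f"{direction:8} port-139 sweep from {src}: {n} hosts within {WINDOW} s")
```

With the window cut to 70 seconds the same traffic never shows more than 11 distinct targets per source, so neither sweep is reported.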