[Snort-users] Win* machines - port 139 scans

James Hoagland hoagland at ...47...
Fri Sep 29 11:57:48 EDT 2000


At 9:39 PM -0400 9/28/00, Jerry Shenk wrote:
>There must be a lot of people with open shares on C.  I got two hits this
>evening on port 137 and one had C open and the other didn't.

Port 137 is used by NetBIOS for name queries.  See:

   http://www.robertgraham.com/pubs/firewall-seen.html#10


Port 139 is NetBIOS file and print sharing.  For the last couple of 
weeks there has been a lot of scanning going on for this.  It is 
caused by one of several worms (including the notepad worm).  What 
you might notice is that the IP address is close to that of the 
network scanned.  What one of the worms does when it infects a host 
is start scanning the network for port 139, starting with the IP 
address of the host.  We have also been seeing scans from IP 
addresses just above that of ours.

The scan is slow enough (say, a half hour to scan a class C) to avoid 
setting off the portscan detector, but we have been picking it up 
with Spade.  Even if you don't use Spade, you can add a rule to look 
for port 139 traffic, at least in the outbound direction (which, if 
you see scans, would indicate that you have been infected).  The scan 
of your network is probably mostly harmless unless you get infected 
(and this probably has happened already if you are infectable).

Regards,

   Jim
-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*  Voice: (707) 445-4355 x13          Fax: (707) 445-4222  *|
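The two checks Jim describes, a long-window count of distinct port-139 targets per source (the thing a rate-based portscan detector misses) and a rule-style alert on outbound tcp/139 from your own network, as an added example that is not part of the original post and is not code from Snort or Spade. It assumes a simple one-connection-per-line log format, uses TEST-NET addresses as a stand-in HOME_NET, picks the thresholds (8 targets within an hour, "near own address" meaning within two addresses) arbitrarily, and carries a Snort 1.x-style rule string whose exact syntax is an assumption rather than something the post gives:

```python
"""Slow NetBIOS (tcp/139) sweep detector over constructed connection records.

Added example; not code from the original post, Snort or Spade.  Log format,
HOME_NET, thresholds and the rule text below are all assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

HOME_NET = ipaddress.ip_network("192.0.2.0/24")   # assumption: our own network
NETBIOS_SSN = 139

# Assumed log format, one connection attempt per line: "<date> <time> src:sport -> dst:dport"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Snort 1.x-style rule for the outbound check the post suggests (assumed syntax,
# not from the post): alert on any SYN from HOME_NET to tcp/139 anywhere else.
OUTBOUND_139_RULE = (
    'alert tcp $HOME_NET any -> !$HOME_NET 139 '
    '(msg:"Outbound NetBIOS session attempt - possible worm infection"; flags:S;)'
)


def parse_log(lines):
    """Turn log lines into (timestamp, src, dst, dport) tuples; skip malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((
            datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            ipaddress.ip_address(m["src"]),
            ipaddress.ip_address(m["dst"]),
            int(m["dport"]),
        ))
    return events


def slow_sweeps(events, port=NETBIOS_SSN, min_targets=8, window=timedelta(hours=1)):
    """Sources that reach >= min_targets distinct hosts on `port` within `window`.

    A rate-based portscan detector keys on many targets in a few seconds; a worm
    that takes half an hour per class C never trips it.  Counting distinct
    targets over a long window catches it regardless of rate.  The result also
    records whether the nearest target sits within two addresses of the scanner,
    the "starts at its own address" pattern the post describes.
    """
    first_seen = defaultdict(dict)             # src -> {dst: first timestamp}
    for ts, src, dst, dport in sorted(events, key=lambda e: e[0]):
        if dport == port:
            first_seen[src].setdefault(dst, ts)
    findings = {}
    for src, targets in first_seen.items():
        if len(targets) < min_targets:
            continue
        times = sorted(targets.values())
        # Any min_targets consecutive first-contacts inside `window` is a sweep.
        hit = any(times[i + min_targets - 1] - times[i] <= window
                  for i in range(len(times) - min_targets + 1))
        if not hit:
            continue
        findings[str(src)] = {
            "targets": len(targets),
            "span_seconds": int((times[-1] - times[0]).total_seconds()),
            "near_own_address": min(abs(int(d) - int(src)) for d in targets) <= 2,
        }
    return findings


def outbound_139(events, home_net=HOME_NET):
    """(src, dst) pairs where a HOME_NET host tried tcp/139 on an outside host.

    This is the rule-level check: an infected host keeps sweeping past its own
    network, so outbound 139 from inside is the infection indicator.
    """
    return sorted({(str(s), str(d)) for _, s, d, p in events
                   if p == NETBIOS_SSN and s in home_net and d not in home_net})


# Constructed sample, not real captures: one legitimate SMB session, a worm-style
# sweep of 12 hosts over ~28 minutes starting just above the scanner's own
# address, an outbound tcp/139 attempt from the same host, unrelated web traffic,
# and one malformed line the parser must skip.
SAMPLE_LOG = [
    "2000-09-28 20:55:12 192.0.2.50:1033 -> 192.0.2.1:139",
] + [
    "2000-09-28 21:{:02d}:{:02d} 192.0.2.10:{} -> 192.0.2.{}:139".format(
        (i * 150) // 60, (i * 150) % 60, 1100 + i, 11 + i)
    for i in range(12)
] + [
    "2000-09-28 21:40:00 192.0.2.10:1200 -> 198.51.100.7:139",
    "2000-09-28 21:41:00 192.0.2.20:1300 -> 198.51.100.8:80",
    "not a connection record",
]

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("slow sweeps:", slow_sweeps(ev))
    print("outbound 139:", outbound_139(ev))
    print("rule:", OUTBOUND_139_RULE)
```

On the sample the sweep from 192.0.2.10 touches 13 distinct hosts over 40 minutes, far too slow for a seconds-scale portscan threshold but obvious over a one-hour window, and the same host shows up once in the outbound list, which is the finding that actually matters: the internal sweep means a neighbour is scanning you, the outbound attempt means you are the neighbour.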
