[Snort-users] Win* machines - port 139 scans

Lance Spitzner lance at ...185...
Sat Sep 30 11:46:59 EDT 2000


On Fri, 29 Sep 2000, James Hoagland wrote:

> At 9:39 PM -0400 9/28/00, Jerry Shenk wrote:
> >There must be a lot of people with open shares on C.  I got two hits this
> >evening on port 137 and one had C open and the other didn't.
> 
> Port 137 is used by NetBIOS for name queries.  See:
> 
>    http://www.robertgraham.com/pubs/firewall-seen.html#10

This has definitely made my 'Scan of The Month'.  I've posted the 
packet signatures on my site, including the Src systems that have
scanned my network 168 times for these vulnerabilities (you can
check to see if you are being hammered by the same systems).

Actually, port 137 UDP (nbname) has been twice as popular for my
site.

PORT 139 TCP (nbsession): 52 scans
PORT 137 UDP (nbname):    116 scans


If you are interested, you can find all the fun details at
http://www.enteract.com/~lspitz

lance



