North American Network Operators Group


Re: Port 139 scans

  • From: Ben Browning
  • Date: Wed Sep 27 14:38:14 2000


At 01:14 PM 9/27/00 -0400, Bill Becker wrote:

>Speaking of the internet and the way it operates, is anyone
>else seeing a large number of random hosts scanning through
>their address space using TCP on port 139?

I get about 4 or 5 of these a day on my home boxen and I receive 5-10 times that many abuse complaints regarding this activity.

My current suspicion is that a backdoor trojan (pause here to decline the port 139 attempt that just zipped by me) is on the loose and being propagated like mad. This would certainly fit with the rumour of a huge DDoS attack in the works, as [email protected] l33t [email protected] get as many machines as possible compromised and ready to help the attack.

I have noticed that the large majority of these scans from my address space (216.39.128.0 - 216.39.192.255) are targeted at others in the 216.39.* and 216.40.* blocks. Also, all of the computers in question seem to be Win9x boxes. Coincidence? I think not. Perhaps this is a new virus afoot that replicates itself by hunting through an IP block and the ones above and below it for an open Windows share. That would make sense, given the data I have thus far.

CERT has an advisory up (http://www.cert.org/vul_notes/VN-2000-03.html) about NetBIOS DoS attacks, but these don't seem to be hosing networks, just kind of feeling around.

If anyone else has more info, please share it!
---
Ben Browning <[email protected]>
oz.net Network Operations
Tel (206) 443-8000 Fax (206) 443-0500
http://www.oz.net/
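
An added example, not part of the original post: one way to test the pattern described above against your own firewall or flow logs, by listing each source that probes TCP port 139 and measuring how many of its targets fall in the source's own /16 or the /16 directly above or below it. The log line format, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log lines, not real traffic.
# Assumed line format: "<src> -> <dst>:<port> <proto>"
SAMPLE_LOG = """\
216.39.130.7 -> 216.39.201.14:139 tcp
216.39.130.7 -> 216.40.3.99:139 tcp
216.39.130.7 -> 216.38.77.5:139 tcp
216.39.130.7 -> 216.39.12.200:139 tcp
216.39.145.20 -> 198.51.100.9:80 tcp
216.39.145.20 -> 216.39.145.1:139 tcp
216.39.160.3 -> 203.0.113.40:139 tcp
216.39.160.3 -> 192.0.2.17:139 tcp
216.39.160.3 -> 198.51.100.200:139 tcp
"""

def slash16(ip):
    """Return the top 16 bits of an IPv4 address as an integer (its /16 index)."""
    return int(ipaddress.IPv4Address(ip)) >> 16

def summarize(log_text, port=139, min_targets=3):
    """Per source: distinct targets on `port`, and how many sit in the same or an adjacent /16."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "->" or parts[3] != "tcp":
            continue  # skip lines that do not match the assumed format
        dst, _, dport = parts[2].rpartition(":")
        if dport != str(port):
            continue
        try:
            slash16(parts[0]), slash16(dst)  # validate both addresses
        except ValueError:
            continue
        targets[parts[0]].add(dst)
    report = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue  # a single connection attempt is not a scan
        near = sum(1 for d in dsts if abs(slash16(d) - slash16(src)) <= 1)
        report[src] = {"targets": len(dsts), "near": near, "near_ratio": near / len(dsts)}
    return report

if __name__ == "__main__":
    for src, row in sorted(summarize(SAMPLE_LOG).items()):
        print(src, row)
```

A near_ratio close to 1.0 across many sources is consistent with neighbour-block hunting; a ratio near 0 points to scanning that is not tied to the source's own address range.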