North American Network Operators Group


Re: Port 139 scans

  • From: Jason Slagle
  • Date: Wed Sep 27 14:49:05 2000

Partially correct.

It's a worm.

Windows likes to share drives with no passwords.  This worm just logs into
those shares, and copies itself into like autoexec.bat.  Next boot it
infects your system.

On a somewhat related note, since we obviously have AOL people living and
they now own ICQ. has been used for weeks for these kiddies
to store various ddos clients on.  Take a look at #0wned.  All compromised
machines.  There are no live opers to deal with it, and emails to
[email protected] go unanswered.

Is there any way we can deal with things like this?


Jason Slagle - CCNA - CCDA
Network Administrator - Toledo Internet Access - Toledo Ohio
- [email protected] - [email protected] - WHOIS JS10172

On Wed, 27 Sep 2000, Ben Browning wrote:

> I get about 4 or 5 of these a day on my home boxen and I receive 5-10 times
> that many abuse complaints regarding this activity.
> My current suspicion is that a backdoor trojan (pause here to decline the
> port 139 attempt that just zipped by me) is on the loose and being
> propagated like mad. This would certainly fit with the rumour of a huge
> DDoS attack in the works, as [email protected] l33t [email protected] get as many machines as
> possible compromised and ready to help the attack.
> I have noticed that the large majority of these scans from my address space
> ( - are targeted at others in the 216.39.* and
> 216.40.* blocks. Also, all of the computers in question seem to be Win9x
> boxes. Coincidence? I think not. Perhaps this is a new virus afoot that
> replicates itself by hunting through an IP block and the ones above and
> below it for an open Windows share. That would make sense, given the data I
> have thus far.
> CERT has an advisory up (
> about NetBIOS DoS attacks, but these don't seem to be hosing networks, just
> kind of feeling around.