North American Network Operators Group

Re: Port 139 scans
Dana Hudes wrote:
>
> Yes but in the past few days activity has stepped up tremendously.
> Where my webserver, which uses Samba to communicate with my local
> desktop win98 machine (the latter is client, no shares exported)
> used to get once in a couple months an attempt on port 139 now I
> have 45 / day.

I also use Concentric. I have seen a huge upsurge in 139 scans, and whenever I connect to the magic port (7597) for curiosity's sake, I get the prompt that shows it's infected. It isn't your imagination.

Before someone comments on the fact that these are natural, I will state that I log everything, all the time, and the upswing has been recent, and dramatic. From a natural 2 or 3 an hour, I have seen it surge to

> Furthermore, they're overwhelmingly from customers of my upstream --
> Concentric. A handful from @home and others. I reported this to
> Concentric with the log.smb file in the message. No response 3 days
> later.

I am wondering which address you mailed this to. I am aware that there is at least one person from Concentric (or Nextlink) that reads this list, so that may help.

I've engaged portsentry, specifically looking for those machines that I see that are infected with a variant of the notepad trojan (and thanks to ken lindahl for posting that link to NAI, so that I didn't have to go guessing for which port was the magic one).

I will be emailing Concentric later this evening, with a list of machines that I have verified as containing the trojan. I usually have good response from them, but haven't really tried an email since they combined with Nextlink.

.shrdlu

--
Modems connected to LANs are your friend. -kmart