Security Incidents mailing list archives

RE: TCP port 139 probes
From: "Dan Irwin" <dan () jackies com au>
Date: Wed, 10 Jul 2002 09:20:34 +1000

I noticed an increase in SMB scanning last week, with a lot of machines
on Asian or US cable/DSL networks probing networks here.

At least one of these machines appeared to be insecure and I could
enumerate shares etc. with smbclient -L.

According to my logs, before July 1 2002, we had 4 NetBIOS probes (this
machine was only installed in mid June).

On July 1 we received around 70 probes, approx. 68 on July 4, and 75
probes so far today. Other days vary a lot.

Infected machines appear to be scanning large IP address ranges. These
machines are scanning every address on our /28 net. (Logs below.)

Perhaps a new worm targeting insecure Windows machines?

Dan.

<snip>
Jul 10 09:12:37 xxxxx kernel: fwreject IN=ppp0 OUT=eth0 SRC=67.225.115.84 DST=x.x.x.119 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=38950 DF PROTO=TCP SPT=21595 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 10 09:12:37 xxxxx kernel: fwreject IN=ppp0 OUT= MAC= SRC=67.225.115.84 DST=x.x.x.127 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=39206 DF PROTO=TCP SPT=21569 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 10 09:12:39 xxxxx kernel: fwreject IN=ppp0 OUT=eth0 SRC=67.225.115.84 DST=x.x.x.120 LEN=48 TOS=0x00 PREC=0x00 TTL=104 ID=39974 DF PROTO=TCP SPT=21317 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 10 09:12:40 xxxxx kernel: fwreject IN=ppp0 OUT=eth0 SRC=67.225.115.84 DST=x.x.x.121 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=40998 DF PROTO=TCP SPT=21539 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 10 09:12:42 xxxxx kernel: fwreject IN=ppp0 OUT=eth0 SRC=67.225.115.84 DST=x.x.x.122 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=42022 DF PROTO=TCP SPT=21554 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 10 09:12:43 xxxxx kernel: fwreject IN=ppp0 OUT=eth0 SRC=67.225.115.84 DST=x.x.x.123 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=43046 DF PROTO=TCP SPT=21561 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 10 09:12:45 xxxxx kernel: fwreject IN=ppp0 OUT=eth0 SRC=67.225.115.84 DST=x.x.x.124 LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=44070 DF PROTO=TCP SPT=21596 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 10 09:12:46 xxxxx kernel: fwreject IN=ppp0 OUT=eth0 SRC=67.225.115.84 DST=x.x.x.125 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=45094 DF PROTO=TCP SPT=21599 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 10 09:12:48 xxxxx kernel: fwreject IN=ppp0 OUT= MAC= SRC=67.225.115.84 DST=x.x.x.126 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=46118 DF PROTO=TCP SPT=21488 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 10 09:12:49 xxxxx kernel: fwreject IN=ppp0 OUT= MAC= SRC=67.225.115.84 DST=x.x.x.127 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=47142 DF PROTO=TCP SPT=21569 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
<snip>

--
Dan Irwin - Systems Administrator
Jackie's Wholesale Nurseries Pty Ltd
Email: dan () jackies com au
Phone: 07 3888 2481
Fax: 07 3888 2530
Postal: 10 Gleeson Road Burpengary Queensland 4505
Email: info () jackies com au
Web: http://www.jackies.com.au


-----Original Message-----
From: Pavel Kankovsky [mailto:peak () argo troja mff cuni cz]
Sent: Wednesday, 10 July 2002 6:22 AM
To: incidents () securityfocus com
Subject: TCP port 139 probes


I have detected a noticeable increase in (blocked) attempts to connect
to TCP port 139 on machines in our network. Look at these numbers
(number of blocked packets per day):

      1 Jun 10
      5 Jun 11
     13 Jun 12
     15 Jun 13
      3 Jun 15
      3 Jun 16
      4 Jun 17
     13 Jun 18
     18 Jun 19
     16 Jun 20
     15 Jun 21
      4 Jun 22
      2 Jun 23
     23 Jun 24
     18 Jun 25
     44 Jun 26
     95 Jun 27
    112 Jun 28
     84 Jun 29
     53 Jun 30
    130 Jul  1
    191 Jul  2
    227 Jul  3
    235 Jul  4
    226 Jul  5
    185 Jul  6
    167 Jul  7
    350 Jul  8
    199 Jul  9

These probes are not (ordinary) scans but isolated attempts by seemingly
random remote IP addresses to open connections to seemingly random local
IP addresses. In many cases, the destination is an unused address.

This is very suspicious.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
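A small parser and two checks for the firewall log format in this thread, added here as an example (it is not code from either message). It reads netfilter LOG lines like the fwreject entries above, counts blocked port-139 packets per day as in Pavel's table, and flags a single source that walks many local addresses, the /28 sweep Dan describes. The sample lines, hostname and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same syslog/netfilter LOG layout as the fwreject lines in the
# post; hostname and addresses are made up (documentation ranges), not the report's values.
SAMPLE_LOG = """\
Jul 10 09:12:37 gw kernel: fwreject IN=ppp0 OUT=eth0 SRC=203.0.113.84 DST=192.0.2.119 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=38950 DF PROTO=TCP SPT=21595 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 10 09:12:39 gw kernel: fwreject IN=ppp0 OUT=eth0 SRC=203.0.113.84 DST=192.0.2.120 LEN=48 TOS=0x00 PREC=0x00 TTL=104 ID=39974 DF PROTO=TCP SPT=21317 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 10 09:12:40 gw kernel: fwreject IN=ppp0 OUT=eth0 SRC=203.0.113.84 DST=192.0.2.121 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=40998 DF PROTO=TCP SPT=21539 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 10 09:12:42 gw kernel: fwreject IN=ppp0 OUT= MAC= SRC=203.0.113.84 DST=192.0.2.122 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=42022 DF PROTO=TCP SPT=21554 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 10 11:02:05 gw kernel: fwreject IN=ppp0 OUT=eth0 SRC=198.51.100.7 DST=192.0.2.126 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1207 DF PROTO=TCP SPT=3066 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 10 11:40:11 gw kernel: fwreject IN=ppp0 OUT=eth0 SRC=198.51.100.9 DST=192.0.2.120 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40022 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  9 23:58:01 gw kernel: fwreject IN=ppp0 OUT=eth0 SRC=198.51.100.7 DST=192.0.2.121 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1100 DF PROTO=TCP SPT=3001 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 10 12:00:00 gw sshd[412]: Accepted publickey for admin from 192.0.2.5 port 51112 ssh2
"""
LINES = SAMPLE_LOG.splitlines()

# Only the fields needed here: syslog date, LOG prefix, SRC/DST, PROTO and (for TCP/UDP) ports.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ kernel: (?P<prefix>\S+) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def parse_line(line):
    """Fields of one firewall LOG entry, or None for any other syslog line (e.g. sshd)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"day": f"{m.group('mon')} {int(m.group('day')):2d}",  # "Jul  9", as in the table
            "src": m.group("src"), "dst": m.group("dst"), "proto": m.group("proto"),
            "dpt": int(m.group("dpt")) if m.group("dpt") else None}

def tcp_probes(lines, port):
    """Parsed entries that are blocked TCP packets to `port`; everything else is skipped."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dpt"] == port:
            yield rec

def probes_per_day(lines, port=139):
    """Blocked packets to `port` per day: the same per-day table as the original report."""
    return dict(Counter(rec["day"] for rec in tcp_probes(lines, port)))

def sweeping_sources(lines, port=139, min_targets=4):
    """Sources that hit at least `min_targets` distinct local addresses on `port`.
    One source walking consecutive addresses is the /28 sweep described in the reply."""
    targets = defaultdict(set)
    for rec in tcp_probes(lines, port):
        targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}
```

Feed it the output of `grep fwreject /var/log/messages` (or the equivalent LOG prefix on your gateway) to reproduce both views over real data.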


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



