Security Incidents mailing list archives

RE: Recent Increase in Port 139 Activity


From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Fri, 7 Sep 2001 17:22:42 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-----Original Message-----
From: John Campbell [mailto:jcampbell () wsipc org]
Sent: Friday, September 07, 2001 2:53 PM

In the last week, I've started seeing one to several port sweeps per
day on port 139, of a particular nature.  Typically the sweep will hit
.1 to .255 of a 24 bit net mask sized address block (generally called,
"Class C" although this can be erroneous) four times.

I have seen an increase since last week as well. However, the scans
against my machines start at the top of the range and work their way
down.

Have found nothing written on any new worms targeting this port.
Source machines are largely North American.

In my case the source was always within close second octet proximity.
My site is at 65.106, and I have received scans from
65.103-65.108.... maybe a new worm of sorts? (Resurging Hybris or
Explorer variant?)

Regards,
Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: Free Dmitry Sklyarov !

iQA/AwUBO5lIsZytSsEygtEFEQIIDQCg2+3I7T4NPmLGzTlIpi9XvskOtscAnjVc
QzT8oa6IRkxLRTMaxk8hKBqJ
=+Yhw
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
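
The sweep pattern discussed in this thread (port 139, .1 to .255 of a /24, several hits per host, ascending or descending, sources in a nearby second octet) can be looked for in connection logs. The following is an added example, not part of the original messages; the addresses are constructed, and the 200-host threshold and the 3-octet proximity window are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

def find_sweeps(events, port=139, min_hosts=200):
    """events: iterable of (src, dst, dport) in arrival order.
    Returns one dict per (source, destination /24) pair that looks like a sweep."""
    hits = defaultdict(list)                  # (src, dst /24) -> last octets, in order seen
    for src, dst, dport in events:
        if dport == port:
            d = ip_address(dst).packed
            hits[(src, d[:3])].append(d[3])
    sweeps = []
    for (src, net), octets in hits.items():
        distinct = len(set(octets))
        if distinct < min_hosts:              # assumed threshold: most of the /24 touched
            continue
        steps = list(zip(octets, octets[1:]))
        ups = sum(b > a for a, b in steps)
        downs = sum(b < a for a, b in steps)
        s = ip_address(src).packed
        sweeps.append({
            "src": src,
            "net": ".".join(map(str, net)) + ".0/24",
            "direction": "ascending" if ups >= downs else "descending",
            "hits_per_host": round(len(octets) / distinct),
            # Same first octet and second octet within 3 of the target's
            # (assumed window, modelled on the 65.103-65.108 vs 65.106 report).
            "near_neighbor": s[0] == net[0] and abs(s[1] - net[1]) <= 3,
        })
    return sweeps

def sample_events():
    """Constructed traffic for the example; not taken from any real capture."""
    ev = [("10.103.7.9", f"10.106.5.{h}", 139) for _ in range(4) for h in range(1, 256)]
    ev += [("10.108.2.4", f"10.106.5.{h}", 139) for h in range(255, 0, -1)]
    ev += [("172.16.9.9", f"10.106.5.{h}", 139) for h in (10, 11, 12)]  # not a sweep
    ev += [("10.103.7.9", "10.106.5.20", 80)]                           # other port
    return ev

if __name__ == "__main__":
    for sweep in find_sweeps(sample_events()):
        print(sweep)
```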

