Security Incidents mailing list archives

RE: Recent Increase in Port 139 Activity


From: John Campbell <jcampbell () wsipc org>
Date: Mon, 10 Sep 2001 09:32:02 -0700

Poking a hole and setting up a port listener is not a bad idea - it would
give us more packet detail than a listener outside the firewall, passively
monitoring what went by on the wire.  Will keep the list posted (it may be a
few days before it gets done 8^( )
John

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Sunday, September 09, 2001 1:07 PM
To: John Campbell; 'incidents () securityfocus com'
Subject: Re: Recent Increase in Port 139 Activity


John,

> In the last week, I've started seeing one to several port sweeps per day
> on port 139, of a particular nature.

First off, I'm not sure how the traffic you describe
is "particular" in nature...could you elaborate? 
After all, your firewall drops it...right?

Second, I'd be very interested to see what happens if
you can get some packet data.  Generally, the SYN
packet won't have any data of interest...you'd have to
let the handshake complete, and then see what data is
sent to the host.  Perhaps if you opened a hole to a
single machine on port 139, but to a Linux box...with
nothing running on that port except a generic
listener.  That way, the handshake would be completed,
and we'd be able to see what data would be sent once
that's done.

At the very least, we'd be able to see what it is, and
maybe put an end to the speculation about this worm or
that worm... 
 



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
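
The generic listener proposed in this thread, sketched in Python as an added example (not code from either poster): it accepts connections so the handshake completes, records the first payload, and sends nothing back. The function names are hypothetical, and the decoding assumes the standard NetBIOS session request layout from RFC 1001/1002, which goes beyond what the thread itself describes.

```python
import socket
import struct

def decode_nb_name(enc: bytes) -> str:
    """Undo NetBIOS first-level encoding: 32 letters 'A'..'P' -> 16 bytes."""
    if len(enc) != 32 or not all(0x41 <= b <= 0x50 for b in enc):
        return "?" + enc.hex()
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    # 15 space-padded name characters followed by a one-byte suffix (service type).
    return f"{raw[:15].decode('ascii', 'replace').rstrip()}<{raw[15]:02x}>"

def describe(payload: bytes) -> str:
    """Summarise the first bytes a client sent once the handshake completed."""
    if len(payload) >= 72:
        ptype, _flags, _length = struct.unpack("!BBH", payload[:4])
        # Type 0x81 is a session request: called name, then calling name,
        # each stored as 0x20 + 32 encoded bytes + 0x00.
        if ptype == 0x81 and payload[4] == 0x20 and payload[38] == 0x20:
            called = decode_nb_name(payload[5:37])
            calling = decode_nb_name(payload[39:71])
            return f"NBSS session request called={called} calling={calling}"
    return f"{len(payload)} bytes: {payload[:64].hex()}"

def capture_one(srv: socket.socket, timeout: float = 10.0):
    """Accept one connection and return (peer, first payload); b'' if silent."""
    conn, peer = srv.accept()   # the kernel has already completed the handshake
    with conn:
        conn.settimeout(timeout)
        try:
            data = conn.recv(4096)
        except OSError:         # timeout or reset before any data arrived
            data = b""
    return peer, data

def listen(host: str = "0.0.0.0", port: int = 139) -> None:
    """Log every connection; never replies, so nothing is served on the port."""
    with socket.create_server((host, port)) as srv:   # port 139 needs root
        while True:
            peer, data = capture_one(srv)
            print(f"{peer[0]}:{peer[1]} {describe(data)}", flush=True)

if __name__ == "__main__":
    listen()
```

Payloads that are not a session request fall through to a hex summary, so the log still shows what arrived.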

