North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Port 139 scans
Partially correct. It's a worm.. Windows likes to share drives with no passwords. This worm just logs into those shares, and copies itself into like autoexec.bat. Next boot it infects your system. On a somewhat related note, since we obviously have AOL people living and they now own ICQ. irc.icq.com has been used for weeks for these kiddies to store various ddos clients on. Take a look at #0wned. All compromised machines. There are no live opers to deal with it, and emails to firstname.lastname@example.org go unanswered. Is there any way we can deal with things like this? Jason --- Jason Slagle - CCNA - CCDA Network Administrator - Toledo Internet Access - Toledo Ohio - email@example.com - firstname.lastname@example.org - WHOIS JS10172 -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GE d-- s:+ a-- C++ UL+++ P--- L+++ E- W- N+ o-- K- w--- O M- V PS+ PE+++ Y+ PGP t+ 5 X+ R tv+ b+ DI+ D G e+ h! r++ y+ ------END GEEK CODE BLOCK------ On Wed, 27 Sep 2000, Ben Browning wrote: > I get about 4 or 5 of these a day on my home boxen and I receive 5-10 times > that many abuse complaints regarding this activity. > > My current suspicion is that a backdoor trojan (pause here to decline the > port 139 attempt that just zipped by me) is on the loose and being > propagated like mad. This would certainly fit with the rumour of a huge > DDoS attack in the works, as m@d l33t h@x0rs get as many machines as > possible compromised and ready to help the attack. > > I have noticed that the large majority of these scans from my address space > (126.96.36.199 - 188.8.131.52) are targeted at others in the 216.39.* and > 216.40.* blocks. Also, all of the computers in question seem to be Win9x > boxes. Coincidence? I think not. Perhaps this is a new virus afoot that > replicates itself by hunting through an IP block and the ones above and > below it for an open Windows share. That would make sense, given the data I > have thus far. > > CERT has an advisory up (http://www.cert.org/vul_notes/VN-2000-03.html) > about NetBIOS DoS attacks, but these don't seem to be hosing networks, just > kind of feeling around.