North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Port 139 scans

  • From: Etaoin Shrdlu
  • Date: Thu Sep 28 11:07:40 2000

Dana Hudes wrote:
> Yes but in the past few days activity has stepped up tremendously.
> Where my webserver, which uses Samba to communicate with my local
> desktop win98 machine (the latter is client, no shares exported)
> used to get once in a couple months an attempt on port 139 now I
> have 45 / day.

I also use Concentric. I have seen a huge upsurge in 139 scans, and
whenever I connect to the magic port (7597) for curiosity's sake, I get
the prompt that shows it's infected. It isn't your imagination. Before
someone comments on the fact that these are natural, I will state that I
log everything, all the time, and the upswing has been recent, and
dramatic. From a natural 2 or 3 an hour, I have seen it surge to 

> Furthermore, they're overwhelmingly from customers of my upstream --
> Concentric. A handful from @home and others. I reported this to
> Concentric with the log.smb file in the message. No response 3 days
> later.

I am wondering which address you mailed this to. I am aware that there
is at least one person from concentric (or nextlink) that reads this
list, so that may help. I've engaged portsentry, specifically looking
for those machines that I see that are infected with a variant of the
notepad trojan (and thanks to ken lindahl for posting that link to NAI,
so that I didn't have to go guessing for which port was the magic one).
I will be emailing concentric later this evening, with a list of
machines that I have verified as containing the trojan. I usually have
good response from them, but haven't really tried an email since they
combined with Nextlink.


Modems connected to LANs are your friend.