[Dshield] Anyone else see an increase in port 139?

Kelly Martin kmartin at pyrzqxgl.org
Wed Jul 17 18:54:03 GMT 2002


Yes, my port 139 traffic has risen from 0-30 a day to 100-150 a day,
effective 7/2, with an unusual surge of 4181 yesterday.  133 so far today
which seems to be about the new baseline.  Firewall covers 512 IPs.  Most of
yesterday's surge is attributable to two IPs (65.82.29.88, 2032 hits, and
216.88.252.199, 1908 hits).  Most other IPs logged either 3 or 4 hits.
Prior to 7/2, almost entirety of traffic logged in a day is due to the same
single IP (a known configuration problem at an affiliated organization).
Suspect that two new tools are in use, one released 7/2 that sends 3 or 4
packets to random hosts, and one released yesterday that sends 3 or 4
packets per host in a linear netblock scan.

Kelly

----- Original Message -----
From: "Tim Rushing" <dshield at threenorth.com>
To: <list at dshield.org>
Sent: Wednesday, July 17, 2002 11:34 AM
Subject: [Dshield] Anyone else see an increase in port 139?


> Since about 5pm yesterday, I've seen multiple port 139 scans from 5
> different ip addresses.
>
> Discounting the past 24 hours, in the last month, I've only seen scans
from
> 4 different ips and all of those within the last week.  None in the 3
weeks
> before.
>
>         ---Tim Rushing
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
>




More information about the list mailing list