[Dshield] RE: Recent jump in Port 135 Targets in DShield Data
jsage at finchhaven.com
Tue Sep 23 15:42:48 GMT 2003
Ed, et al:
On Tue, Sep 23, 2003 at 07:39:35AM -0500, Ed Truitt wrote:
> David Mehl wrote:
/* snip */
> I am not sure they are the "same old addresses", there is the distinct
> possibility that new attackers are coming online at about the same rate
> that Blasters are being disinfected. However, I noticed that we DID hit
> a million targets for 135 probes yesterday, even though the activity on
> my own tarpit is at about the same level as before, and almost all of
> the 135 probes appear to be coming from the same /8 netblock (216) that
> I am on.
> I can try to capture some sample packets, and see if there is something
> new. Of course, if someone more versed in this than I can or has done
> so, it would be much easier and faster.
I've had some specific snort rules alerting on known TCP:135 packet
contents for several days, and I haven't seen anything new yet
(although it's like looking for the needle-in-the-packet-dump...)
"Warning: time of day goes back, taking countermeasures."
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
ATTENTION: this message is privileged communication. If you read it
even though you aren't supposed to, you're a poopy-head.