[Dshield] RE: Recent jump in Port 135 Targets in DShield Data

John Sage jsage at finchhaven.com
Tue Sep 23 15:42:48 GMT 2003

Ed, et al:

On Tue, Sep 23, 2003 at 07:39:35AM -0500, Ed Truitt wrote:
> David Mehl wrote:
/* snip */
> I am not sure they are the "same old addresses", there is the distinct 
> possibility that new attackers are coming online at about the same rate 
> that Blasters are being disinfected.  However, I noticed that we DID hit 
> a million targets for 135 probes yesterday, even though the activity on 
> my own tarpit is at about the same level as before, and almost all of 
> the 135 probes appear to be coming from the same /8 netblock (216) that 
> I am on.
> I can try to capture some sample packets, and see if there is something 
> new.  Of course, if someone more versed in this than I can or has done 
> so, it would be much easier and faster.

I've had some specific snort rules alerting on known TCP:135 packet
contents for several days, and I haven't seen anything new yet
(although it's like looking for the needle-in-the-packet-dump...)

- John
"Warning: time of day goes back, taking countermeasures."
John Sage
InfoSec Groupie
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
ATTENTION: this message is privileged communication. If you read it
even though you aren't supposed to, you're a poopy-head.
