[Dshield] Port 139 scans

Jon R. Kibler Jon.Kibler at aset.com
Sun Feb 15 19:30:28 GMT 2004


Has anyone else noticed scans on 139/tcp for multiple sequential IPs? We just had our second scan of this type in recent days. Sorry, no packets are available... just firewall logs showing dropped packets.

> Feb 13 18:46:41 border8215 list 110 denied tcp 61.219.255.50(63803) -> a.b.59.64(139), 1 packet
> Feb 13 18:46:42 border8215 list 110 denied tcp 61.219.255.50(64785) -> a.b.59.83(139), 1 packet
> Feb 13 18:46:44 border8215 list 110 denied tcp 61.219.255.50(63803) -> a.b.59.64(139), 1 packet
> Feb 13 18:46:44 border8215 list 110 denied tcp 61.219.255.50(65227) -> a.b.59.82(139), 1 packet
> Feb 13 18:46:51 border8215 list 110 denied tcp 61.219.255.50(63803) -> a.b.59.64(139), 1 packet
> Feb 13 18:46:52 border8215 list 110 denied tcp 61.219.255.50(65321) -> a.b.59.75(139), 1 packet
> Feb 13 18:46:53 border8215 list 110 denied tcp 61.219.255.50(63641) -> a.b.59.94(139), 1 packet
> Feb 13 19:03:47 border8215 list 110 denied tcp 61.219.255.50(63789) -> a.b.59.64(139), 1 packet
> Feb 13 19:03:48 border8215 list 110 denied tcp 61.219.255.50(65367) -> a.b.59.84(139), 1 packet
> Feb 13 19:03:50 border8215 list 110 denied tcp 61.219.255.50(63789) -> a.b.59.64(139), 1 packet
> Feb 13 19:03:51 border8215 list 110 denied tcp 61.219.255.50(64519) -> a.b.59.83(139), 1 packet
> Feb 13 19:03:57 border8215 list 110 denied tcp 61.219.255.50(63789) -> a.b.59.64(139), 1 packet
> Feb 13 19:03:58 border8215 list 110 denied tcp 61.219.255.50(64501) -> a.b.59.80(139), 1 packet
> Feb 15 13:15:59 border8215 list 110 denied tcp 210.220.29.226(4825) -> a.b.58.50(139), 1 packet
> Feb 15 13:26:44 border8215 list 110 denied tcp 210.220.29.226(1266) -> a.b.59.64(139), 1 packet
> Feb 15 13:26:47 border8215 list 110 denied tcp 210.220.29.226(1268) -> a.b.59.65(139), 1 packet
> Feb 15 13:26:50 border8215 list 110 denied tcp 210.220.29.226(1272) -> a.b.59.68(139), 1 packet
> Feb 15 13:26:59 border8215 list 110 denied tcp 210.220.29.226(1276) -> a.b.59.70(139), 1 packet
> Feb 15 13:27:03 border8215 list 110 denied tcp 210.220.29.226(1278) -> a.b.59.71(139), 1 packet
> Feb 15 13:27:06 border8215 list 110 denied tcp 210.220.29.226(1282) -> a.b.59.73(139), 1 packet
> Feb 15 13:27:10 border8215 list 110 denied tcp 210.220.29.226(1284) -> a.b.59.74(139), 1 packet
> Feb 15 13:27:12 border8215 list 110 denied tcp 210.220.29.226(1285) -> a.b.59.75(139), 1 packet
> Feb 15 13:27:18 border8215 list 110 denied tcp 210.220.29.226(1288) -> a.b.59.76(139), 1 packet
> Feb 15 13:27:24 border8215 list 110 denied tcp 210.220.29.226(1289) -> a.b.59.77(139), 1 packet
> Feb 15 13:27:30 border8215 list 110 denied tcp 210.220.29.226(1266) -> a.b.59.64(139), 3 packets
> Feb 15 13:27:32 border8215 list 110 denied tcp 210.220.29.226(1268) -> a.b.59.65(139), 3 packets
> Feb 15 13:27:36 border8215 list 110 denied tcp 210.220.29.226(1272) -> a.b.59.68(139), 3 packets
> Feb 15 13:27:45 border8215 list 110 denied tcp 210.220.29.226(1276) -> a.b.59.70(139), 3 packets
> Feb 15 13:27:49 border8215 list 110 denied tcp 210.220.29.226(1278) -> a.b.59.71(139), 3 packets
> Feb 15 13:27:52 border8215 list 110 denied tcp 210.220.29.226(1282) -> a.b.59.73(139), 3 packets
> Feb 15 13:27:56 border8215 list 110 denied tcp 210.220.29.226(1284) -> a.b.59.74(139), 3 packets
> Feb 15 13:27:58 border8215 list 110 denied tcp 210.220.29.226(1285) -> a.b.59.75(139), 3 packets
> Feb 15 13:28:03 border8215 list 110 denied tcp 210.220.29.226(1288) -> a.b.59.76(139), 3 packets
> Feb 15 13:28:04 border8215 list 110 denied tcp 210.220.29.226(1290) -> a.b.59.78(139), 3 packets
> Feb 15 13:28:10 border8215 list 110 denied tcp 210.220.29.226(1291) -> a.b.59.79(139), 3 packets
> Feb 15 13:28:14 border8215 list 110 denied tcp 210.220.29.226(1294) -> a.b.59.80(139), 3 packets
> Feb 15 13:29:08 border8215 list 110 denied tcp 210.220.29.226(1297) -> a.b.59.82(139), 3 packets
> Feb 15 13:29:24 border8215 list 110 denied tcp 210.220.29.226(1298) -> a.b.59.83(139), 3 packets
> Feb 15 13:30:07 border8215 list 110 denied tcp 210.220.29.226(1299) -> a.b.59.84(139), 3 packets
> Feb 15 13:30:08 border8215 list 110 denied tcp 210.220.29.226(1301) -> a.b.59.85(139), 3 packets
> Feb 15 13:30:35 border8215 list 110 denied tcp 210.220.29.226(1304) -> a.b.59.86(139), 3 packets

Note: We do not have port 139 open on any IP, so I have no idea why certain IPs (e.g., a.b.59.69, a.b.59.81, etc.) would be skipped and why the ranges of IPs shown are all that were scanned in our netblock.

Is this possibly a new worm or ASN exploit?

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
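
One way to summarise the pattern raised in this post from logs of this kind, added here as an example and not part of the original message: it groups denied 139/tcp entries by source and destination prefix, then lists which addresses inside the swept range were probed and which were skipped. The function name `find_sweeps`, the `min_hosts` threshold and the treatment of the last dotted field as the host number are assumptions; the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Sample input: seven lines copied from the post above (same router ACL log format).
SAMPLE = """\
Feb 13 18:46:41 border8215 list 110 denied tcp 61.219.255.50(63803) -> a.b.59.64(139), 1 packet
Feb 13 18:46:42 border8215 list 110 denied tcp 61.219.255.50(64785) -> a.b.59.83(139), 1 packet
Feb 15 13:26:44 border8215 list 110 denied tcp 210.220.29.226(1266) -> a.b.59.64(139), 1 packet
Feb 15 13:26:47 border8215 list 110 denied tcp 210.220.29.226(1268) -> a.b.59.65(139), 1 packet
Feb 15 13:26:50 border8215 list 110 denied tcp 210.220.29.226(1272) -> a.b.59.68(139), 1 packet
Feb 15 13:26:59 border8215 list 110 denied tcp 210.220.29.226(1276) -> a.b.59.70(139), 1 packet
Feb 15 13:27:30 border8215 list 110 denied tcp 210.220.29.226(1266) -> a.b.59.64(139), 3 packets
"""

# "list <acl> denied tcp <src>(<sport>) -> <dst>(<dport>), <n> packet(s)"
LINE = re.compile(
    r"list (?P<acl>\d+) denied tcp (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\S+?)\((?P<dport>\d+)\), (?P<n>\d+) packets?"
)

def find_sweeps(log_text, port=139, min_hosts=3):
    """Return {(src, dst_prefix): {"probed", "skipped", "packets"}} for sources
    that hit at least min_hosts distinct addresses under one prefix on `port`."""
    seen = defaultdict(lambda: defaultdict(int))  # (src, prefix) -> {host: packets}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or int(m["dport"]) != port:
            continue
        # The post masks the first two octets ("a.b"), so split on the last dot only.
        prefix, _, host = m["dst"].rpartition(".")
        if host.isdigit():
            seen[(m["src"], prefix)][int(host)] += int(m["n"])
    report = {}
    for key, hosts in seen.items():
        if len(hosts) < min_hosts:
            continue  # too few distinct targets to call it a sweep
        probed = sorted(hosts)
        skipped = [h for h in range(probed[0], probed[-1] + 1) if h not in hosts]
        report[key] = {"probed": probed, "skipped": skipped,
                       "packets": sum(hosts.values())}
    return report

if __name__ == "__main__":
    for (src, prefix), info in find_sweeps(SAMPLE).items():
        print(src, prefix, info)
```
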



