From: WilliamsJonathan at JohnDeere.com (Williams Jon)
Subject: Increased TCP 139 Activity

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've had two machines act as if they were infected with something,
one on Saturday, and then one on Monday.  They each went through and
tried to scan a whole Class B network (it failed, due to our
firewalls) on ports 139 and 445, both ports per address, one packet
per host.  Each "infected" machine stopped when they reached the end
of the Class B.  Neither machine "selected" a network to scan that
was related to their own IP address.  Both machines scanned
non-sequentially.

Both machines were taken offline and scanned for viruses.  Both
showed positive for Blaster and one showed positive for a backdoor
called Roxy(?).  Both were cleaned and patched and reconnected, and
we haven't seen another scan like that since, although we've been
watching closely.

- -----Original Message-----
From: Phathat [mailto:phathat@...hmail.com]
Sent: Wednesday, October 08, 2003 9:40 AM
To: Full-Disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Increased TCP 139 Activity


*** PGP SIGNATURE VERIFICATION ***
*** Status:   Unknown Signature
*** Signer:   Unknown Key (0x95584DD8)
*** Signed:   10/8/2003 9:39:50 AM
*** Verified: 10/8/2003 10:50:41 AM
*** BEGIN PGP VERIFIED MESSAGE ***

Check your logs. For the past three hours we've seen a significant
increase
in scanning for TCP port 139 beginning from S. Korea.

*** END PGP VERIFIED MESSAGE ***

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBP4Qz5pRee70/469KEQKaEwCg3GoSn+rVEjno0th5k8GM3JUfPdwAoNUb
Mtax0VnIiwrd5UmaSj80Fp95
=b/Pm
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists