lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AD1BE98A2FADEA49ADBF5B4AC79B7994030AE41B@edxmb1.jdnet.deere.com>
From: WilliamsJonathan at JohnDeere.com (Williams Jon)
Subject: Increased TCP 139 Activity

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've had two machines act as if they were infected with something,
one on Saturday, and then one on Monday.  They each went through and
tried to scan a whole Class B network (it failed, due to our
firewalls) on ports 139 and 445, both ports per address, one packet
per host.  Each "infected" machine stopped when they reached the end
of the Class B.  Neither machine "selected" a network to scan that
was related to their own IP address.  Both machines scanned
non-sequentially.

Both machines were taken offline and scanned for viruses.  Both
showed positive for Blaster and one showed positive for a backdoor
called Roxy(?).  Both were cleaned and patched and reconnected, and
we haven't seen another scan like that since, although we've been
watching closely.

- -----Original Message-----
From: Phathat [mailto:phathat@...hmail.com]
Sent: Wednesday, October 08, 2003 9:40 AM
To: Full-Disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Increased TCP 139 Activity


*** PGP SIGNATURE VERIFICATION ***
*** Status:   Unknown Signature
*** Signer:   Unknown Key (0x95584DD8)
*** Signed:   10/8/2003 9:39:50 AM
*** Verified: 10/8/2003 10:50:41 AM
*** BEGIN PGP VERIFIED MESSAGE ***

Check your logs. For the past three hours we've seen a significant
increase
in scanning for TCP port 139 beginning from S. Korea.

*** END PGP VERIFIED MESSAGE ***

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBP4Qz5pRee70/469KEQKaEwCg3GoSn+rVEjno0th5k8GM3JUfPdwAoNUb
Mtax0VnIiwrd5UmaSj80Fp95
=b/Pm
-----END PGP SIGNATURE-----



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ