[Date Prev][Date
Next][Thread Prev][Thread Next][Date
Index][Thread Index]
Re: OT: It can be a new virus?
On Thursday 26 June 2003 18:25, Dan wrote:
> Hi Steven,
>
> I have NETBIOS port scan from all over the world, not from my
neighbours.
> And it is vissible that they are a lot lot more than usual port scans.
> Sometimes they are more than 10 per minute, from totally different IP
> addresses
>
> They are reported by ISS BlackIce.
Well there is nothing hitting my firewall on the netbios ports (137, 138,
139), but I have a fairly high level of noise on my IDS logs.
Ah, just found
http://isc.incidents.org/analysis.html?id=170
Looks like there are a couple of worms on the loose causing netbios scans.
If
you are seeing hits on port 137 first, then 139 if the attacker is getting
any response to the 137 hit (probably not if your IDS is detecting/blocking
it), then this might be the answer.
Alternatively it could be the suspected new worm on the loose has a new
trick.
They identified what was thought to be an early rather bug-ridden copy last
week, but the traffic floating through the net backbones appears to
indicate
there are others out there. One of the tricks is to hide the real IP
address
of the infected machine by firing out loads of packets with falsified
source
addresses. One of them will be the real one, but there is no way to know
which. If you're curious you could try traceroutes and pings to some of the
source IP's just to see how many actually have real systems behind them. It
does sound like the IP range you are in is being targetted, but its
unlikely
to be you specifically.
Steven
Home |
Main Index |
Thread Index
|