The UK Home Automation Archive

Archive Home
Group Home
Search Archive


Advanced Search

The UKHA-ARCHIVE IS CEASING OPERATIONS 31 DEC 2024

Latest message you have seen: RE: Re: Caller Id and Homeseer Meteor Plugin - help please


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: OT: It can be a new virus?



On Thursday 26 June 2003 18:25, Dan wrote:
> Hi Steven,
>
> I have NETBIOS port scan from all over the world, not from my
neighbours.
> And it is vissible that they are a lot lot more than usual port scans.
> Sometimes they are more than 10 per minute, from totally different IP
> addresses
>
> They are reported by ISS BlackIce.

Well there is nothing hitting my firewall on the netbios ports (137, 138,
139), but I have a fairly high level of noise on my IDS logs.

Ah, just found

http://isc.incidents.org/analysis.html?id=170

Looks like there are a couple of worms on the loose causing netbios scans.
If
you are seeing hits on port 137 first, then 139 if the attacker is getting
any response to the 137 hit (probably not if your IDS is detecting/blocking
it), then this might be the answer.

Alternatively it could be the suspected new worm on the loose has a new
trick.
They identified what was thought to be an early rather bug-ridden copy last
week, but the traffic floating through the net backbones appears to
indicate
there are others out there. One of the tricks is to hide the real IP
address
of the infected machine by firing out loads of packets with falsified
source
addresses. One of them will be the real one, but there is no way to know
which. If you're curious you could try traceroutes and pings to some of the
source IP's just to see how many actually have real systems behind them. It
does sound like the IP range you are in is being targetted, but its
unlikely
to be you specifically.



Steven


Home | Main Index | Thread Index

Comments to the Webmaster are always welcomed, please use this contact form . Note that as this site is a mailing list archive, the Webmaster has no control over the contents of the messages. Comments about message content should be directed to the relevant mailing list.