The UK Home Automation Archive

Archive Home
Group Home
Search Archive


Advanced Search

The UKHA-ARCHIVE IS CEASING OPERATIONS 31 DEC 2024

Latest message you have seen: [OT] mobile data message


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: OT: It can be a new virus?



Hi Steven,


> Looks like there are a couple of worms on the loose causing netbios
scans.
If
> you are seeing hits on port 137 first, then 139 if the attacker is
getting
> any response to the 137 hit (probably not if your IDS is
detecting/blocking
> it), then this might be the answer.

All of the NETBIOS port probe scans are on port 139 ONLY.
The count of probe per source IP address is between 3 (minimum) and 67
(maximum) only in the last two hours.
>
> Alternatively it could be the suspected new worm on the loose has a
new
trick.
More probable in my case.

> They identified what was thought to be an early rather bug-ridden copy
last
> week, but the traffic floating through the net backbones appears to
indicate
> there are others out there. One of the tricks is to hide the real IP
address
> of the infected machine by firing out loads of packets with falsified
source
> addresses. One of them will be the real one, but there is no way to
know
> which. If you're curious you could try traceroutes and pings to some
of
the
> source IP's just to see how many actually have real systems behind
them.
About 50% are from DNS registered IP addresses, the rest are not registered
in DNS.
I have tested a couple of them and they are at more than 30 hops from me
and
do not aswer to ping commands, which means that probably they does not
exist.

> It does sound like the IP range you are in is being targetted, but its
unlikely
> to be you specifically.
It is possible. I have several computers in the same subnet and all of them
are in the same situation.

BR,
Dan




Home | Main Index | Thread Index

Comments to the Webmaster are always welcomed, please use this contact form . Note that as this site is a mailing list archive, the Webmaster has no control over the contents of the messages. Comments about message content should be directed to the relevant mailing list.