Re: OT: It can be a new virus?
Hi Steven,
> Looks like there are a couple of worms on the loose causing netbios scans.
> If you are seeing hits on port 137 first, then 139 if the attacker is getting
> any response to the 137 hit (probably not if your IDS is detecting/blocking
> it), then this might be the answer.
All of the NETBIOS port probe scans are on port 139 ONLY.
The count of probes per source IP address is between 3 (minimum) and 67
(maximum) only in the last two hours.
>
> Alternatively it could be the suspected new worm on the loose has a new
> trick.
More probable in my case.
> They identified what was thought to be an early rather bug-ridden copy last
> week, but the traffic floating through the net backbones appears to indicate
> there are others out there. One of the tricks is to hide the real IP address
> of the infected machine by firing out loads of packets with falsified source
> addresses. One of them will be the real one, but there is no way to know
> which. If you're curious you could try traceroutes and pings to some of the
> source IPs just to see how many actually have real systems behind them.
About 50% are from DNS registered IP addresses, the rest are not registered
in DNS.
I have tested a couple of them and they are at more than 30 hops from me and
do not answer to ping commands, which means that probably they do not exist.
> It does sound like the IP range you are in is being targeted, but it's
> unlikely to be you specifically.
It is possible. I have several computers in the same subnet and all of them
are in the same situation.
BR,
Dan