Re: OT: It can be a new virus?
Hi Steven,
I just filter the TCP port 139 and now everything is quiet on my subnet.
Checking the router, I have seen that the attacks target all the computers from
Best regards,
Dan
----- Original Message -----
From: "Steven Edgar" <yahoogroups@xxxxxxx>
To: <ukha_d@xxxxxxx>
Sent: Thursday, June 26, 2003 9:00 PM
Subject: Re: [ukha_d] OT: It can be a new virus?
> On Thursday 26 June 2003 18:25, Dan wrote:
> > Hi Steven,
> >
> > I have NETBIOS port scan from all over the world, not from my neighbours.
> > And it is visible that they are a lot lot more than usual port scans.
> > Sometimes they are more than 10 per minute, from totally different IP
> > addresses
> >
> > They are reported by ISS BlackIce.
>
> Well there is nothing hitting my firewall on the netbios ports (137, 138,
> 139), but I have a fairly high level of noise on my IDS logs.
>
> Ah, just found
>
> http://isc.incidents.org/analysis.html?id=170
>
> Looks like there are a couple of worms on the loose causing netbios scans. If
> you are seeing hits on port 137 first, then 139 if the attacker is getting
> any response to the 137 hit (probably not if your IDS is detecting/blocking
> it), then this might be the answer.
>
> Alternatively it could be the suspected new worm on the loose has a new trick.
> They identified what was thought to be an early rather bug-ridden copy last
> week, but the traffic floating through the net backbones appears to indicate
> there are others out there. One of the tricks is to hide the real IP address
> of the infected machine by firing out loads of packets with falsified source
> addresses. One of them will be the real one, but there is no way to know
> which. If you're curious you could try traceroutes and pings to some of the
> source IPs just to see how many actually have real systems behind them. It
> does sound like the IP range you are in is being targeted, but it's unlikely
> to be you specifically.
>
>
>
> Steven
>
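An added example, not part of the original messages: a small log triage script for the pattern discussed in this thread, flagging sources that probe port 137 and then follow up on port 139 against the same host, and counting distinct NetBIOS scan sources per minute. The log format, field order and all addresses are constructed assumptions (documentation address ranges), not output from BlackICE or any real firewall.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log; assumed format: time proto src dst dport.
SAMPLE_LOG = """\
2003-06-26T18:20:01 UDP 198.51.100.7 192.0.2.10 137
2003-06-26T18:20:03 TCP 198.51.100.7 192.0.2.10 139
2003-06-26T18:20:05 UDP 203.0.113.9 192.0.2.11 137
2003-06-26T18:20:09 UDP 203.0.113.44 192.0.2.12 137
2003-06-26T18:20:30 TCP 198.51.100.80 192.0.2.10 80
2003-06-26T18:21:02 UDP 203.0.113.9 192.0.2.13 137
2003-06-26T18:25:40 TCP 203.0.113.44 192.0.2.12 139
"""

NETBIOS_PORTS = {137, 138, 139}

def parse(log):
    """Yield (time, proto, src, dst, dport) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, proto, src, dst, dport = parts
        yield datetime.fromisoformat(ts), proto, src, dst, int(dport)

def analyse(log, follow_up=timedelta(seconds=60)):
    """Return (sources that went 137 -> 139 on one host, distinct sources per minute)."""
    last_137 = {}                  # (src, dst) -> time of most recent UDP/137 probe
    followed = set()               # sources whose 139 attempt followed their 137 probe
    per_minute = defaultdict(set)  # minute -> distinct claimed source addresses
    for ts, proto, src, dst, dport in parse(log):
        if dport not in NETBIOS_PORTS:
            continue
        per_minute[ts.replace(second=0)].add(src)
        if dport == 137 and proto == "UDP":
            last_137[(src, dst)] = ts
        elif dport == 139 and proto == "TCP":
            seen = last_137.get((src, dst))
            if seen is not None and ts - seen <= follow_up:
                followed.add(src)
    rate = {minute.isoformat(): len(srcs) for minute, srcs in per_minute.items()}
    return followed, rate
```

Because the thread notes that source addresses may be falsified, the per-minute figure counts claimed sources, not confirmed hosts.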