The UK Home Automation Archive

Archive Home
Group Home
Search Archive


Advanced Search

The UKHA-ARCHIVE IS CEASING OPERATIONS 31 DEC 2024

Latest message you have seen: introduction


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: OT: It can be a new virus?



Hi Steven,

I just filter the TCP port 139 and now everythjing is quit on my subnet.
Checking the router, I have seen that the attacks target all the computers
>from

Best regards,
Dan

----- Original Message -----
From: "Steven Edgar" <yahoogroups@xxxxxxx>
To: <ukha_d@xxxxxxx>
Sent: Thursday, June 26, 2003 9:00 PM
Subject: Re: [ukha_d] OT: It can be a new virus?


> On Thursday 26 June 2003 18:25, Dan wrote:
> > Hi Steven,
> >
> > I have NETBIOS port scan from all over the world, not from my
neighbours.
> > And it is vissible that they are a lot lot more than usual port
scans.
> > Sometimes they are more than 10 per minute, from totally
different IP
> > addresses
> >
> > They are reported by ISS BlackIce.
>
> Well there is nothing hitting my firewall on the netbios ports (137,
138,
> 139), but I have a fairly high level of noise on my IDS logs.
>
> Ah, just found
>
> http://isc.incidents.org/analysis.html?id=170
>
> Looks like there are a couple of worms on the loose causing netbios
scans.
If
> you are seeing hits on port 137 first, then 139 if the attacker is
getting
> any response to the 137 hit (probably not if your IDS is
detecting/blocking
> it), then this might be the answer.
>
> Alternatively it could be the suspected new worm on the loose has a
new
trick.
> They identified what was thought to be an early rather bug-ridden copy
last
> week, but the traffic floating through the net backbones appears to
indicate
> there are others out there. One of the tricks is to hide the real IP
address
> of the infected machine by firing out loads of packets with falsified
source
> addresses. One of them will be the real one, but there is no way to
know
> which. If you're curious you could try traceroutes and pings to some
of
the
> source IP's just to see how many actually have real systems behind
them.
It
> does sound like the IP range you are in is being targetted, but its
unlikely
> to be you specifically.
>
>
>
> Steven
>
>
> ** UKHA2004 BE THERE! ** - start planning now.
>
> http://www.automatedhome.co.uk
> Post message: ukha_d@xxxxxxx
> Subscribe:  ukha_d-subscribe@xxxxxxx
> Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
> List owner:  ukha_d-owner@xxxxxxx
>
> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
>
>
>




Home | Main Index | Thread Index

Comments to the Webmaster are always welcomed, please use this contact form . Note that as this site is a mailing list archive, the Webmaster has no control over the contents of the messages. Comments about message content should be directed to the relevant mailing list.