Dana Hudes wrote:
> Yes, but in the past few days activity has stepped up tremendously. Where my webserver, which uses Samba to communicate with my local desktop win98 machine (the latter is client, no shares exported), used to get once in a couple months an attempt on port 139, now I have 45 / day.
I also use Concentric. I have seen a huge upsurge in 139 scans, and whenever I connect to the magic port (7597) for curiosity's sake, I get the prompt that shows it's infected. It isn't your imagination. Before someone comments on the fact that these are natural, I will state that I log everything, all the time, and the upswing has been recent, and dramatic. From a natural 2 or 3 an hour, I have seen it surge to
> Furthermore, they're overwhelmingly from customers of my upstream -- Concentric. A handful from @home and others. I reported this to Concentric with the log.smb file in the message. No response 3 days later.
I am wondering which address you mailed this to. I am aware that there is at least one person from Concentric (or Nextlink) that reads this list, so that may help. I've engaged portsentry, specifically looking for those machines that I see that are infected with a variant of the notepad trojan (and thanks to Ken Lindahl for posting that link to NAI, so that I didn't have to go guessing for which port was the magic one). I will be emailing Concentric later this evening, with a list of machines that I have verified as containing the trojan. I usually have good response from them, but haven't really tried an email since they combined with Nextlink.

.shrdlu

--
Modems connected to LANs are your friend. -kmart