Is anyone else seing lots of packets being thrown at port 139? We're getting 5 or 6 packets a sec, mostly from 80.0.0.0/8 (and all tcp syn's). -- Internet Vision Internet Consultancy Tel: 020 7589 4500 60 Albert Court & Web development Fax: 020 7589 4522 Prince Consort Road vision@ivision.co.uk London SW7 2BE http://www.ivision.co.uk/
we get loads all the time do you mean its abnormally high or you've only just checked, noticed them and highlighted it? Steve On Wed, 13 Feb 2002, Jasper Wallace wrote:
Is anyone else seing lots of packets being thrown at port 139?
We're getting 5 or 6 packets a sec, mostly from 80.0.0.0/8 (and all tcp syn's).
-- Stephen J. Wilcox IP Services Manager, Opal Telecom http://www.opaltelecom.co.uk/ Tel: 0161 222 2000 Fax: 0161 222 2008
On Wed, 13 Feb 2002, Stephen J. Wilcox wrote:
we get loads all the time
do you mean its abnormally high or you've only just checked, noticed them and highlighted it?
abnormally high. But then i havn't looked at this for a while, so it may just be growth in the background scanning rate... It's coming from multiple sources too. (goes and plays with cut, sort and uniq) Oh, fewer sources than i thought: 212.116.205.19 212.181.208.58 213.97.110.30 213.97.115.227 213.97.235.144 213.98.24.92 217.126.251.91 4.33.209.212 62.42.167.65 62.85.0.227 65.31.42.197 80.24.178.207 80.24.193.233 80.24.203.252 80.24.231.188 80.24.46.170 80.24.76.144 80.25.120.4 80.25.129.100 80.25.145.190 80.25.169.47 80.26.114.207 80.26.120.28 80.26.121.70 80.26.126.110 80.26.65.197 80.32.66.77 80.33.110.102 80.34.76.189 80.59.114.64 80.59.116.102 80.59.131.41 80.59.149.170 80.59.166.98 80.59.221.44 80.59.221.52 80.59.239.90 80.59.25.210 80.59.34.155 80.59.59.150 most seem to be dialin or *dsl oh well, back to the usual nanog flame wars ;-) -- Internet Vision Internet Consultancy Tel: 020 7589 4500 60 Albert Court & Web development Fax: 020 7589 4522 Prince Consort Road vision@ivision.co.uk London SW7 2BE http://www.ivision.co.uk/
Port 139's the netbios port. Is the source address in NTL's 80.0.0.0/13 allocation? They're using those IPs for their broadband always on cable modem customers. So it's either some idiot script kiddies running port scanners themselves or unfirewalled fools who've had their Windows boxes hacked. J. x
Is anyone else seing lots of packets being thrown at port 139?
We're getting 5 or 6 packets a sec, mostly from 80.0.0.0/8 (and all tcp syn's).
-- Internet Vision Internet Consultancy Tel: 020 7589 4500 60 Albert Court & Web development Fax: 020 7589 4522 Prince Consort Road vision@ivision.co.uk London SW7 2BE http://www.ivision.co.uk/
participants (3)
-
James Cronin
-
Jasper Wallace
-
Stephen J. Wilcox