Re: Trace of 139 attack?

From: Windex King (WindexKing@mor-lan-d.com)
Date: 07/26/01


Message-ID: <3B602BB3.66137F78@mor-lan-d.com>
Date: Thu, 26 Jul 2001 10:39:47 -0400
From: Windex King <WindexKing@mor-lan-d.com>
To: focus-ms@securityfocus.com
Subject: Re: Trace of 139 attack?

S S wrote:
>>
>> <snip>
>>
>> C:\I AM Canadian>netstat -an | findstr /r "^[^:]*:139[^0-9][^:]*:.*"
>> TCP 10.10.10.10:139 0.0.0.0:0 LISTENING
>>
>> </snip>

>
> Wouldn't this work just as well?
>
> C:\I AM Canadian>netstat -an | find ":139"

Not really IMHO. The regex I used should only show listening
connections on or remote connections to TCP port 139 on the
server from which the command is run.

Yours will show all connections to/from/listening on ports
139, 139[0-9] as well as 139[0-9][0-9].

Mine is bad enough in that you still have to do the work to
figure out which of the inbound connections is from the attacker
(assuming there is more than one inbound connection established).

The other thing I forgot to mention is that this info will be
logged somewhere. I typically send it over an encrypted channel
to my HIDS Manager for safe keeping.

W K
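The point of the exchange above is precision: a plain substring match on `:139` also catches ports 1390 and 13900, while the anchored regex keeps only entries whose local port is exactly 139. The block below is an added illustration, not code from the original post; it reproduces both filters in Python over a constructed `netstat -an` sample and adds a small parser that goes one step further, isolating the ESTABLISHED inbound peers on port 139 (the "which inbound connection is the attacker" step the reply mentions). The sample addresses are invented.

```python
import re
from typing import List, Tuple

# Constructed sample of Windows "netstat -an" output; not taken from the post.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    10.10.10.10:139        0.0.0.0:0              LISTENING
TCP    10.10.10.10:139        192.0.2.44:1052        ESTABLISHED
TCP    10.10.10.10:1390       0.0.0.0:0              LISTENING
TCP    10.10.10.10:3389       192.0.2.77:13900       ESTABLISHED
TCP    10.10.10.10:1044       198.51.100.9:139       ESTABLISHED
UDP    10.10.10.10:139        *:*
"""

# Same expression as the findstr regex in the post: local port is exactly 139,
# followed by a non-digit, then a foreign endpoint with its own colon.
EXACT_139 = re.compile(r"^[^:]*:139[^0-9][^:]*:.*")


def naive_filter(output: str) -> List[str]:
    """Equivalent of `find ":139"`: any line containing the substring."""
    return [line for line in output.splitlines() if ":139" in line]


def regex_filter(output: str) -> List[str]:
    """Equivalent of the findstr /r expression from the post."""
    return [line for line in output.splitlines() if EXACT_139.search(line)]


def port139_connections(output: str) -> List[Tuple[str, str, str]]:
    """Parse TCP entries whose local OR remote port is exactly 139.
    Goes beyond the post's regex, which only keys on the local port."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "TCP":
            continue  # skip header and UDP rows
        local, foreign = parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""
        lport = int(local.rsplit(":", 1)[1])
        fport = int(foreign.rsplit(":", 1)[1])
        if lport == 139 or fport == 139:
            rows.append((local, foreign, state))
    return rows


def inbound_139_peers(output: str) -> List[str]:
    """Foreign endpoints with an ESTABLISHED session to local port 139."""
    return [foreign for local, foreign, state in port139_connections(output)
            if local.endswith(":139") and state == "ESTABLISHED"]
```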
