Re: [SLUG] DPT=139

From: Jason Copenhaver (jcopenha@typedef.org)
Date: Tue Aug 14 2001 - 07:52:24 EDT


On Mon, 13 Aug 2001, Doug Koobs wrote:

> Hello,
>
> I am getting many entries in /var/log/messages like the following:
>
> Aug 13 18:02:51 dkoobs kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:e0:18:90:62:63:00:01:42:2f:bf:70:08:00 SRC=65.34.51.97
> DST=65.34.56.199 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=43624 DF PROTO=TCP
> SPT=21074 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
>
> The DPT=139 is what interests me. I am just curious as to what is going on.
> I am getting these from multiple IP addresses, some not on the same subnet,
> although most are. I assume that someone is trying to access a Windows
> share? Anyone think RR will take any action if I report it?
>

These are quite common port scans for windows shares.. they happen all the
time on the RR, and I assume the other high speed home networks also. I
doubt RR would do anything..

Jason



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:19:51 EDT