Wednesday, June 29, 2005

Firewall panic...

I was going through a regular check of my PC's log files (IIS, AV, firewall, RootkitRevealer, etc.) when I noted 142 high-rated blocked intrusions in my firewall log. Apparently, there has been abnormally high port 139 activity on the internet lately. I recall a little bird telling me on IRC, a few days after this month's Patch Tuesday, to expect something "interesting" in the next few days, as exploits for the released vulnerabilities were already spreading around.

Port 139 is one of the better-known NetBIOS ports: TCP 139 is the NetBIOS Session Service, the port Windows File and Printer Sharing (SMB carried over NetBIOS) listens on; Windows 2000 and later also carry the same SMB traffic directly over TCP 445. It has perennially been one of the most attacked Microsoft ports. For a PC directly connected to the internet, once a folder is shared with the old default share permissions (Everyone: Full Control, the default on Windows 2000 and earlier; newer versions changed it to Everyone: Read) and no NTFS restrictions are defined, it is very likely to be pwn3d in a matter of minutes: anyone who can reach port 139 can read and write that share without needing an exploit at all, and the same port is where any remote SMB vulnerability is reached. Blocking inbound 139 and 445 at the firewall, as the log entries above show, is what keeps those probes at the door.
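To make the probe concrete, here is an added example (not code from the original post) that builds and decodes the NetBIOS Session Request, the first message a port 139 probe sends once the TCP handshake completes, as laid out in RFC 1001/1002. The wildcard called name *SMBSERVER and the calling name SCANNER are assumed for illustration; the name-encoding scheme and message layout are the RFC's own.

```python
"""Build and decode the NetBIOS Session Request that opens an SMB session
on TCP/139 (RFC 1001/1002).  Added example, not from the original post.
"""
import struct

SESSION_REQUEST = 0x81
POSITIVE_RESPONSE = 0x82
NEGATIVE_RESPONSE = 0x83

# Negative-response error codes from RFC 1002 section 4.3.4.
NEGATIVE_CODES = {
    0x80: "Not listening on called name",
    0x81: "Not listening for calling name",
    0x82: "Called name not present",
    0x83: "Called name present, but insufficient resources",
    0x8F: "Unspecified error",
}


def encode_netbios_name(name, suffix=0x20):
    """First-level encoding: the 15-char name (space padded) plus a 1-byte
    suffix, each byte split into two nibbles and each nibble mapped to
    'A'..'P' (0x41 + nibble).  Result is always 32 ASCII bytes."""
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def session_request(called, calling, called_suffix=0x20, calling_suffix=0x00):
    """Type 0x81 message: 4-byte header followed by the called and calling
    names, each as a 0x20 length byte, 32 encoded chars and a 0x00
    terminator (34 bytes).  '*SMBSERVER' is the wildcard called name that
    any Windows host accepts, which is why probes use it."""
    body = (b"\x20" + encode_netbios_name(called, called_suffix) + b"\x00"
            + b"\x20" + encode_netbios_name(calling, calling_suffix) + b"\x00")
    length = len(body)
    flags = (length >> 16) & 1          # bit 0 of FLAGS is the 17th length bit
    return struct.pack(">BBH", SESSION_REQUEST, flags, length & 0xFFFF) + body


def parse_session_message(data):
    """Parse the session-service header; decode both names for a request
    and the error code for a negative response."""
    msg_type, flags, length = struct.unpack(">BBH", data[:4])
    length |= (flags & 1) << 16
    body = data[4:4 + length]
    info = {"type": msg_type, "length": length}
    if msg_type == SESSION_REQUEST:
        called_name, called_suffix = decode_netbios_name(body[1:33])
        calling_name, calling_suffix = decode_netbios_name(body[35:67])
        info.update(called=called_name, called_suffix=called_suffix,
                    calling=calling_name, calling_suffix=calling_suffix)
    elif msg_type == NEGATIVE_RESPONSE:
        info["error_code"] = body[0]
        info["error"] = NEGATIVE_CODES.get(body[0], "Unknown")
    return info


if __name__ == "__main__":
    pkt = session_request("*SMBSERVER", "SCANNER")   # names assumed for the demo
    print(pkt.hex())
    print(parse_session_message(pkt))
```

The encoded called name for *SMBSERVER comes out as CKFDENECFDEFFCFGEFFCCACACACACACA, which is the string you will see in the first data packet of one of these connections if you capture one; a host that is not sharing anything answers with a type 0x83 negative response rather than the 0x82 positive one.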

I wonder whether these machines doing port 139 probes are actually zombies that may be part of a huge botnet carrying out an orchestrated scan of the port across the internet. The last time I encountered such heightened port 139 activity (based on my honeypot's logs) was during the height of the Mofei virus infection. Is this a precursor to a more potent variant of the virus, or a totally new, yet-to-be-detected worm that exploits one of the newly discovered vulnerabilities (my hunch is the SMB vulnerability)?
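As an added example that is not part of the original post, this is the triage one would run over those firewall-log hits to tell a distributed sweep (many sources, a few hits each, the signature of a worm or botnet where every infected host scans a little) from a single scanner hammering the port. The log format and sample lines are constructed for illustration and use RFC 5737 documentation addresses, not real traffic; the thresholds in classify() are assumptions, not published figures.

```python
"""Triage blocked inbound TCP/139 hits from a personal firewall log.

Added example, not code from the original post.  The log format
(date,time,action,src:port,dst:port,proto) is a constructed, simplified
one assumed for illustration; adapt parse_line() to your firewall's format.
"""
import re
from collections import Counter

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
2005/06/28,01:12:04,BLOCK,203.0.113.17:3145,192.0.2.10:139,TCP
2005/06/28,01:12:09,BLOCK,198.51.100.5:1026,192.0.2.10:139,TCP
2005/06/28,01:13:41,BLOCK,203.0.113.88:4021,192.0.2.10:139,TCP
2005/06/28,01:14:02,BLOCK,198.51.100.77:2210,192.0.2.10:445,TCP
2005/06/28,01:15:30,BLOCK,203.0.113.17:3146,192.0.2.10:139,TCP
2005/06/28,01:16:11,ALLOW,192.0.2.10:1098,198.51.100.200:80,TCP
2005/06/28,01:17:55,BLOCK,198.51.100.23:1030,192.0.2.10:139,TCP
2005/06/28,01:18:20,BLOCK,203.0.113.101:3389,192.0.2.10:139,TCP
2005/06/28,01:19:03,BLOCK,198.51.100.9:1025,192.0.2.10:139,TCP
2005/06/28,01:20:47,BLOCK,203.0.113.17:137,192.0.2.10:137,UDP
2005/06/28,01:21:15,BLOCK,198.51.100.5:1027,192.0.2.10:139,TCP
this line is corrupt and must be skipped rather than crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<date>[\d/]+),(?P<time>[\d:]+),(?P<action>[A-Z]+),"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),"
    r"(?P<proto>TCP|UDP)$"
)


def parse_line(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def blocked_hits(log_text, dport=139, proto="TCP"):
    """Count blocked connection attempts to dport/proto, keyed by source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "BLOCK":
            continue
        if rec["dport"] == dport and rec["proto"] == proto:
            hits[rec["src"]] += 1
    return hits


def classify(hits, min_total=5, spread_threshold=0.5):
    """Rough shape of the activity (thresholds are assumptions for this demo).

    'quiet'        : fewer than min_total hits, nothing worth chasing.
    'distributed'  : distinct sources / total hits is high, i.e. many hosts
                     each touching the port a few times, as a worm or
                     botnet sweep looks from one vantage point.
    'concentrated' : a few sources account for most hits, more like one
                     scanner or one noisy neighbour.
    """
    total = sum(hits.values())
    if total < min_total:
        return "quiet"
    spread = len(hits) / total
    return "distributed" if spread >= spread_threshold else "concentrated"


def report(log_text, dport=139):
    """Summary a reader of the firewall log actually wants to see."""
    hits = blocked_hits(log_text, dport)
    return {
        "total": sum(hits.values()),
        "distinct_sources": len(hits),
        "top_talkers": hits.most_common(3),
        "verdict": classify(hits),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample above the verdict is "distributed": eight blocked TCP/139 attempts from six different sources, none of them repeating more than twice, which is the pattern one expects from a sweep rather than a single scanner. Running the same script against the real log, and grouping sources by /24 or by AS if the count is large, is the quickest way to test the botnet hunch before reaching for packet captures.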

Brace yourself, there's more to this than meets the (firewall's) eye.


