Is anyone else seeing lots of packets being thrown at port 139?
We're getting 5 or 6 packets a sec, mostly from 80.0.0.0/8 (and all TCP
SYNs).
We get loads all the time.
Do you mean it's abnormally high, or you've only just checked, noticed them
and highlighted it?
Steve
Port 139's the NetBIOS port.
Is the source address in NTL's 80.0.0.0/13 allocation? They're
using those IPs for their broadband always on cable modem customers.
So it's either some idiot script kiddies running port scanners themselves
or unfirewalled fools who've had their Windows boxes hacked.
J.
Abnormally high. But then I haven't looked at this for a while, so it may
just be growth in the background scanning rate...
It's coming from multiple sources too.
(goes and plays with cut, sort and uniq)
Oh, fewer sources than I thought:
Most seem to be dial-in or *DSL.
Oh well, back to the usual NANOG flame wars.
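
The cut/sort/uniq tally mentioned in the thread, as an added example that is not part of any poster's message: it counts bare TCP SYNs to port 139 per source address and per /16. The iptables-style log format, the function names and the sample addresses (documentation ranges) are assumptions; the thread does not say what produced the original logs.

```shell
#!/bin/sh
LC_ALL=C; export LC_ALL   # stable sort order

# Constructed sample input (not data from the thread).
sample_log() {
cat <<'EOF'
Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TTL=113 PROTO=TCP SPT=3201 DPT=139 WINDOW=8192 SYN URGP=0
Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 LEN=48 TTL=113 PROTO=TCP SPT=3202 DPT=139 WINDOW=8192 SYN URGP=0
Jan 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=48 TTL=110 PROTO=TCP SPT=1044 DPT=139 WINDOW=8192 SYN URGP=0
Jan 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 TTL=50 PROTO=TCP SPT=4000 DPT=139 WINDOW=16384 SYN URGP=0
Jan 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 TTL=50 PROTO=TCP SPT=4001 DPT=80 WINDOW=16384 SYN URGP=0
Jan 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=48 TTL=60 PROTO=TCP SPT=139 DPT=139 WINDOW=8192 ACK SYN URGP=0
Jan 10 12:00:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TTL=113 PROTO=TCP SPT=3203 DPT=1390 WINDOW=8192 SYN URGP=0
Jan 10 12:00:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=78 TTL=113 PROTO=UDP SPT=137 DPT=139 LEN=58
EOF
}

# Read log lines on stdin; print the source of each bare TCP SYN to 139.
# The trailing space in 'DPT=139 ' keeps ports such as 1390 out, and
# dropping lines with ACK removes SYN-ACK replies.
syn139_sources() {
    grep 'PROTO=TCP' | grep 'DPT=139 ' | grep ' SYN ' | grep -v ' ACK ' |
        sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p'
}

# "count address", busiest source first.
top_sources() {
    syn139_sources | sort | uniq -c | awk '{print $1, $2}' |
        sort -k1,1nr -k2,2
}

# "count prefix" grouped by the first two octets, to show whether the
# traffic clusters in a few provider allocations.
top_prefixes() {
    syn139_sources | cut -d. -f1-2 | sort | uniq -c |
        awk '{print $1, $2 ".0.0/16"}' | sort -k1,1nr -k2,2
}

sample_log | top_sources
sample_log | top_prefixes
```
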