port 139 scans?

Is anyone else seing lots of packets being thrown at port 139?

We're getting 5 or 6 packets a sec, mostly from (and all tcp

we get loads all the time

do you mean its abnormally high or you've only just checked, noticed them
and highlighted it?


Port 139's the netbios port.

Is the source address in NTL's allocation? They're
using those IPs for their broadband always on cable modem customers.

So it's either some idiot script kiddies running port scanners themselves
or unfirewalled fools who've had their Windows boxes hacked.


abnormally high. But then i havn't looked at this for a while, so it may
just be growth in the background scanning rate...

It's coming from multiple sources too.

(goes and plays with cut, sort and uniq)

Oh, fewer sources than i thought:

most seem to be dialin or *dsl

oh well, back to the usual nanog flame wars :wink: