The SANS Internet Storm Center is reporting a large increase in port 139 scans. Not much information on the spike yet.
<http://isc.sans.org/diary.php?storyid=1654>

On 8/30/06 10:08 AM, "Geo." <[EMAIL PROTECTED]> wrote:

> Has anyone seen a writeup on this new NT4 worm that's spreading via port 139
> MS06-040 yet? I'm seeing customers getting hit by it but I haven't seen any
> real mention of it anywhere yet. It appears to run two CMD.EXE hidden
> windows and sucks up all the cpu in the infected systems trying to spread.
> I've also seen one customer who found csrsc.exe on the machine after the
> worm hit them.
>
> I did manage to find out once it exploits a machine it uses ftp.exe to
> connect back to the infecting host and transfer something but I've not had
> time to really dig into this thing. Hoping someone else has already. Looks
> like it's spreading pretty quick
>
> http://isc.incidents.org/port_details.php?port=139&repax=1&tarax=2&srcax=2&percent=N&days=40
>
> Geo.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==================================================

Penn Information Security RSS feed
http://www.upenn.edu/computing/security/rss/rssfeed.xml
Add link to your favorite RSS reader
