
SANS ISC InfoSec Handlers Diary Blog



What's up on Port 139?

Published: 2006-08-30
Last Updated: 2006-08-30 22:09:10 UTC
by Lorna Hutcheson (Version: 1)
It seems that we are experiencing a nice upswing on port 139.

port graph

The data for Sources, Targets and Reports shows all three are on the rise. There are several possible explanations for this. For starters, Microsoft released a patch for MS06-040, which was already being exploited in the wild (see the August patch status table for more details). There are also two worms that have been given a CME identifier that take advantage of MS06-040. However, both of these worms were given a CME number on August 14, so they have been around for a while, and this upswing just started over the past couple of days. With that in mind, be sure that you are blocking ports 139 and 445 if you can.

And if by chance you encounter anything interesting, such as the malware or a packet dump of the exploit, please let us know.