Odd Port 135 Probes?

 
 
Chuck
      01-22-2004
In the past week or so, I have noted a fair amount of probes against my tcp port 135 (OK, what else is new?). But
there's an intriguing pattern here.

Each address probing me sends only 2 probes / day, probe #2 following probe #1 by almost exactly 10 minutes. Another
two probes sometime the following day, but not exactly 24 hours later.

Anybody else see anything like this? Is this a known worm behaviour?

A sample of my firewall log (my apologies for not being able to get my newsreader to use fixed pitch font properly):

2004/01/21 09:56:27.30 I tcp 172.136.185.87 ac88b957.ipt.aol.com 2324 nnn.nnn.nnn.nnn 135
2004/01/21 10:25:14.07 I tcp 81.193.44.21 adslsapo-b4-44-21.telepac.pt 1851 nnn.nnn.nnn.nnn 135
2004/01/21 10:26:05.59 I tcp 209.202.112.247 m112-247.on.tac.net 4696 nnn.nnn.nnn.nnn 135
2004/01/21 10:35:11.36 I tcp 81.193.44.21 adslsapo-b4-44-21.telepac.pt 1851 nnn.nnn.nnn.nnn 135
2004/01/21 10:36:01.34 I tcp 209.202.112.247 m112-247.on.tac.net 4696 nnn.nnn.nnn.nnn 135
2004/01/21 10:55:13.24 I tcp 209.204.150.123 d123.nas1.seb.sonic.net 1052 nnn.nnn.nnn.nnn 135
2004/01/21 11:00:03.48 I tcp 217.2.102.78 pd902664e.dip.t-dialin.net 4494 nnn.nnn.nnn.nnn 135
2004/01/21 11:05:11.21 I tcp 209.204.150.123 d123.nas1.seb.sonic.net 1052 nnn.nnn.nnn.nnn 135
2004/01/21 11:10:01.14 I tcp 217.2.102.78 pd902664e.dip.t-dialin.net 4494 nnn.nnn.nnn.nnn 135
2004/01/21 11:12:04.68 I tcp 65.37.49.157 4500 nnn.nnn.nnn.nnn 135
2004/01/21 11:16:06.26 I tcp 209.202.94.222 3984 nnn.nnn.nnn.nnn 135
2004/01/21 11:19:54.70 I tcp 212.129.211.29 asd-slov-531d.adsl.wanadoo.nl 3295 nnn.nnn.nnn.nnn 135
2004/01/21 11:22:00.36 I tcp 65.37.49.157 4500 nnn.nnn.nnn.nnn 135
2004/01/21 11:24:32.52 I tcp 209.195.187.163 2.tree5.xdsl.nauticom.net 3174 nnn.nnn.nnn.nnn 135
2004/01/21 11:26:00.29 I tcp 209.202.94.222 3984 nnn.nnn.nnn.nnn 135
2004/01/21 11:29:50.23 I tcp 212.129.211.29 asd-slov-531d.adsl.wanadoo.nl 3295 nnn.nnn.nnn.nnn 135
2004/01/21 11:34:30.15 I tcp 209.195.187.163 2.tree5.xdsl.nauticom.net 3174 nnn.nnn.nnn.nnn 135
2004/01/21 11:53:03.53 I tcp 80.50.135.169 vp169.neoplus.adsl.tpnet.pl 3659 nnn.nnn.nnn.nnn 135
2004/01/21 12:21:46.29 I tcp 68.137.32.228 4569 nnn.nnn.nnn.nnn 135
2004/01/21 12:27:32.52 I tcp 217.210.109.25 h25n2fls32o1104.telia.com 4574 nnn.nnn.nnn.nnn 135
2004/01/21 12:31:28.71 I tcp 141.151.95.160 3940 nnn.nnn.nnn.nnn 135
2004/01/21 12:31:39.48 I tcp 68.137.32.228 4569 nnn.nnn.nnn.nnn 135
2004/01/21 12:37:13.20 I tcp 4.33.44.249 1207 nnn.nnn.nnn.nnn 135
2004/01/21 12:37:29.36 I tcp 217.210.109.25 h25n2fls32o1104.telia.com 4574 nnn.nnn.nnn.nnn 135
2004/01/21 12:41:29.32 I tcp 141.151.95.160 3940 nnn.nnn.nnn.nnn 135
2004/01/21 12:47:00.86 I tcp 212.179.214.218 bzq-214-218.red.bezeqint.net 4391 nnn.nnn.nnn.nnn 135
2004/01/21 12:47:09.23 I tcp 4.33.44.249 1207 nnn.nnn.nnn.nnn 135
2004/01/21 12:56:59.52 I tcp 212.179.214.218 bzq-214-218.red.bezeqint.net 4391 nnn.nnn.nnn.nnn 135
2004/01/21 12:59:45.59 I tcp 172.169.223.41 1991 nnn.nnn.nnn.nnn 135
2004/01/21 13:09:39.29 I tcp 172.169.223.41 1991 nnn.nnn.nnn.nnn 135
2004/01/21 13:21:10.22 I tcp 12.64.84.71 slip-12-64-84-71.mis.prserv.net 4238 nnn.nnn.nnn.nnn 135
2004/01/21 13:26:35.88 I tcp 209.192.105.145 1907 nnn.nnn.nnn.nnn 135
2004/01/21 13:31:08.88 I tcp 12.64.84.71 slip-12-64-84-71.mis.prserv.net 4238 nnn.nnn.nnn.nnn 135
2004/01/21 13:36:28.80 I tcp 209.192.105.145 1907 nnn.nnn.nnn.nnn 135
2004/01/21 13:54:51.12 I tcp 81.212.45.199 4138 nnn.nnn.nnn.nnn 135
 
NeoSadist
      01-22-2004
Chuck wrote:

> In the past week or so, I have noted a fair amount of probes against my
> tcp port 135 (OK, what else is new?). But there's an intriguing pattern
> here.
>
> Each address probing me sends only 2 probes / day, probe #2 following
> probe #1 by almost exactly 10 minutes. Another two probes sometime the
> following day, but not exactly 24 hours later.
>
> Anybody else see anything like this? Is this a known worm behaviour?
>


I believe it's a worm behavior.
However, IPs from the internet should have NO reason to be connecting on
135-139 and 445 ports -- these are for file sharing between Windows
machines, i.e. NetBIOS / Samba (SMB).

--
All power corrupts, but we need electricity.
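
The pairing described in the first post (the same address probing port 135 twice, about 10 minutes apart) can be pulled out of a log in that layout with a short script. This is an added example, not part of the original thread; the sample lines are constructed, and the function names and the 30-second tolerance are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the thread's log layout (documentation-range addresses,
# hypothetical host name); the reverse-DNS column is optional, as in the post.
SAMPLE_LOG = """\
2004/01/21 10:25:14.07 I tcp 192.0.2.21 host21.example.net 1851 nnn.nnn.nnn.nnn 135
2004/01/21 10:26:05.59 I tcp 198.51.100.247 4696 nnn.nnn.nnn.nnn 135
2004/01/21 10:35:11.36 I tcp 192.0.2.21 host21.example.net 1851 nnn.nnn.nnn.nnn 135
2004/01/21 10:36:01.34 I tcp 198.51.100.247 4696 nnn.nnn.nnn.nnn 135
2004/01/21 11:00:03.48 I tcp 203.0.113.78 4494 nnn.nnn.nnn.nnn 135
2004/01/21 11:00:06.48 I tcp 203.0.113.78 4494 nnn.nnn.nnn.nnn 135
2004/01/21 11:53:03.53 I tcp 203.0.113.169 3659 nnn.nnn.nnn.nnn 135
2004/01/21 12:00:00.00 I tcp 192.0.2.99 2000 nnn.nnn.nnn.nnn 445
2004/01/21 12:10:00.00 I tcp 192.0.2.99 2000 nnn.nnn.nnn.nnn 445
truncated line
"""

def parse_line(line):
    """Return (timestamp, src_ip, src_port, dst_port), or None if malformed."""
    f = line.split()
    if len(f) not in (8, 9):  # 9 fields when the reverse-DNS name is present
        return None
    try:
        ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y/%m/%d %H:%M:%S.%f")
        return ts, f[4], int(f[-3]), int(f[-1])
    except ValueError:
        return None

def paired_probes(log_text, dst_port=135, gap=timedelta(minutes=10),
                  tolerance=timedelta(seconds=30)):  # tolerance is an assumed value
    """Find consecutive probes from one source spaced gap +/- tolerance apart."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == dst_port:
            by_src[rec[1]].append(rec)
    hits = []
    for src, recs in by_src.items():
        recs.sort()
        for (t1, _, p1, _), (t2, _, p2, _) in zip(recs, recs[1:]):
            if abs((t2 - t1) - gap) <= tolerance:
                # (source, first probe, spacing, same source port reused?)
                hits.append((src, t1, t2 - t1, p1 == p2))
    return sorted(hits, key=lambda h: h[1])

if __name__ == "__main__":
    for src, first, spacing, same_port in paired_probes(SAMPLE_LOG):
        print(src, first, spacing, "same-sport" if same_port else "new-sport")
```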

 