#1

In the past week or so, I have noted a fair amount of probes against my tcp port 135 (OK, what else is new?). But there's an intriguing pattern here.

Each address probing me sends only 2 probes / day, probe #2 following probe #1 by almost exactly 10 minutes. Another two probes sometime the following day, but not exactly 24 hours later.

Anybody else see anything like this? Is this a known worm behaviour?

A sample of my firewall log (my apologies for not being able to get my newsreader to use fixed pitch font properly):

    2004/01/21 09:56:27.30 I tcp 172.136.185.87 ac88b957.ipt.aol.com 2324 nnn.nnn.nnn.nnn 135
    2004/01/21 10:25:14.07 I tcp 81.193.44.21 adslsapo-b4-44-21.telepac.pt 1851 nnn.nnn.nnn.nnn 135
    2004/01/21 10:26:05.59 I tcp 209.202.112.247 m112-247.on.tac.net 4696 nnn.nnn.nnn.nnn 135
    2004/01/21 10:35:11.36 I tcp 81.193.44.21 adslsapo-b4-44-21.telepac.pt 1851 nnn.nnn.nnn.nnn 135
    2004/01/21 10:36:01.34 I tcp 209.202.112.247 m112-247.on.tac.net 4696 nnn.nnn.nnn.nnn 135
    2004/01/21 10:55:13.24 I tcp 209.204.150.123 d123.nas1.seb.sonic.net 1052 nnn.nnn.nnn.nnn 135
    2004/01/21 11:00:03.48 I tcp 217.2.102.78 pd902664e.dip.t-dialin.net 4494 nnn.nnn.nnn.nnn 135
    2004/01/21 11:05:11.21 I tcp 209.204.150.123 d123.nas1.seb.sonic.net 1052 nnn.nnn.nnn.nnn 135
    2004/01/21 11:10:01.14 I tcp 217.2.102.78 pd902664e.dip.t-dialin.net 4494 nnn.nnn.nnn.nnn 135
    2004/01/21 11:12:04.68 I tcp 65.37.49.157 4500 nnn.nnn.nnn.nnn 135
    2004/01/21 11:16:06.26 I tcp 209.202.94.222 3984 nnn.nnn.nnn.nnn 135
    2004/01/21 11:19:54.70 I tcp 212.129.211.29 asd-slov-531d.adsl.wanadoo.nl 3295 nnn.nnn.nnn.nnn 135
    2004/01/21 11:22:00.36 I tcp 65.37.49.157 4500 nnn.nnn.nnn.nnn 135
    2004/01/21 11:24:32.52 I tcp 209.195.187.163 2.tree5.xdsl.nauticom.net 3174 nnn.nnn.nnn.nnn 135
    2004/01/21 11:26:00.29 I tcp 209.202.94.222 3984 nnn.nnn.nnn.nnn 135
    2004/01/21 11:29:50.23 I tcp 212.129.211.29 asd-slov-531d.adsl.wanadoo.nl 3295 nnn.nnn.nnn.nnn 135
    2004/01/21 11:34:30.15 I tcp 209.195.187.163 2.tree5.xdsl.nauticom.net 3174 nnn.nnn.nnn.nnn 135
    2004/01/21 11:53:03.53 I tcp 80.50.135.169 vp169.neoplus.adsl.tpnet.pl 3659 nnn.nnn.nnn.nnn 135
    2004/01/21 12:21:46.29 I tcp 68.137.32.228 4569 nnn.nnn.nnn.nnn 135
    2004/01/21 12:27:32.52 I tcp 217.210.109.25 h25n2fls32o1104.telia.com 4574 nnn.nnn.nnn.nnn 135
    2004/01/21 12:31:28.71 I tcp 141.151.95.160 3940 nnn.nnn.nnn.nnn 135
    2004/01/21 12:31:39.48 I tcp 68.137.32.228 4569 nnn.nnn.nnn.nnn 135
    2004/01/21 12:37:13.20 I tcp 4.33.44.249 1207 nnn.nnn.nnn.nnn 135
    2004/01/21 12:37:29.36 I tcp 217.210.109.25 h25n2fls32o1104.telia.com 4574 nnn.nnn.nnn.nnn 135
    2004/01/21 12:41:29.32 I tcp 141.151.95.160 3940 nnn.nnn.nnn.nnn 135
    2004/01/21 12:47:00.86 I tcp 212.179.214.218 bzq-214-218.red.bezeqint.net 4391 nnn.nnn.nnn.nnn 135
    2004/01/21 12:47:09.23 I tcp 4.33.44.249 1207 nnn.nnn.nnn.nnn 135
    2004/01/21 12:56:59.52 I tcp 212.179.214.218 bzq-214-218.red.bezeqint.net 4391 nnn.nnn.nnn.nnn 135
    2004/01/21 12:59:45.59 I tcp 172.169.223.41 1991 nnn.nnn.nnn.nnn 135
    2004/01/21 13:09:39.29 I tcp 172.169.223.41 1991 nnn.nnn.nnn.nnn 135
    2004/01/21 13:21:10.22 I tcp 12.64.84.71 slip-12-64-84-71.mis.prserv.net 4238 nnn.nnn.nnn.nnn 135
    2004/01/21 13:26:35.88 I tcp 209.192.105.145 1907 nnn.nnn.nnn.nnn 135
    2004/01/21 13:31:08.88 I tcp 12.64.84.71 slip-12-64-84-71.mis.prserv.net 4238 nnn.nnn.nnn.nnn 135
    2004/01/21 13:36:28.80 I tcp 209.192.105.145 1907 nnn.nnn.nnn.nnn 135
    2004/01/21 13:54:51.12 I tcp 81.212.45.199 4138 nnn.nnn.nnn.nnn 135

Chuck
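The pairing Chuck describes is easy to confirm mechanically rather than by eye. The script below is an added example, not part of the original post: it parses lines in the same layout as the log above (timestamp, direction flag, protocol, source IP, optional reverse-DNS name, source port, destination IP, destination port), groups them by source address, and reports consecutive probes from one source that arrive about ten minutes apart. It also records whether both probes reuse the same source port, which every pair in the posted log does. The sample lines are copied from the log above; the ten-minute window, the sixty-second tolerance and the field names are assumptions chosen for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A handful of lines taken from the firewall log posted above (one source
# without a reverse-DNS name, one source that probes only once).
SAMPLE_LOG = """\
2004/01/21 10:25:14.07 I tcp 81.193.44.21 adslsapo-b4-44-21.telepac.pt 1851 nnn.nnn.nnn.nnn 135
2004/01/21 10:26:05.59 I tcp 209.202.112.247 m112-247.on.tac.net 4696 nnn.nnn.nnn.nnn 135
2004/01/21 10:35:11.36 I tcp 81.193.44.21 adslsapo-b4-44-21.telepac.pt 1851 nnn.nnn.nnn.nnn 135
2004/01/21 10:36:01.34 I tcp 209.202.112.247 m112-247.on.tac.net 4696 nnn.nnn.nnn.nnn 135
2004/01/21 11:12:04.68 I tcp 65.37.49.157 4500 nnn.nnn.nnn.nnn 135
2004/01/21 11:22:00.36 I tcp 65.37.49.157 4500 nnn.nnn.nnn.nnn 135
2004/01/21 11:53:03.53 I tcp 80.50.135.169 vp169.neoplus.adsl.tpnet.pl 3659 nnn.nnn.nnn.nnn 135
"""

# Field layout assumed from the posted log: the reverse-DNS name is optional,
# so the regex has to backtrack when the token after the source IP is a port.
LOG_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) "   # timestamp
    r"(\S) (\w+) "                                      # direction flag, protocol
    r"(\d+\.\d+\.\d+\.\d+)"                             # source IP
    r"(?: (\S+))?"                                      # optional hostname
    r" (\d+) (\S+) (\d+)$"                              # sport, dst, dport
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, direction, proto, src, host, sport, dst, dport = m.groups()
    return {
        "time": datetime.strptime(ts, "%Y/%m/%d %H:%M:%S.%f"),
        "direction": direction,
        "proto": proto,
        "src": src,
        "host": host,
        "sport": int(sport),
        "dst": dst,
        "dport": int(dport),
    }


def find_probe_pairs(log_text, dport=135,
                     expected_gap=timedelta(minutes=10),
                     tolerance=timedelta(seconds=60)):
    """Find consecutive probes from one source spaced about expected_gap apart.

    Only inbound TCP records to `dport` are considered.  Returns a list of
    dicts ordered by the time of the first probe in each pair.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == dport:
            by_src[rec["src"]].append(rec)

    pairs = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["time"])
        for first, second in zip(recs, recs[1:]):
            gap = second["time"] - first["time"]
            if abs(gap - expected_gap) <= tolerance:
                pairs.append({
                    "src": src,
                    "host": first["host"],
                    "first": first["time"],
                    "second": second["time"],
                    "gap_seconds": round(gap.total_seconds(), 2),
                    # The posted log shows the same source port on both probes;
                    # a fresh connect() would normally pick a new ephemeral port.
                    "same_sport": first["sport"] == second["sport"],
                })
    pairs.sort(key=lambda p: p["first"])
    return pairs


if __name__ == "__main__":
    for p in find_probe_pairs(SAMPLE_LOG):
        print(f"{p['src']:16} {p['first']:%H:%M:%S} -> {p['second']:%H:%M:%S}"
              f"  gap={p['gap_seconds']}s  same source port={p['same_sport']}")
```

Run against a full day of the firewall log, the script lists one line per paired source; sources that appear only once, like 80.50.135.169 in the sample, are left out. Widening `tolerance` or changing `expected_gap` lets you test whether the ten-minute spacing is really as tight as it looks, and the `same_sport` flag separates a retry from the same socket from a genuinely new connection attempt.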

#2

Chuck wrote:
> In the past week or so, I have noted a fair amount of probes against my
> tcp port 135 (OK, what else is new?). But there's an intriguing pattern
> here.
>
> Each address probing me sends only 2 probes / day, probe #2 following
> probe #1 by almost exactly 10 minutes. Another two probes sometime the
> following day, but not exactly 24 hours later.
>
> Anybody else see anything like this? Is this a known worm behaviour?

I believe it's a worm behavior. However, IPs from the internet should have NO reason to be connecting on 135-139 and 445 ports -- these are for file sharing between Windows machines, i.e. NetBIOS / Samba (SMB).

--
All power corrupts, but we need electricity.