Odd Port 135 Probes?

Discussion in 'Computer Security' started by Chuck, Jan 22, 2004.

  1. Chuck

    Chuck Guest

    In the past week or so, I have noted a fair amount of probes against my tcp port 135 (OK, what else is new?). But
    there's an intriguing pattern here.

    Each address probing me sends only 2 probes / day, probe #2 following probe #1 by almost exactly 10 minutes. Another
    two probes sometime the following day, but not exactly 24 hours later.

    Anybody else see anything like this? Is this a known worm behaviour?

    A sample of my firewall log (my apologies for not being able to get my newsreader to use fixed pitch font properly):

    2004/01/21 09:56:27.30 I tcp 172.136.185.87 ac88b957.ipt.aol.com 2324 nnn.nnn.nnn.nnn 135
    2004/01/21 10:25:14.07 I tcp 81.193.44.21 adslsapo-b4-44-21.telepac.pt 1851 nnn.nnn.nnn.nnn 135
    2004/01/21 10:26:05.59 I tcp 209.202.112.247 m112-247.on.tac.net 4696 nnn.nnn.nnn.nnn 135
    2004/01/21 10:35:11.36 I tcp 81.193.44.21 adslsapo-b4-44-21.telepac.pt 1851 nnn.nnn.nnn.nnn 135
    2004/01/21 10:36:01.34 I tcp 209.202.112.247 m112-247.on.tac.net 4696 nnn.nnn.nnn.nnn 135
    2004/01/21 10:55:13.24 I tcp 209.204.150.123 d123.nas1.seb.sonic.net 1052 nnn.nnn.nnn.nnn 135
    2004/01/21 11:00:03.48 I tcp 217.2.102.78 pd902664e.dip.t-dialin.net 4494 nnn.nnn.nnn.nnn 135
    2004/01/21 11:05:11.21 I tcp 209.204.150.123 d123.nas1.seb.sonic.net 1052 nnn.nnn.nnn.nnn 135
    2004/01/21 11:10:01.14 I tcp 217.2.102.78 pd902664e.dip.t-dialin.net 4494 nnn.nnn.nnn.nnn 135
    2004/01/21 11:12:04.68 I tcp 65.37.49.157 4500 nnn.nnn.nnn.nnn 135
    2004/01/21 11:16:06.26 I tcp 209.202.94.222 3984 nnn.nnn.nnn.nnn 135
    2004/01/21 11:19:54.70 I tcp 212.129.211.29 asd-slov-531d.adsl.wanadoo.nl 3295 nnn.nnn.nnn.nnn 135
    2004/01/21 11:22:00.36 I tcp 65.37.49.157 4500 nnn.nnn.nnn.nnn 135
    2004/01/21 11:24:32.52 I tcp 209.195.187.163 2.tree5.xdsl.nauticom.net 3174 nnn.nnn.nnn.nnn 135
    2004/01/21 11:26:00.29 I tcp 209.202.94.222 3984 nnn.nnn.nnn.nnn 135
    2004/01/21 11:29:50.23 I tcp 212.129.211.29 asd-slov-531d.adsl.wanadoo.nl 3295 nnn.nnn.nnn.nnn 135
    2004/01/21 11:34:30.15 I tcp 209.195.187.163 2.tree5.xdsl.nauticom.net 3174 nnn.nnn.nnn.nnn 135
    2004/01/21 11:53:03.53 I tcp 80.50.135.169 vp169.neoplus.adsl.tpnet.pl 3659 nnn.nnn.nnn.nnn 135
    2004/01/21 12:21:46.29 I tcp 68.137.32.228 4569 nnn.nnn.nnn.nnn 135
    2004/01/21 12:27:32.52 I tcp 217.210.109.25 h25n2fls32o1104.telia.com 4574 nnn.nnn.nnn.nnn 135
    2004/01/21 12:31:28.71 I tcp 141.151.95.160 3940 nnn.nnn.nnn.nnn 135
    2004/01/21 12:31:39.48 I tcp 68.137.32.228 4569 nnn.nnn.nnn.nnn 135
    2004/01/21 12:37:13.20 I tcp 4.33.44.249 1207 nnn.nnn.nnn.nnn 135
    2004/01/21 12:37:29.36 I tcp 217.210.109.25 h25n2fls32o1104.telia.com 4574 nnn.nnn.nnn.nnn 135
    2004/01/21 12:41:29.32 I tcp 141.151.95.160 3940 nnn.nnn.nnn.nnn 135
    2004/01/21 12:47:00.86 I tcp 212.179.214.218 bzq-214-218.red.bezeqint.net 4391 nnn.nnn.nnn.nnn 135
    2004/01/21 12:47:09.23 I tcp 4.33.44.249 1207 nnn.nnn.nnn.nnn 135
    2004/01/21 12:56:59.52 I tcp 212.179.214.218 bzq-214-218.red.bezeqint.net 4391 nnn.nnn.nnn.nnn 135
    2004/01/21 12:59:45.59 I tcp 172.169.223.41 1991 nnn.nnn.nnn.nnn 135
    2004/01/21 13:09:39.29 I tcp 172.169.223.41 1991 nnn.nnn.nnn.nnn 135
    2004/01/21 13:21:10.22 I tcp 12.64.84.71 slip-12-64-84-71.mis.prserv.net 4238 nnn.nnn.nnn.nnn 135
    2004/01/21 13:26:35.88 I tcp 209.192.105.145 1907 nnn.nnn.nnn.nnn 135
    2004/01/21 13:31:08.88 I tcp 12.64.84.71 slip-12-64-84-71.mis.prserv.net 4238 nnn.nnn.nnn.nnn 135
    2004/01/21 13:36:28.80 I tcp 209.192.105.145 1907 nnn.nnn.nnn.nnn 135
    2004/01/21 13:54:51.12 I tcp 81.212.45.199 4138 nnn.nnn.nnn.nnn 135
    Chuck, Jan 22, 2004
    #1
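Added example, not part of the original post: a short script that checks a firewall log in the format above for the pattern Chuck describes, where the same source repeats a port 135 probe about 10 minutes later. The sample lines are copied from the log in the post; the function names, the 15-second tolerance, and the grouping on source IP plus source port are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample lines copied from the firewall log in the post above.
SAMPLE_LOG = """\
2004/01/21 10:25:14.07 I tcp 81.193.44.21 adslsapo-b4-44-21.telepac.pt 1851 nnn.nnn.nnn.nnn 135
2004/01/21 10:26:05.59 I tcp 209.202.112.247 m112-247.on.tac.net 4696 nnn.nnn.nnn.nnn 135
2004/01/21 10:35:11.36 I tcp 81.193.44.21 adslsapo-b4-44-21.telepac.pt 1851 nnn.nnn.nnn.nnn 135
2004/01/21 10:36:01.34 I tcp 209.202.112.247 m112-247.on.tac.net 4696 nnn.nnn.nnn.nnn 135
2004/01/21 11:12:04.68 I tcp 65.37.49.157 4500 nnn.nnn.nnn.nnn 135
2004/01/21 11:22:00.36 I tcp 65.37.49.157 4500 nnn.nnn.nnn.nnn 135
2004/01/21 11:53:03.53 I tcp 80.50.135.169 vp169.neoplus.adsl.tpnet.pl 3659 nnn.nnn.nnn.nnn 135
"""

# Fields: date time direction proto src_ip [reverse-DNS name] src_port dst dst_port
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) \S+ \S+ "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?:\S+ )?(?P<sport>\d+) "
    r"\S+ (?P<dport>\d+)$"
)

def parse(log_text):
    """Return (timestamp, src_ip, src_port, dst_port) for each recognised line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f")
        hits.append((ts, m["src"], int(m["sport"]), int(m["dport"])))
    return hits

def paired_probes(hits, dport=135, interval=600.0, tolerance=15.0):
    """Map src_ip -> gap in seconds for sources that repeat a probe ~interval later."""
    by_flow = defaultdict(list)
    for ts, src, sport, dp in hits:
        if dp == dport:
            by_flow[(src, sport)].append(ts)  # the log shows the same source port reused
    pairs = {}
    for (src, _sport), times in by_flow.items():
        times.sort()
        for first, second in zip(times, times[1:]):
            gap = (second - first).total_seconds()
            if abs(gap - interval) <= tolerance:
                pairs[src] = round(gap, 2)
    return pairs

if __name__ == "__main__":
    for src, gap in paired_probes(parse(SAMPLE_LOG)).items():
        print(f"{src}: second probe after {gap} s")
```
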

  2. Chuck

    NeoSadist Guest

    Chuck wrote:

    > In the past week or so, I have noted a fair amount of probes against my
    > tcp port 135 (OK, what else is new?). But there's an intriguing pattern
    > here.
    >
    > Each address probing me sends only 2 probes / day, probe #2 following
    > probe #1 by almost exactly 10 minutes. Another two probes sometime the
    > following day, but not exactly 24 hours later.
    >
    > Anybody else see anything like this? Is this a known worm behaviour?
    >


    I believe it's a worm behavior.
    However, IPs from the internet should have NO reason to be connecting on
    135-139 and 445 ports -- these are for file sharing between Windows
    machines, i.e. NetBIOS / Samba (SMB).

    --
    All power corrupts, but we need electricity.
    NeoSadist, Jan 22, 2004
    #2