New attack against port 135?

Mike Tancsa mike at sentex.net
Fri Oct 10 17:48:26 UTC 2003



Yes, we saw this yesterday and posted to full-disclosure. Here is a sample 
packet.

13:43:38.511675 xx:xx:xx:xx:xx:xx xx:xx:xx:xx:xx:xx 0800 62: 
64.7.nn.yy.3512 > 16.181.zz.aa.135: S [tcp sum ok] 3772716186:3772716186(0) 
win 65340 <mss 1452,nop,nop,sackOK> (DF) (ttl 127, id 63248, len 48)
0x0000   4500 0030 f710 4000 7f06 e5d6 4007 975b        E..0..@.....@..[
0x0010   10b5 36c9 0db8 0087 e0df 149a 0000 0000        ..6.............
0x0020   7002 ff3c 6151 0000 0204 05ac 0101 0402        p..<aQ..........

         ---Mike


At 01:26 PM 10/10/2003, Peter John Hill wrote:

>I am seeing lots of scanning of port 135 on my network. 66 byte long 
>packets. Anyone have a name for this? It is less aggressive than the 
>welchia scans I have seen. Seems to scan at about 3000 or so flows per 5 
>minutes.
>
>Thanks
>Peter Hill
>Network Engineer
>Carnegie Mellon



