[nsp-sec] Report of successful WINS (ms09-039) compromise
Jose Nazario
jose at arbor.net
Mon Aug 17 20:59:09 EDT 2009
On Mon, 17 Aug 2009, Yiming Gong wrote:
> For hosts in the 221.214.82.18x netblock, two of them started to hit my
> darknet a few days ago, and besides dst port 42, host 221.214.82.186 also
> scanned port 45, all used source port 6000 though.

source port 6000 has been seen in the past with the dasher worm. it's a
tool we've seen a few times since then, it's a tool that has been seen as
'sqlscan.exe'. i suspect it's at play here, too.

basically a TCP SYN scanner with a static source port that someone may be
using to inventory WINS servers for future exploits.
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
manager of security research arbor networks
v: (734) 821 1427 http://asert.arbor.net/
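
Added example, not part of the original message: one way to pick the static-source-port SYN pattern described above out of darknet flow records. The record layout, the function names, the `min_targets` threshold and every address are assumptions constructed for illustration; only source port 6000 and destination ports 42 and 45 come from the thread.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits

def find_static_sport_scanners(flows, min_targets=5):
    """Return {src_ip: summary} for sources whose bare-SYN packets all use
    one source port while reaching at least min_targets distinct hosts."""
    seen = defaultdict(lambda: {"sports": set(), "dports": set(), "targets": set()})
    for src, sport, dst, dport, flags in flows:
        if flags & (SYN | ACK) != SYN:  # keep only SYN without ACK
            continue
        rec = seen[src]
        rec["sports"].add(sport)
        rec["dports"].add(dport)
        rec["targets"].add(dst)
    hits = {}
    for src, rec in seen.items():
        # A normal TCP stack picks a fresh ephemeral source port per connection,
        # so one source port across many destinations points to a crafted-packet tool.
        if len(rec["sports"]) == 1 and len(rec["targets"]) >= min_targets:
            hits[src] = {
                "sport": next(iter(rec["sports"])),
                "dports": sorted(rec["dports"]),
                "targets": len(rec["targets"]),
            }
    return hits

def build_sample_flows():
    """Constructed darknet records: (src_ip, src_port, dst_ip, dst_port, tcp_flags)."""
    flows = []
    # Constructed scanner: fixed source port 6000, probing port 42 on 8 darknet hosts
    for i in range(1, 9):
        flows.append(("203.0.113.10", 6000, f"192.0.2.{i}", 42, SYN))
    flows.append(("203.0.113.10", 6000, "192.0.2.1", 45, SYN))
    # Constructed ordinary client: ephemeral source ports differ per connection
    for i in range(1, 9):
        flows.append(("198.51.100.7", 49152 + i, f"192.0.2.{i}", 42, SYN))
    # Constructed SYN/ACK backscatter from port 6000: not a bare SYN, so ignored
    for i in range(1, 9):
        flows.append(("198.51.100.99", 6000, f"192.0.2.{i}", 42, SYN | ACK))
    return flows

if __name__ == "__main__":
    for src, info in find_static_sport_scanners(build_sample_flows()).items():
        print(src, info)
```
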