Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: What's up on Port 139? - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
What's up on Port 139?

It seems that we are experiencing a nice upswing on port 139.

port graph

The data for Sources, Targets and Reports shows all three are on the rise.  There could be several possibilities for this.  For starters, Microsoft released a patch for MS06-040 which was already being exploited in the wild (see the august patch status table for more details). There are also two worms that have been given a CME identifier that take advantage of MS06-040.  However, both of these worms were given a CME number on August 14, so they have been around for a while and this upswing just started over the past couple of days.  With that in mind, be sure that you are blocking port 139 and 445 if you can. 

And if by chance you encounter anything interesting such as the malware or packet dump of the exploit, please let us know.


165 Posts
ISC Handler
Aug 30th 2006

Sign Up for Free or Log In to start participating in the conversation!