Quoth Sunder:
At first I though these were the usual nmap/strobe attacks, but they were just on port 139... so that got me curious enough to try and connect to these boxes. To my surprise they were full blown windows 9x and 2000
machines in homes where the owner had another machine and shared his/her local drives with the world! Anyone from anywhere on the planet could mount their drives. So I was nice enough to leave a note on their desktop informing them of the consequences of their actions.<< Nowadays that could get you busted for pointing out the emperor's nudity. Windows share sniffing, if your transport hasn't blocked 139, is great adventure. There is/was a Windows Sharesniffer GUI which automated this. The tool would look up netblocks by name via ARIN, ping the range of IPs, then try to connect on 139. If possible, it would run (apparently via a "system" command, "explorer /r,\\12.34.56.78" which opens the Windows share browser (aka Windows file explorer)). About half the shares had passwords, half didn't, many printers too. The occasional social security number could be found. The sharesniffer.com app also had the ability to post and download info about shares on usenet newsgroups. Port 80, port 139, whatever. Ports is ports, unless they're sherry.