Firewall Wizards mailing list archives
Re: many attempts to Port 137 (NetBIOS-NameService)
From: "Philip J. Koenig" <pjklist () ekahuna com>
Date: Wed, 23 Feb 2000 01:22:09 -0800
On 18 Feb 00, at 18:34, Chuck O'Donnell boldly uttered:
> On Wed, Feb 16, 2000 at 05:29:16PM -0800, Bill Pennington wrote:
>
>> My guess would be that these are harmless packets getting sent to you by IIS servers and other NT based web reporting tools. Normally they come in groups of 3. IIS and other tools attempt to collect additional info from you when you access an IIS site. They do this via NetBIOS.
>>
>> However I am seeing hundreds of UDP/137 attempts from a single IP address in a very short period of time. I can't figure out why someone would want to do that since I am silently dropping them at the firewall. Must be some new toy the script kiddies have these days.
>>
>> Hope that helps! If anyone has a clue on the UDP/137 flood let me know.
>
> I see the random ones all the time from different IPs, which I agree are normal. The destination address is usually a web server on our network. But I do occasionally (couple times a week or so) see a flood of packets to port 137, and running the length of one of our class C's as the destination address. It would seem like a bulk scan for open NetBIOS services.
>
> Chuck
There is this stupid entity that sweeps through the whole net looking for open NetBIOS/SMB hosts, among other things. A colleague noticed a bunch of scans sweeping over one of his networks back in June, looked up the IP's, and discovered it's related to MP3 and/or other multimedia trading and was supposed to be a "service" for people trying to find where they could get such files. Here's their reply to the complaint. These turkeys may be your culprit:
Date sent: aaa, xx Jun 1999 xx:45:09 -0700 (PDT)
From: Vince Busam <vince () scour net>
To: deleted () deleted TLD
Copies to: abuse () scour net
Subject: Re: Apparent attack from your domain

Hello,

What you noticed was our crawler connecting to your SMB (Windows) shares. I have taken steps to ensure it does not attempt to connect to you again.

Scour.Net is a multimedia search engine that indexes files from three protocols -- HTTP, FTP, and SMB. The connection you saw was one of the SMB crawlers. If you do not have any SMB shares, the crawler will disconnect. If you do have public shares, it will index multimedia files located there.

If you have any further questions, please do not hesitate to contact me.

Sincerely,
Vince Busam

-----------------------------------
Vince Busam
Chief Network Guru, Scour, Inc.
vince () scour net
Nothing like the old "opt out" game:
Remove Host

If you wish for your computer to no longer be a part of Scour.Net you may remove yourself from our search. There is a link at the bottom of this paragraph to do this, but first a couple notes. Please only remove yourself if you really do not want to be part of Scour. Once you remove yourself it usually takes a day or two before your site is completely removed from Scour.Net. This is because of the time it takes to rebuild and refresh a database.

Additionally, our scanners follow the Internet-standard robots.txt robot exclusion standard. Simply place a robots.txt file in the root directory of a share or web server, and our crawlers will follow the instructions therein.

You can put yourself back into the database without contacting us, so go ahead and knock yourself out by clicking on the add/remove links all day!
From the www.scour.net press release page, notice the bigshot:
LOS ANGELES - June 10, 1999 - Michael Ovitz and Richard Wolpert, partner in charge of Internet and technology ventures for The Yucaipa Companies, continue to expand their Internet and entertainment investment portfolio with the news today that they have acquired a controlling interest in Scour.Net, the Web's leading search and digital media guide for audio, video and images on the Net. The announcement further confirms Michael Ovitz and Richard Wolpert's commitment to the Internet and helps expand Scour.Net's rapidly growing broadband entertainment offerings.
Phil
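
Added example (not part of the original message or thread): a small classifier for dropped UDP/137 packets that separates the three patterns described above, namely isolated groups of a few packets to one host, hundreds of packets from one source to one host in a short time, and a sweep running the length of a /24. The log format, thresholds, and documentation-range addresses are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

WINDOW = 60           # seconds per sliding window (assumed threshold)
SWEEP_MIN_DSTS = 32   # distinct targets inside one /24 (assumed threshold)
FLOOD_MIN_PKTS = 100  # packets to a single target (assumed threshold)

def parse(line):
    """Parse 'epoch src dst proto/dport' (constructed log format)."""
    ts, src, dst, svc = line.split()
    proto, dport = svc.split("/")
    return int(ts), src, ipaddress.ip_address(dst), proto, int(dport)

def classify(lines):
    """Return {src: 'sweep' | 'flood' | 'isolated'} for UDP/137 drops."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, proto, dport = parse(line)
        if proto == "udp" and dport == 137:
            by_src[src].append((ts, dst))
    verdicts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        verdict, start = "isolated", 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > WINDOW:  # advance window start
                start += 1
            nets, hits = defaultdict(set), defaultdict(int)
            for _, dst in events[start:end + 1]:
                nets[ipaddress.ip_network(f"{dst}/24", strict=False)].add(dst)
                hits[dst] += 1
            if max(len(d) for d in nets.values()) >= SWEEP_MIN_DSTS:
                verdict = "sweep"   # many hosts of one class C: bulk scan
                break
            if max(hits.values()) >= FLOOD_MIN_PKTS:
                verdict = "flood"   # hundreds of packets at one host
        verdicts[src] = verdict
    return verdicts

def sample_log():
    """Constructed log lines using documentation address ranges."""
    log = [f"{1000 + i} 192.0.2.10 198.51.100.80 udp/137" for i in range(3)]
    log += [f"{2000 + i // 10} 203.0.113.5 198.51.100.{i} udp/137" for i in range(1, 255)]
    log += [f"{3000 + i // 20} 203.0.113.99 198.51.100.80 udp/137" for i in range(150)]
    log.append("3500 192.0.2.10 198.51.100.80 tcp/80")  # ignored: not UDP/137
    return log

if __name__ == "__main__":
    print(classify(sample_log()))
```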