Firewall Wizards mailing list archives

Re: Help w/ Port 137 Traffic


From: Vincent Haverlant <galadril () parinux org>
Date: Tue, 15 Oct 2002 17:23:10 +0200

On Sun Oct 13 17:22:53 2002, Mikael Olsson wrote:
Mikael> 
Mikael> (The horse is dead and starting to decompose, but I stubbornly keep 
Mikael> beating it for some reason I have yet to figure out.)
Mikael> 
Mikael> "Paul D. Robertson" wrote:
Mikael> > 
Mikael> > By "sequence" I meant "Do name lookup, then go enumerate shares."
Mikael> > Depending on what the worm is written with, there could be a
Mikael> > "go_check_for_shares()" that does a name lookup then enumerates the
Mikael> > shares- sequence being a series of events, not a method.
Mikael> 
Mikael> Hence, I'd venture a guess that the port 137 probe is just that: a 
Mikael> probe.  If it gets a response, it hits port 139, where the really
Mikael> juicy stuff is.

Which is exactly what it does (you can run the test by leaving udp 137 open
but blocking tcp 139, and you will soon log many tcp 139 connection
attempts).

Vincent.
-- 
   .~.          Vincent Haverlant  -- Galadril -- #ICQ: 35695155   
   /V\          http://www.haverlant.org/
  /( )\         Parinux (http://www.parinux.org/)
  ^^-^^         MUD -- FranDUMII (http://perso.enst.fr/~frandum/)
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
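The probe-then-connect sequence discussed in this thread is easy to pull out of firewall logs once udp/137 is left open and tcp/139 is dropped, as Vincent suggests. The script below is an added example, not code from the original post or from anyone on the list. It assumes netfilter-style log lines (the ACCEPT/DROP word is an assumed --log-prefix), a fixed year because syslog timestamps carry none, and RFC 5737 documentation addresses in the constructed sample input. It correlates, per source address, a udp/137 name-service probe with any tcp/139 connection attempt that follows within a configurable window, and separately lists sources that only probed.

```python
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample input (not taken from the original post).  Hosts are
# RFC 5737 documentation addresses; ACCEPT/DROP is an assumed --log-prefix.
# The firewall accepts udp/137 but drops tcp/139, which is Vincent's test.
SAMPLE_LOG = """\
Oct 15 17:01:02 fw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct 15 17:01:03 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=1034 DPT=139 SYN
Oct 15 17:01:05 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=1035 DPT=139 SYN
Oct 15 17:02:10 fw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct 15 17:03:30 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=2201 DPT=139 SYN
Oct 15 17:09:00 fw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.5 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct 15 17:20:00 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.5 PROTO=TCP SPT=3301 DPT=139 SYN
"""

# Assumed year: syslog timestamps carry none, so one is supplied here.
LOG_YEAR = 2002

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


class Event(NamedTuple):
    ts: datetime
    src: str
    proto: str
    dpt: int


def parse_line(line: str) -> Optional[Event]:
    """Extract timestamp, source address, protocol and destination port
    from one netfilter-style log line; None if the line is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Event(ts, m["src"], m["proto"].upper(), int(m["dpt"]))


def find_probe_sequences(
    log_text: str, window_seconds: int = 60
) -> Dict[str, Tuple[datetime, List[datetime]]]:
    """Map each source whose udp/137 probe was followed within
    window_seconds by at least one tcp/139 attempt to
    (time_of_first_matched_probe, [times_of_tcp139_attempts])."""
    last_probe: Dict[str, datetime] = {}
    hits: Dict[str, Tuple[datetime, List[datetime]]] = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.proto == "UDP" and ev.dpt == 137:
            # Remember the most recent name-service probe per source.
            last_probe[ev.src] = ev.ts
        elif ev.proto == "TCP" and ev.dpt == 139:
            probe_ts = last_probe.get(ev.src)
            if probe_ts is None:
                continue  # tcp/139 with no earlier probe: not the pattern
            if 0 <= (ev.ts - probe_ts).total_seconds() <= window_seconds:
                hits.setdefault(ev.src, (probe_ts, []))[1].append(ev.ts)
    return hits


def probe_only_sources(log_text: str, window_seconds: int = 60) -> List[str]:
    """Sources that sent a udp/137 probe but no tcp/139 follow-up inside
    the window: either the probe got no answer, or it was a bare scan."""
    probers = {
        ev.src
        for ev in map(parse_line, log_text.splitlines())
        if ev is not None and ev.proto == "UDP" and ev.dpt == 137
    }
    return sorted(probers - set(find_probe_sequences(log_text, window_seconds)))


if __name__ == "__main__":
    for src, (probe_ts, attempts) in find_probe_sequences(SAMPLE_LOG).items():
        print(f"{src}: udp/137 probe at {probe_ts:%H:%M:%S}, "
              f"{len(attempts)} tcp/139 attempt(s) within 60s")
    print("probe only:", probe_only_sources(SAMPLE_LOG))
```

The window matters: with the default 60 seconds only 192.0.2.10 is reported, while 192.0.2.99, whose tcp/139 attempt comes eleven minutes after its probe, only shows up when the window is widened to 900 seconds. A source that hits tcp/139 with no earlier udp/137 probe (203.0.113.7 above) is deliberately not counted as the sequence, which is what distinguishes the probe-then-enumerate behaviour from a plain port-139 scan.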

