Security Incidents mailing list archives

Re: SMB / NetBIOS Connections


From: Richard Johnson <rdump () RIVER COM>
Date: Tue, 1 Aug 2000 23:28:35 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 15:31 -0600 on 07/27/2000, Jonathan R. Dundas wrote:
> We see constant connection attempts to port 137 to existing hosts on our
> subnet, even though the attempts are denied.  Packets claiming to be from
> Private/reserved source addys are a significant portion of them, maybe an
> average of 1 host a day tries to connect from a private addy.  Weird.  I've
> been reading this list for about two months on and off, has this topic
> been discussed before?
>
> Jonathan


Here are some possibilities, and possible explanations:

Your hosts may be soliciting the traffic by connecting outwards for netbios
name resolution on foreign web sites.  Some of the netbios 'scans' we notice
are due to this.

Your hosts may be soliciting the traffic (for some pathological definition of
'solicit') by connecting to web sites or other services (napster, etc.) on
remote machines, which then for some pathological reason attempt to get the
netbios name of their peer, even across a WAN link.

The private net connections are usually coming from alternate interfaces on
Windows boxes.  Those tend to send packets from each of their interfaces to
the same destination (thus doubling up the traffic).  If one of the interfaces
is a PPP dialup to a private net, or perhaps a VPN connection to the same,
you'll see the private source address arriving in tandem with connections from
the actual source address.  Sometimes you'll even see the same
designed-misconfigured box sending from 3 separate IPs.  It's quite sad.

Anymore, as Randy Mclean noticed, the majority of the port 137-port 137
connection attempts are scans by open share worms like
bat-chode-firkin-911-whatever.  If you feel adventurous, run nbaudit/nat
against the offensive worm-infected box, or use nmbclient/smbclient from samba
to manually try out the open shares.

Depending on your policy and user community, you might even want to go so far
as to shun the IPs that are generating the bogus netbios traffic.  They're
broken (by my definition), and very likely up to no good anyway.


Richard

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2
Comment: www.europarl.eu.int/dg4/stoa/en/publi/166499/execsum.htm

iQA/AwUBOYexX2KSuJuuNAZUEQIdNwCgvA+zUmsGeVixJrHVtkjK1m5JGfMAoLjD
F173uXsS4eCuLEg0e2iHCMGf
=qW9e
-----END PGP SIGNATURE-----
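The triage Richard describes (count the denied NetBIOS attempts, separate the ones claiming an RFC1918 source, and look for the "tandem" pattern where a private source and a public source hit the same destination at the same moment, which points at a multi-homed Windows box rather than deliberate spoofing) can be scripted against firewall logs. The following is an added example, not code from the original thread or its participants. The deny-line format is a hypothetical ipfw-style layout, the sample lines are constructed, and the addresses are documentation ranges (192.0.2.0/24 standing in for the local subnet); the two-second pairing window is an assumption.

```python
"""Triage of denied NetBIOS traffic in firewall logs (added example, not from the post)."""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample deny lines in a hypothetical ipfw-like format:
# month day time host action proto src:port dst:port in via iface
# Destinations in 192.0.2.0/24 stand in for the local subnet; nothing here is a real host.
SAMPLE_LOG = """\
Aug  1 22:01:03 fw Deny UDP 10.0.0.5:137 192.0.2.10:137 in via ext0
Aug  1 22:01:03 fw Deny UDP 198.51.100.23:137 192.0.2.10:137 in via ext0
Aug  1 22:01:10 fw Deny UDP 203.0.113.7:137 192.0.2.11:137 in via ext0
Aug  1 22:05:44 fw Deny UDP 192.168.1.2:137 192.0.2.12:137 in via ext0
Aug  1 22:05:45 fw Deny UDP 203.0.113.9:137 192.0.2.12:137 in via ext0
Aug  1 22:07:00 fw Deny UDP 172.16.4.4:137 192.0.2.13:137 in via ext0
Aug  1 22:09:31 fw Deny TCP 203.0.113.50:4412 192.0.2.14:139 in via ext0
"""

# Explicit RFC1918 list: ipaddress's is_private would also flag the documentation
# ranges used above (192.0.2/24, 198.51.100/24, 203.0.113/24), which we do not want.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NETBIOS_PORTS = {137, 138, 139}
TANDEM_WINDOW = timedelta(seconds=2)  # assumed: how close two arrivals must be to count as a pair


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_line(line):
    """Turn one deny line into a record; the year is irrelevant for time deltas."""
    parts = line.split()
    ts = datetime.strptime(" ".join(parts[:3]), "%b %d %H:%M:%S")
    src_ip, _src_port = parts[6].rsplit(":", 1)
    dst_ip, dst_port = parts[7].rsplit(":", 1)
    return {"ts": ts, "proto": parts[5], "src": src_ip, "dst": dst_ip, "dport": int(dst_port)}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def netbios_attempts(records):
    return [r for r in records if r["dport"] in NETBIOS_PORTS]


def tandem_pairs(records, window=TANDEM_WINDOW):
    """Pair each private-source attempt with a public-source attempt to the same
    destination and port arriving within `window`.  A match is the signature of a
    multi-homed sender emitting from every interface; returns (private, public, dst)."""
    private = [r for r in records if is_rfc1918(r["src"])]
    public = [r for r in records if not is_rfc1918(r["src"])]
    pairs = []
    for p in private:
        for q in public:
            same_target = (p["dst"], p["dport"]) == (q["dst"], q["dport"])
            if same_target and abs(p["ts"] - q["ts"]) <= window:
                pairs.append((p["src"], q["src"], p["dst"]))
                break
    return pairs


def analyze(log_text):
    recs = netbios_attempts(parse_log(log_text))
    pairs = tandem_pairs(recs)
    paired_private = {p[0] for p in pairs}
    private_srcs = sorted({r["src"] for r in recs if is_rfc1918(r["src"])})
    return {
        "netbios_attempts": len(recs),
        "private_source_attempts": sum(1 for r in recs if is_rfc1918(r["src"])),
        "tandem_pairs": pairs,
        # The public twin is the real sender; per the post, a candidate for shunning.
        "shun_candidates": sorted({p[1] for p in pairs}),
        # A private source with no public twin has no multi-homing explanation:
        # treat it as a bogon/spoofed packet and drop it at the border.
        "unexplained_private_sources": [s for s in private_srcs if s not in paired_private],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, two of the three private-source attempts arrive in tandem with a public address (the multi-homed-box case), while 172.16.4.4 has no public twin and is left as an unexplained bogon source; the pairing window and log layout will need adjusting to whatever firewall actually produced the logs.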

