Security Incidents mailing list archives
Re: SMB / NetBIOS Connections
From: Richard Johnson <rdump () RIVER COM>
Date: Tue, 1 Aug 2000 23:28:35 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 15:31 -0600 on 07/27/2000, Jonathan R. Dundas wrote:

> We see constant connection attempts to port 137 to existing hosts on our subnet, even though the attempts are denied. Packets claiming to be from Private/reserved source addys are a significant portion of them, maybe an average of 1 host a day tries to connect from a private addy. Weird. I've been reading this list for about two months, on and off; has this topic been discussed before?
>
> Jonathan

Here are some possibilities, and possible explanations:

Your hosts may be soliciting the traffic by connecting outwards for netbios name resolution on foreign web sites. Some of the netbios 'scans' we notice are due to this.

Your hosts may be soliciting the traffic (for some pathological definition of 'solicit') by connecting to web sites or other services (napster, etc.) on remote machines, which then for some pathological reason attempt to get the netbios name of their peer, even across a WAN link.

The private net connections are usually coming from alternate interfaces on Windows boxes. Those tend to send packets from each of their interfaces to the same destination (thus doubling up the traffic). If one of the interfaces is a PPP dialup to a private net, or perhaps a VPN connection to the same, you'll see the private source address arriving in tandem with connections from the actual source address. Sometimes you'll even see the same designed-misconfigured box sending from 3 separate IPs. It's quite sad.

Anymore, as Randy Mclean noticed, the majority of the port 137-port 137 connection attempts are scans by open share worms like bat-chode-firkin-911-whatever. If you feel adventurous, run nbaudit/nat against the offensive worm-infected box, or use nmbclient/smbclient from samba to manually try out the open shares.

Depending on your policy and user community, you might even want to go so far as to shun the IPs that are generating the bogus netbios traffic. They're broken (by my definition), and very likely up to no good anyway.

Richard

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2
Comment: www.europarl.eu.int/dg4/stoa/en/publi/166499/execsum.htm

iQA/AwUBOYexX2KSuJuuNAZUEQIdNwCgvA+zUmsGeVixJrHVtkjK1m5JGfMAoLjD
F173uXsS4eCuLEg0e2iHCMGf
=qW9e
-----END PGP SIGNATURE-----
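The two traffic patterns described in the reply above (a private or reserved source address arriving "in tandem" with a public source address against the same destination, and a single source sweeping many hosts on port 137) are both easy to pick out of a firewall deny log once the events are grouped. The script below is an added example written for this archive page, not code from the mailing list or its participants. It assumes a simplified, hypothetical deny-log line format and uses constructed sample lines with documentation-range addresses (203.0.113.x, 198.51.100.x) standing in for public hosts; the private/reserved check is an explicit RFC 1918/loopback/link-local list rather than Python's `is_private`, which would also flag those documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Blocks that should never appear as a source on the Internet-facing side:
# RFC 1918 private space plus loopback, link-local and "this network".
PRIVATE_OR_RESERVED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

NETBIOS_NS_PORT = 137  # NetBIOS name service, the port the thread is about

# Hypothetical deny-log format assumed for this example (not a real product's format):
#   "<date> <time> DENY <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DENY (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log (not from the post). 203.0.113.7 is a multi-homed box that
# also sends from two private interfaces; 203.0.113.9 sweeps four hosts on 137.
SAMPLE_LOG = """\
2000-07-27 15:30:01 DENY UDP 203.0.113.7:137 -> 198.51.100.20:137
2000-07-27 15:30:01 DENY UDP 10.0.0.5:137 -> 198.51.100.20:137
2000-07-27 15:30:02 DENY UDP 192.168.1.3:137 -> 198.51.100.20:137
2000-07-27 15:30:02 DENY UDP 203.0.113.7:137 -> 198.51.100.20:137
2000-07-27 15:41:10 DENY UDP 203.0.113.9:1034 -> 198.51.100.21:137
2000-07-27 15:41:11 DENY UDP 203.0.113.9:1034 -> 198.51.100.22:137
2000-07-27 15:41:12 DENY UDP 203.0.113.9:1034 -> 198.51.100.23:137
2000-07-27 15:41:13 DENY UDP 203.0.113.9:1034 -> 198.51.100.24:137
2000-07-27 16:02:45 DENY TCP 203.0.113.50:2044 -> 198.51.100.20:80
"""


def is_private_or_reserved(ip: str) -> bool:
    """True if the source address falls in a block that should not reach us from outside."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_OR_RESERVED)


def parse_line(line: str):
    """Parse one deny-log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
    }


def analyze(log_text: str, tandem_window=timedelta(seconds=2), scan_threshold=4):
    """Summarise port-137 denies: private sources, tandem pairs, and sweeping sources."""
    events = [e for e in map(parse_line, log_text.splitlines())
              if e and e["dport"] == NETBIOS_NS_PORT]
    private_hits = [e for e in events if is_private_or_reserved(e["src"])]
    public_hits = [e for e in events if not is_private_or_reserved(e["src"])]

    # A private-source hit within `tandem_window` of a public-source hit on the same
    # destination is the multi-interface Windows box pattern the post describes.
    tandem = set()
    for p in private_hits:
        for q in public_hits:
            if q["dst"] == p["dst"] and abs(q["ts"] - p["ts"]) <= tandem_window:
                tandem.add((p["src"], q["src"], p["dst"]))
                break

    # One source touching many distinct destinations on 137 is the share-hunting
    # worm scan pattern; the threshold is a tunable, not a fixed rule.
    targets = defaultdict(set)
    for e in events:
        targets[e["src"]].add(e["dst"])
    scanners = sorted(src for src, dsts in targets.items() if len(dsts) >= scan_threshold)

    return {
        "netbios_events": len(events),
        "private_sources": sorted({e["src"] for e in private_hits}),
        "tandem_pairs": sorted(tandem),
        "scanners": scanners,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The tandem check keys on destination and a short time window because, per the post, the extra copies come from the same box sending through each of its interfaces at once; a private source that never pairs with a public one within that window is more likely spoofed or a different problem, and shows up in `private_sources` without a matching `tandem_pairs` entry. Feed real log lines through `parse_line` after adapting `LINE_RE` to your firewall's actual format.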