Security Incidents mailing list archives
Re: SMB / NetBIOS Connections
From: Bryan Andersen <bryan () visi com>
Date: Wed, 2 Aug 2000 23:33:18 -0500
"Jonathan R. Dundas" wrote:
We see constant connection attempts to port 137 to existing hosts on our subnet, even though the attempts are denied. Packets claiming to be from Private/reserved source addys are a significant portion of them, maybe an average of 1 host a day tries to connect from a private addy. Weird. I've been reading this list for about two months, on and off. Has this topic been discussed before?
Yes, port 137 activity has been discussed here before. Also look at CERT's current activity page:

http://www.cert.org/current/current_activity.html

It links to a couple of articles on NetBIOS activities.

As others have mentioned, there are two main types of port 137 activities. One is the poorly set up PC doing a NetBIOS name lookup as it's trying to download a web page. The other is a scan of machines looking for open shares. On my micro subnet I see about even activity between the two. Almost all the port 137 accesses that I get that only hit my web server's IP# are in conjunction with web page downloads from the same machine. All the scans that hit all of my IP addresses have no related web server activity.

As for what I do with them: I ignore the ones that come in with web page downloads. All the rest I notify the ISP/Company/etc where they come from with a relatively stock letter warning of NetBIOS worms and pointing them to CERT.

--
| Bryan Andersen | bryan () visi com | http://softail.visi.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
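
Added example, not part of the original post: a sketch of the triage described in the reply above, correlating denied port 137 packets with web server clients to separate name lookups that accompany a page download from scans that hit every address. All addresses, the verdict labels and the function name are constructed for illustration, and treating "private" as the RFC 1918 ranges is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data using documentation address ranges (not from the post).
WEB_SERVER = "192.0.2.10"
MONITORED = {"192.0.2.9", "192.0.2.10", "192.0.2.11"}  # every IP on the small subnet
DENIED_137 = [                     # (source, destination) of denied port 137 packets
    ("198.51.100.7", "192.0.2.10"),
    ("203.0.113.50", "192.0.2.9"),
    ("203.0.113.50", "192.0.2.10"),
    ("203.0.113.50", "192.0.2.11"),
    ("10.1.2.3", "192.0.2.11"),
    ("198.51.100.99", "192.0.2.10"),
]
WEB_CLIENTS = {"198.51.100.7"}     # sources that also appear in the web access log

# Assumption: "private" means the RFC 1918 ranges. ip_address().is_private is
# avoided because it also matches the documentation ranges used as samples here.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def triage_port137(denied, web_clients, web_server, monitored):
    """Return {source: verdict}; the verdict labels are hypothetical names."""
    targets = defaultdict(set)
    for src, dst in denied:
        targets[src].add(dst)
    verdicts = {}
    for src, dsts in targets.items():
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in RFC1918):
            verdicts[src] = "private-source"            # claims a private address
        elif dsts == {web_server} and src in web_clients:
            verdicts[src] = "lookup-with-web-download"  # ignored in the reply
        elif monitored <= dsts and src not in web_clients:
            verdicts[src] = "share-scan"                # notify the source network
        else:
            verdicts[src] = "review"                    # fits neither pattern
    return verdicts

if __name__ == "__main__":
    result = triage_port137(DENIED_137, WEB_CLIENTS, WEB_SERVER, MONITORED)
    for src, verdict in result.items():
        print(f"{src:15} {verdict}")
```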