Security Incidents mailing list archives

Re: Possible attempt at hacking?


From: Dante () WEBCTI COM (Dante Mercurio)
Date: Wed, 26 Jan 2000 15:40:18 -0500


This is not likely to be an attack since it is occurring over IPX/SPX (Nwlnk
transport). Most likely it is a system with an incorrect frame type on your
network. You might want to run a sniffer program to determine the culprits.
If you know who they are, check the frame type, and the IPX/SPX network
number, and make sure they are correct.
--Dante

-----Original Message-----
From: Geir A. Bjune [mailto:geir () MAIL WSU EDU]
Sent: Wednesday, January 26, 2000 12:51 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Possible attempt at hacking?

I'm not 100% sure what the following is, but I keep getting illegal 
datagrams from certain machines through NT's Rdr service (SMB, I assume).

The following message shows up in the message log:

The browser has received an illegal datagram from the remote computer 
<remote> to name <mymachinename> on transport Nwlnk.  The data is the datagram

Data is as follows:

0000: 00 00 3e 00 04 00 86 00   ..>...?.
0008: 00 00 00 00 46 1f 00 80   ....F..?
0010: 00 00 00 00 d0 00 00 c0   ....Ð..À
0018: 04 00 00 00 00 00 00 00   ........
0020: 00 00 00 00 00 00 00 00   ........
0028: ff 00 b1 53 4d 42 25 00   ÿ.±SMB%.
0030: 00 00 00 00 00 00 00 00   ........
0038: 00 00 00 00 00 00 00 00   ........
0040: 00 00 00 00 00 00 00 00   ........
0048: 00 00 11 00 00 2f 00 00   ...../..
0050: 00 00 00 00 00 00 00 00   ........
0058: 00 00 00 00 00 00 00 00   ........
0060: 00 2f 00 56 00 03         ./.V..

I would very much like to know if this is someone trying to break down my 
NT 4.0 machine (Windows NT 4.0 workstation, SP 6a).

Any information appreciated.

Thanks,
Geir
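
The check suggested in the reply above (sniff the segment, then compare frame type and IPX network number per host) can be scripted as follows. This is an added example, not part of the original messages: it classifies captured Ethernet frames by IPX encapsulation and reports hosts whose frame type or network number differs from the majority. The sample frames, addresses and network number are constructed, and the code assumes most hosts on the segment are configured correctly.

```python
import struct
from collections import defaultdict

def classify(frame):
    """Return (frame_type, offset_of_ipx_header) or None if the frame is not IPX."""
    if len(frame) < 22:
        return None
    (type_len,) = struct.unpack("!H", frame[12:14])
    if type_len == 0x8137:                        # EtherType for IPX
        return "Ethernet_II", 14
    if type_len > 1500:                           # some other EtherType
        return None
    if frame[14:16] == b"\xff\xff":               # raw 802.3: IPX checksum right after length
        return "Ethernet_802.3", 14
    if frame[14:17] == b"\xe0\xe0\x03":           # 802.2 LLC, NetWare SAP 0xE0
        return "Ethernet_802.2", 17
    if frame[14:22] == b"\xaa\xaa\x03\x00\x00\x00\x81\x37":   # SNAP carrying 0x8137
        return "Ethernet_SNAP", 22
    return None

def ipx_source(frame):
    """Return (frame_type, source_network, source_node) from the 30-byte IPX header."""
    hit = classify(frame)
    if hit is None or len(frame) < hit[1] + 30:
        return None
    hdr = frame[hit[1]:hit[1] + 30]
    return hit[0], hdr[18:22].hex(), hdr[22:28].hex(":")

def find_outliers(frames):
    """Map each minority (frame_type, network) pair to the nodes that use it."""
    seen = defaultdict(set)
    for f in frames:
        src = ipx_source(f)
        if src:
            seen[src[:2]].add(src[2])
    if not seen:
        return {}
    majority = max(seen, key=lambda k: len(seen[k]))   # assumption: most hosts are right
    return {k: sorted(v) for k, v in seen.items() if k != majority}

def sample(llc, net, node):
    """Constructed test frame: broadcast IPX datagram, made-up sockets and addresses."""
    ipx = (b"\xff\xff" + struct.pack("!HBB", 30, 0, 4) + bytes(4) + b"\xff" * 6
           + b"\x40\x00" + net + node + b"\x40\x00")
    return b"\xff" * 6 + node + struct.pack("!H", len(llc) + len(ipx)) + llc + ipx

NET = bytes.fromhex("0000a100")
SAMPLE_FRAMES = [sample(b"\xe0\xe0\x03", NET, bytes.fromhex("00a0c90000%02x" % i)) for i in (1, 2, 3)]
SAMPLE_FRAMES.append(sample(b"", NET, bytes.fromhex("00a0c9000004")))   # raw 802.3 host

if __name__ == "__main__":
    print(find_outliers(SAMPLE_FRAMES))
```

Feed find_outliers() the raw frames from a capture of the affected segment; any node it lists is a candidate for the frame type or network number check.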

