Security Incidents mailing list archives
Re: SMB / NetBIOS Connections
From: Randy Mclean <rmclean () NATDOOR COM>
Date: Fri, 28 Jul 2000 15:01:53 -0500
What was the source port on the connection attempt? In my experience you will see one of two things.

1) If the source and destination ports are both 137 then you are most likely getting the connection attempt from one of the NetBIOS worms (I know of at least a dozen of them). Please see http://www.cert.org/incident_notes/IN-2000-02.html for more info. This also could be a workstation that is misconfigured.

2) If the source port is greater than 1024 then this usually indicates a scan looking for unfiltered Microsoft shares using a product like nmap. While some programs can scan with a source port below 1024, most of them require superuser (root) access.

Hope this helps.

At 04:31 PM 7/27/2000 -0500, you wrote:
> We see constant connection attempts to port 137 to existing hosts on our subnet, even though the attempts are denied. Packets claiming to be from Private/reserved source addys are a significant portion of them, maybe an average of 1 host a day tries to connect from a private addy. Weird. I've been reading this list for about two months on and off; has this topic been discussed before?
>
> Jonathan

--
Randy Mclean
Security/Network Administrator
rmclean () natdoor com
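The source-port rule of thumb from the reply above, applied to firewall deny logs together with the private-source check from the quoted question; this is an added example, not part of the original post. The log format, addresses, function names and label names are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges; a packet arriving from the Internet with one of these
# as its source address cannot be answered.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed log layout: iptables-like key=value fields.
FIELD = re.compile(r"\b(SRC|DST|SPT|DPT)=(\S+)")

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jul 27 16:31:02 fw kernel: DENY SRC=198.51.100.7 DST=203.0.113.20 PROTO=UDP SPT=137 DPT=137
Jul 27 16:31:09 fw kernel: DENY SRC=198.51.100.9 DST=203.0.113.20 PROTO=UDP SPT=40211 DPT=137
Jul 27 16:32:44 fw kernel: DENY SRC=10.4.4.12 DST=203.0.113.21 PROTO=UDP SPT=137 DPT=137
Jul 27 16:33:10 fw kernel: DENY SRC=198.51.100.9 DST=203.0.113.22 PROTO=UDP SPT=53 DPT=137
Jul 27 16:33:15 fw kernel: DENY SRC=198.51.100.9 DST=203.0.113.22 PROTO=TCP SPT=40212 DPT=80
"""

def classify(line):
    """Return (src, label, is_private_src) for a port-137 attempt, else None."""
    f = dict(FIELD.findall(line))
    if not {"SRC", "SPT", "DPT"} <= f.keys() or f["DPT"] != "137":
        return None
    if not f["SPT"].isdigit():
        return None                            # malformed line, skip it
    spt = int(f["SPT"])
    if spt == 137:
        label = "worm-or-misconfigured-host"   # 137 -> 137
    elif spt > 1024:
        label = "share-scan"                   # unprivileged source port
    else:
        label = "low-port-other"               # low port other than 137
    src = ipaddress.ip_address(f["SRC"])
    return f["SRC"], label, any(src in net for net in RFC1918)

def summarize(log):
    """Count attempts per label and list the private source addresses seen."""
    hits = [r for r in map(classify, log.splitlines()) if r]
    counts = Counter(label for _, label, _ in hits)
    return counts, sorted({src for src, _, private in hits if private})

if __name__ == "__main__":
    counts, private_sources = summarize(SAMPLE_LOG)
    print(dict(counts), private_sources)
```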