Security Incidents mailing list archives

Re: SMB / NetBIOS Connections


From: Randy Mclean <rmclean () NATDOOR COM>
Date: Fri, 28 Jul 2000 15:01:53 -0500

What was the source port on the connection attempt?? In my experience you
will see one of two things.

1) If the source and destination ports are both 137 then you are most
likely getting the connection attempt from one of the NetBIOS worms (I know
of at least a dozen of them). Please see
http://www.cert.org/incident_notes/IN-2000-02.html for more info. This also
could be a workstation that is misconfigured.

2) If the source port is greater than 1024 then this usually indicates a
scan looking for unfiltered Microsoft shares using a product like nmap.
While some programs can scan with a source port below 1024, most of them
require superuser (root) access.

Hope this helps.




At 04:31 PM 7/27/2000 -0500, you wrote:
We see constant connection attempts to port 137 to existing hosts on our
subnet, even though the attempts are denied.  Packets claiming to be from
Private/reserved source addys are a significant portion of them, maybe an
average of 1 host a day tries to connect from a private addy.  Weird.  I've
been reading this list for about two months on and off. Has this topic
been discussed before?

Jonathan

--
Randy Mclean
Security/Network Administrator
rmclean () natdoor com
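
As an added example (not part of the original message or thread), the following Python script applies the two source-port cases from the reply to firewall deny logs and also lists RFC 1918 source addresses, as raised in the quoted question. The log format, field names and sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges; such sources should never arrive on an Internet-facing interface.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in a hypothetical key=value firewall deny-log format.
SAMPLE_LOG = """\
Jul 27 16:31:02 fw DENY SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
Jul 27 16:31:09 fw DENY SRC=203.0.113.44 DST=192.0.2.11 PROTO=UDP SPT=40211 DPT=137
Jul 27 16:32:40 fw DENY SRC=10.4.4.9 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
Jul 27 16:33:15 fw DENY SRC=203.0.113.44 DST=192.0.2.12 PROTO=UDP SPT=40212 DPT=137
Jul 27 16:35:01 fw DENY SRC=198.51.100.90 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=137
Jul 27 16:36:00 fw DENY SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def classify(spt, dpt):
    """Apply the two source-port cases from the message to one packet."""
    if dpt != 137:
        return None                          # not a port-137 connection attempt
    if spt == 137:
        return "worm-or-misconfigured-host"  # case 1: source and destination both 137
    if spt > 1024:
        return "share-scan"                  # case 2: source port above 1024
    return "unclassified"                    # 1024 or below and not 137: neither case

def triage(log_text):
    """Return (label counts, set of RFC 1918 sources) for port-137 denies."""
    counts, private_sources = Counter(), set()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not {"SRC", "SPT", "DPT"} <= f.keys():
            continue                         # skip lines missing required fields
        label = classify(int(f["SPT"]), int(f["DPT"]))
        if label is None:
            continue
        counts[label] += 1
        if any(ipaddress.ip_address(f["SRC"]) in net for net in RFC1918):
            private_sources.add(f["SRC"])
    return counts, private_sources

if __name__ == "__main__":
    counts, private_sources = triage(SAMPLE_LOG)
    for label, n in counts.most_common():
        print(f"{n:3d}  {label}")
    print("RFC 1918 sources:", sorted(private_sources))
```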

