Security Incidents mailing list archives
Re: Weird UDP packets
From: DerekB () AMDOCS COM (Derek Becker)
Date: Wed, 8 Mar 2000 08:48:55 -0600
Are you filtering outbound nbt? These may be replies if you're forwarding nbt broadcasts from your interior machines.

Derek

-----Original Message-----
From: Damian Gerow [mailto:damian () ITACTICS COM]
Sent: Monday, March 06, 2000 2:55 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Weird UDP packets

I've been watching my firewall logs, and in the past week something has cropped up. The firewall (all packets _do_ have a destination of the firewall) is a filtering, forwarding firewall protecting both Linux and NT servers. It does not run Samba, only SSH. The weird part of it is that packets are coming from port 137 and going to port 137, and always three packets from a different source each time.

Can anyone help me with this one?

Mar 3 04:57:42 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 24.161.140.236:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=3411 T=112
Mar 3 04:57:43 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 24.161.140.236:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=3667 T=112
Mar 3 04:57:45 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 24.161.140.236:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=4179 T=112
Mar 4 00:15:42 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 209.184.120.232:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=47942 T=110
Mar 4 00:15:43 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 209.184.120.232:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=48198 T=110
Mar 4 00:15:45 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 209.184.120.232:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=48454 T=110
Mar 4 13:40:06 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 209.99.67.16:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=28395 T=112
Mar 4 13:40:07 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 209.99.67.16:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=28651 T=112
Mar 4 13:40:09 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 209.99.67.16:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=28907 T=112
Mar 5 20:51:03 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 150.100.100.11:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=51733 T=122
Mar 5 20:51:04 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 150.100.100.11:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=59925 T=122
Mar 5 20:51:06 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 150.100.100.11:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=790 T=122
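
The pattern described in the original post (three denied UDP packets per source, port 137 to port 137) can be pulled out of a log in this layout by parsing each "Packet log:" line and grouping the matches into bursts per source. This is an added example and not part of either message; the function names, the 5-second burst gap, the default year and the sample lines (documentation-range addresses) are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Layout of the "Packet log:" lines quoted in the post: chain, action, interface,
# protocol, src:port, dst:port, then L= (length), S= (TOS), I= (IP ID), T= (TTL).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8}) \S+ kernel: Packet log: (?P<chain>\S+) "
    r"(?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\S+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<len>\S+) S=(?P<tos>\S+) I=(?P<ipid>\d+) T=(?P<ttl>\d+)")

def parse(line, year=2000):  # syslog lines carry no year; 2000 is an assumption
    """Return one packet-log line as a dict, or None for any other syslog line."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec.update({k: int(rec[k]) for k in ("sport", "dport", "ipid", "ttl")})
    return rec

def nbns_bursts(lines, gap=timedelta(seconds=5)):
    """Group denied UDP 137->137 packets into bursts per source address."""
    recs = [r for r in map(parse, lines) if r and
            (r["action"], r["proto"], r["sport"], r["dport"]) == ("DENY", "UDP", 137, 137)]
    bursts = []
    for r in sorted(recs, key=lambda r: (r["src"], r["ts"])):
        cur = bursts[-1] if bursts else None
        if cur and cur["src"] == r["src"] and r["ts"] - cur["last"] <= gap:
            # Same sender inside the gap: extend the burst, record the IP ID step.
            cur["ipid_steps"].append((r["ipid"] - cur["ipid"]) % 65536)
            cur.update(count=cur["count"] + 1, last=r["ts"], ipid=r["ipid"])
        else:
            bursts.append({"src": r["src"], "first": r["ts"], "last": r["ts"], "count": 1,
                           "ttl": r["ttl"], "ipid": r["ipid"], "ipid_steps": []})
    return sorted(bursts, key=lambda b: b["first"])

# Constructed sample in the post's layout (documentation-range addresses).
P = "fw kernel: Packet log: unserved DENY eth0 PROTO=UDP"
SAMPLE = [
    f"Mar 3 04:57:42 {P} 192.0.2.10:137 198.51.100.1:137 L=78:58 S=0x00 I=1000 T=112",
    f"Mar 3 04:57:43 {P} 192.0.2.10:137 198.51.100.1:137 L=78:58 S=0x00 I=1256 T=112",
    f"Mar 3 04:57:45 {P} 192.0.2.10:137 198.51.100.1:137 L=78:58 S=0x00 I=1768 T=112",
    f"Mar 4 00:15:42 {P} 203.0.113.7:137 198.51.100.1:137 L=78:58 S=0x00 I=65400 T=110",
    f"Mar 4 00:15:43 {P} 203.0.113.7:137 198.51.100.1:137 L=78:58 S=0x00 I=120 T=110",
    f"Mar 4 00:15:45 {P} 203.0.113.7:137 198.51.100.1:137 L=78:58 S=0x00 I=376 T=110",
    f"Mar 4 02:00:00 {P} 203.0.113.7:1025 198.51.100.1:53 L=60:40 S=0x00 I=9 T=110",
]
print(*nbns_bursts(SAMPLE), sep="\n")
```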