Security Incidents mailing list archives
Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity
From: bryan () VISI COM (Bryan Andersen)
Date: Tue, 28 Mar 2000 16:06:39 -0600
I too have seen this behavior. I block them at my firewall, but the numbers have dramatically increased for port 137 scans that hit every IP# in my micro net address range. Before Feb I'd see one a month at most. For the week of * I've seen:

Feb 27: 3
Mar 5: 5
Mar 12: 8
Mar 19: 4
Mar 26: 3 so far

I have a /30 net routed to me so I see traffic for 4 IP addresses. IP# *.18 is my DSL router so I don't see messages to it.

I know I wasn't on the net last night at that time, and the address wasn't accessing my web server either. These log events from yesterday are typical of what I'd see:

Mar 27 22:00:25 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00 I=63748 F=0x0000 T=112
Mar 27 22:00:27 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00 I=5381 F=0x0000 T=112
Mar 27 22:00:28 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00 I=5637 F=0x0000 T=112
Mar 27 22:00:36 input PROTO=17 204.210.104.156:137 *.17:137 L=78 S=0x00 I=58373 F=0x0000 T=112
Mar 27 22:00:37 input PROTO=17 204.210.104.156:137 *.17:137 L=78 S=0x00 I=58629 F=0x0000 T=112
Mar 27 22:00:39 input PROTO=17 204.210.104.156:137 *.17:137 L=78 S=0x00 I=59141 F=0x0000 T=112
Mar 27 22:00:57 input PROTO=17 204.210.104.156:137 *.19:137 L=78 S=0x00 I=4360 F=0x0000 T=112
Mar 27 22:00:58 input PROTO=17 204.210.104.156:137 *.19:137 L=78 S=0x00 I=4616 F=0x0000 T=112
Mar 27 22:01:00 input PROTO=17 204.210.104.156:137 *.19:137 L=78 S=0x00 I=4872 F=0x0000 T=112

This is a set from two sites very nicely meshed (Are they racing each other?):

Mar 23 18:39:48 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00 I=29440 F=0x0000 T=111
Mar 23 18:39:48 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00 I=29184 F=0x0000 T=111
Mar 23 18:39:50 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00 I=29696 F=0x0000 T=111
Mar 23 18:39:50 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00 I=29952 F=0x0000 T=111
Mar 23 18:39:51 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00 I=30464 F=0x0000 T=111
Mar 23 18:39:51 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00 I=30720 F=0x0000 T=111
Mar 23 18:39:59 input PROTO=17 200.200.200.1:137 *.17:137 L=78 S=0x00 I=32000 F=0x0000 T=113
Mar 23 18:39:59 input PROTO=17 207.194.22.39:137 *.17:137 L=78 S=0x00 I=32256 F=0x0000 T=111
Mar 23 18:40:01 input PROTO=17 200.200.200.1:137 *.17:137 L=78 S=0x00 I=32512 F=0x0000 T=113
Mar 23 18:40:01 input PROTO=17 207.194.22.39:137 *.17:137 L=78 S=0x00 I=32768 F=0x0000 T=111
Mar 23 18:40:02 input PROTO=17 200.200.200.1:137 *.17:137 L=78 S=0x00 I=33024 F=0x0000 T=113
Mar 23 18:40:02 input PROTO=17 207.194.22.39:137 *.17:137 L=78 S=0x00 I=33280 F=0x0000 T=111
Mar 23 18:40:23 input PROTO=17 200.200.200.1:137 *.19:137 L=78 S=0x00 I=38144 F=0x0000 T=111
Mar 23 18:40:23 input PROTO=17 207.194.22.39:137 *.19:137 L=78 S=0x00 I=38400 F=0x0000 T=111
Mar 23 18:40:25 input PROTO=17 200.200.200.1:137 *.19:137 L=78 S=0x00 I=38656 F=0x0000 T=111
Mar 23 18:40:25 input PROTO=17 207.194.22.39:137 *.19:137 L=78 S=0x00 I=38912 F=0x0000 T=111
Mar 23 18:40:26 input PROTO=17 200.200.200.1:137 *.19:137 L=78 S=0x00 I=39168 F=0x0000 T=111
Mar 23 18:40:26 input PROTO=17 207.194.22.39:137 *.19:137 L=78 S=0x00 I=39424 F=0x0000 T=111

--
| Bryan Andersen | bryan () visi com | http://softail.visi.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
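Added example, not part of the original post: a small Python parser for firewall log lines in the format quoted above, grouping UDP port 137 probes by source so that sources sweeping several addresses in the range stand out. The field layout is assumed from the quoted lines, the function names `parse_line` and `find_sweeps` are hypothetical, and the sample is a subset of the lines in the post.

```python
import re
from collections import defaultdict

# Layout assumed from the post: "Mon DD HH:MM:SS input PROTO=n src:sport dst:dport L= S= I= F= T="
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) input PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[^\s:]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=\S+ I=(?P<ipid>\d+) F=\S+ T=(?P<ttl>\d+)$"
)

# Subset of the log lines from the post (destination prefix is masked as "*").
SAMPLE = """\
Mar 27 22:00:25 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00 I=63748 F=0x0000 T=112
Mar 27 22:00:27 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00 I=5381 F=0x0000 T=112
Mar 27 22:00:36 input PROTO=17 204.210.104.156:137 *.17:137 L=78 S=0x00 I=58373 F=0x0000 T=112
Mar 27 22:00:57 input PROTO=17 204.210.104.156:137 *.19:137 L=78 S=0x00 I=4360 F=0x0000 T=112
Mar 23 18:39:48 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00 I=29440 F=0x0000 T=111
Mar 23 18:39:48 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00 I=29184 F=0x0000 T=111
Mar 23 18:39:59 input PROTO=17 200.200.200.1:137 *.17:137 L=78 S=0x00 I=32000 F=0x0000 T=113
"""

def parse_line(line):
    # Returns the fields of one log line as a dict, or None if it does not match.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "ipid", "ttl"):
        rec[key] = int(rec[key])
    return rec

def find_sweeps(lines, port=137, min_targets=2):
    """Group UDP probes to `port` by source; keep sources hitting >= min_targets hosts."""
    per_src = defaultdict(lambda: {"targets": set(), "probes": 0, "ttls": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != 17 or rec["dport"] != port:
            continue  # unparsable line, not UDP, or a different port
        entry = per_src[rec["src"]]
        entry["targets"].add(rec["dst"])
        entry["probes"] += 1
        entry["ttls"].add(rec["ttl"])
    return {
        src: {"targets": sorted(e["targets"]), "probes": e["probes"], "ttls": sorted(e["ttls"])}
        for src, e in per_src.items() if len(e["targets"]) >= min_targets
    }

if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE.splitlines()).items():
        print(src, info)
```

The per-source TTL set is kept because a source whose observed TTL changes between probes, as 200.200.200.1 does in the quoted lines, is worth a second look when triaging.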