Security Incidents mailing list archives

Re: Lots netbios scans (udp 137)


From: ben () ION AS UTEXAS EDU (Ben Laws)
Date: Mon, 1 May 2000 20:20:57 -0500


Russell Fulton wrote:

Hi,
        Over the last few days I have seen four or five 'short' scans
of udp 137 ports in various parts of our /16 network address space.

These scans seem to start at address 1 in a random class C and then
probe in an ascending sequence -- sometimes stopping short of the
address 254.  Three packets to each address and around 5 - 7 seconds
between addresses, suggests that this is something using standard
netbios calls. Since we block 137 on our DMZ I have not been able to
observe what happens when a machine responds.

I am wondering if this is a new worm working through open shares, it
certainly looks similar to the report from Bryce Alexander at

http://www.sans.org/y2k/honeypot_catch.htm.

If it is then it looks as if it is being very successful.  The scans I
logged came from all over the world.

Howdy Russell,

Here I've been observing similar scans, although
over a smaller address space.  They always originate
from a Windows box (determined by `nmap -sS -O
target`), and I've seen them come from all over as
well.  Best to ensure you don't have any open shares
on your Windows systems --

Ben Laws
Hobby-Eberly Telescope
UT McDonald Observatory
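
The scan pattern described in this thread (an ascending walk through one class C on udp 137, three packets per address, 5 to 7 seconds between addresses) written as a detection heuristic over packet records. This is an added example, not part of the original messages; the record format, the thresholds and the sample data are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address
from statistics import median

def sample_records():
    """Constructed data: (epoch seconds, source, destination, UDP dest port)."""
    recs = []
    for i in range(1, 41):                      # sweep stops short of .254
        t0 = 957000000 + (i - 1) * 6.0          # ~6 s between addresses
        recs += [(t0 + k * 1.5, "198.51.100.7", f"192.0.2.{i}", 137) for k in range(3)]
    recs.append((957000010.0, "203.0.113.9", "192.0.2.50", 137))  # lone name query
    recs.append((957000020.0, "203.0.113.9", "192.0.2.50", 53))   # unrelated port
    return recs

def find_sweeps(records, port=137, min_hosts=20, max_gap=10.0):
    """Flag sources that probe one /24 in ascending host order on `port`.
    min_hosts and max_gap are assumed thresholds; tune them for your network."""
    first_seen = defaultdict(dict)   # (src, /24 as int) -> {host octet: first timestamp}
    packets = defaultdict(int)
    for ts, src, dst, dport in records:
        if dport != port:
            continue
        addr = int(ip_address(dst))              # IPv4 assumed
        key, host = (src, addr >> 8), addr & 0xFF
        first_seen[key][host] = min(ts, first_seen[key].get(host, ts))
        packets[key] += 1
    sweeps = {}
    for (src, prefix), hosts in first_seen.items():
        if len(hosts) < min_hosts:
            continue
        order = sorted(hosts, key=hosts.get)     # hosts in order of first probe
        gaps = [hosts[b] - hosts[a] for a, b in zip(order, order[1:])]
        if order == sorted(order) and max(gaps) <= max_gap:
            sweeps[(src, f"{ip_address(prefix << 8)}/24")] = {
                "first_host": order[0], "last_host": order[-1],
                "packets_per_host": packets[(src, prefix)] / len(hosts),
                "median_gap": median(gaps),
            }
    return sweeps

if __name__ == "__main__":
    for key, stats in find_sweeps(sample_records()).items():
        print(key, stats)
```

The single name query from 203.0.113.9 is not flagged because it touches only one address in the /24.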

