Security Incidents mailing list archives

Re: Lots netbios scans (udp 137)

From: woods () WEIRD COM (Greg A. Woods)
Date: Wed, 3 May 2000 03:31:21 -0400


[ On Monday, May 1, 2000 at 20:20:57 (-0500), Ben Laws wrote: ]

Subject: Re: Lots netbios scans (udp 137)

Here I've been observing similar scansm, although
over a smaller address space.  They always originate
from a Windows box (determined by `nmap -sS -O
target`), and I've seen them come from all over as
well.  Best to ensure you don't have any open shares
on your Windows systems --


The scans I saw last week were always from unrouted networks such as
192.168 and 169.254, but from port 137 and to port 137, and always
78-byte UDP packets.

I there any possibility that it's "normal" for a M$-Win box to do this
under some circumstances?

--
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>

Current thread:

Re: Lots netbios scans (udp 137) Ben Laws (May 01)
- Re: Lots netbios scans (udp 137) Greg A. Woods (May 03)
  - Re: Lots netbios scans (udp 137) Bryan Andersen (May 03)
  - odd message showing up logs... Josh Burroughs (May 04)
    - Re: odd message showing up logs... Rick Redman (May 06)
    - amd exploit(ed)? Paulo Ribeiro (May 07)
    - Re: amd exploit(ed)? Mike Murray (May 08)
    - Re: amd exploit(ed)? Erich Meier (May 09)
    - Re: amd exploit(ed)? Jim Zajkowski (May 09)
    - Re: odd message showing up logs... Robert Graham (May 07)
  - Port 109 Scans Eric Maiwald (May 04)
    - Re: Port 109 Scans Stone (May 06)

(Thread continues...)