Security Incidents mailing list archives

Re: Lots netbios scans (udp 137)


From: woods () WEIRD COM (Greg A. Woods)
Date: Thu, 4 May 2000 14:44:37 -0400


[ On Thursday, May 4, 2000 at 16:24:16 (+0200), Erich Meier wrote: ]
Subject: Re: Lots netbios scans (udp 137)

On Wed, May 03, 2000 at 03:31:21AM -0400, Greg A. Woods wrote:

The scans I saw last week were always from unrouted networks such as
192.168 and 169.254, but from port 137 and to port 137, and always
78-byte UDP packets.

Is there any possibility that it's "normal" for a M$-Win box to do this
under some circumstances?

Yes, it's normal. And it's legal.

To quote from Bill Manning's I-D draft-manning-dsua-03.txt:

Oh, no, I know all about that part....

In fact that's one of the reasons why my firewall logged and dropped the
packets -- I filter NETBLK-LINKLOCAL along with all the other RFC-1918
addresses and so on (at least one scan was from a 192.168 address).  The
other reason they were blocked is that I block all traffic to, or from,
any of the NETBIOS-* services (137-139).

What I'm questioning is whether or not there are any circumstances where
it's "normal" for a M$-Win box to *scan* an entire range of addresses by
sending at least two, sometimes three or four, and sometimes more,
presumably identical 78-byte UDP packets with source & destination port
numbers set to 137.  Note that so far as I can tell the net and
broadcast addresses got the same packets too.

I'm guessing for now that this is a possibly malicious scanner looking
for broken M$ to crack.  What confuses me is the use of private
addresses.  This, combined with the claim by another poster that a
reverse nmap on a machine doing a similar scan from a routed network, is
what makes me think there might be some "normal" state where a lost and
forgotten M$ box will go searching actively for a friendly neighbourhood
server or some such silliness.

So far I haven't captured any of these packets, but I will if I happen
to see a scan in progress....

--
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
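A defender-side illustration, added here and not part of Greg's message or the thread: it parses constructed firewall log lines in an assumed format, flags the 78-byte UDP 137 to 137 packet shape described above, notes whether the source is an RFC 1918 or link-local address, and groups by source so that a sweep across several targets stands out from a single stray packet.

```python
import ipaddress

# Constructed sample firewall log (not from the original post). Assumed format:
# "<time> <action> <proto> <src>:<sport> -> <dst>:<dport> len=<bytes>"
SAMPLE_LOG = """\
13:01:02 DROP UDP 192.168.1.20:137 -> 10.0.0.1:137 len=78
13:01:02 DROP UDP 192.168.1.20:137 -> 10.0.0.1:137 len=78
13:01:03 DROP UDP 192.168.1.20:137 -> 10.0.0.2:137 len=78
13:01:03 DROP UDP 192.168.1.20:137 -> 10.0.0.3:137 len=78
13:01:04 DROP UDP 169.254.7.9:137 -> 10.0.0.255:137 len=78
13:01:05 ACCEPT TCP 203.0.113.5:40112 -> 10.0.0.1:25 len=60
13:01:06 DROP UDP 203.0.113.9:137 -> 10.0.0.1:137 len=78
"""

# Source ranges that should never appear on a routed link: RFC 1918 plus link-local.
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def parse_line(line):
    """Split one log line into its fields (assumed format above)."""
    _ts, _action, proto, src, _arrow, dst, length = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"proto": proto, "src": ipaddress.ip_address(sip), "sport": int(sport),
            "dst": ipaddress.ip_address(dip), "dport": int(dport),
            "len": int(length.split("=", 1)[1])}

def is_netbios_probe(pkt):
    """The packet shape from the thread: UDP, port 137 to port 137, 78 bytes."""
    return (pkt["proto"] == "UDP" and pkt["sport"] == 137
            and pkt["dport"] == 137 and pkt["len"] == 78)

def from_unroutable(addr):
    return any(addr in net for net in UNROUTABLE)

def summarize_probes(log_text):
    """Per source address: packet count, distinct targets, unroutable-source flag."""
    stats = {}
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if not is_netbios_probe(pkt):
            continue
        entry = stats.setdefault(str(pkt["src"]), {"packets": 0, "targets": set(),
                                                   "unroutable": from_unroutable(pkt["src"])})
        entry["packets"] += 1
        entry["targets"].add(str(pkt["dst"]))
    return stats

def sweeps(stats, min_targets=2):
    """Sources that probed at least min_targets distinct hosts, i.e. a range scan."""
    return sorted(src for src, s in stats.items() if len(s["targets"]) >= min_targets)
```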


