Security Incidents mailing list archives
Re: Lots netbios scans (udp 137)
From: woods () WEIRD COM (Greg A. Woods)
Date: Thu, 4 May 2000 14:44:37 -0400
[ On Thursday, May 4, 2000 at 16:24:16 (+0200), Erich Meier wrote: ]
Subject: Re: Lots netbios scans (udp 137)

> On Wed, May 03, 2000 at 03:31:21AM -0400, Greg A. Woods wrote:
> > The scans I saw last week were always from unrouted networks such as
> > 192.168 and 169.254, but from port 137 and to port 137, and always
> > 78-byte UDP packets. Is there any possibility that it's "normal" for a
> > M$-Win box to do this under some circumstances?
>
> Yes, it's normal. And it's legal. To quote from Bill Manning's I-D
> draft-manning-dsua-03.txt:
Oh, no, I know all about that part.... In fact that's one of the reasons why my firewall logged and dropped the packets -- I filter NETBLK-LINKLOCAL along with all the other RFC-1918 addresses and so on (at least one scan was from a 192.168 address). The other reason they were blocked is that I block all traffic to, or from, any of the NETBIOS-* services (137-139).

What I'm questioning is whether or not there are any circumstances where it's "normal" for a M$-Win box to *scan* an entire range of addresses by sending at least two, sometimes three or four, and sometimes more, presumably identical 78-byte UDP packets with source & destination port numbers set to 137. Note that so far as I can tell the net and broadcast addresses got the same packets too.

I'm guessing for now that this is a possibly malicious scanner looking for broken M$ to crack. What confuses me is the use of private addresses. This, combined with the claim by another poster that a reverse nmap on a machine doing a similar scan from a routed network, is what makes me think there might be some "normal" state where a lost and forgotten M$ box will go searching actively for a friendly neighbourhood server or some such silliness.

So far I haven't captured any of these packets, but I will if I happen to see a scan in progress....

-- 
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods () acm org> <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
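The pattern Greg describes above (identical 78-byte UDP datagrams, source port and destination port both 137, sent to every address in a block including the network and broadcast address, often from an RFC 1918 or 169.254/16 source) is easy to pick out of a firewall log once the per-packet signature and the per-source fan-out are separated. The following is an added example, not code from the thread or from any of the posters; the log line format it parses is a constructed, simplified one (hypothetical, not any real firewall's format), the sample lines and the monitored 203.0.113.0/24 block are constructed, and the `min_targets` threshold is an assumption.

```python
"""Spot NetBIOS name-service (UDP 137 -> 137) sweeps in a firewall drop log.

Per-packet signature (from the thread): UDP, sport 137, dport 137, 78 bytes.
Sweep signature: one source hitting many distinct destinations, with repeats,
often from an unrouted (RFC 1918 / link-local) source address, and touching
the network and broadcast addresses of the monitored block.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log, hypothetical format:
#   <timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport> len=<bytes>
SAMPLE_LOG = """\
May  4 14:01:02 DROP udp 192.168.1.77:137 -> 203.0.113.0:137 len=78
May  4 14:01:02 DROP udp 192.168.1.77:137 -> 203.0.113.1:137 len=78
May  4 14:01:02 DROP udp 192.168.1.77:137 -> 203.0.113.1:137 len=78
May  4 14:01:03 DROP udp 192.168.1.77:137 -> 203.0.113.2:137 len=78
May  4 14:01:03 DROP udp 192.168.1.77:137 -> 203.0.113.3:137 len=78
May  4 14:01:04 DROP udp 192.168.1.77:137 -> 203.0.113.255:137 len=78
May  4 14:02:10 DROP udp 169.254.10.5:137 -> 203.0.113.9:137 len=78
May  4 14:02:10 DROP udp 169.254.10.5:137 -> 203.0.113.10:137 len=78
May  4 14:03:00 DROP udp 198.51.100.4:1031 -> 203.0.113.5:137 len=78
May  4 14:03:30 DROP tcp 198.51.100.8:4412 -> 203.0.113.5:139 len=60
"""

# Constructed: the address block the firewall protects (assumption).
MONITORED = ipaddress.ip_network("203.0.113.0/24")

# RFC 1918 private blocks plus the 169.254/16 link-local block Greg filters.
UNROUTED_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len"):
        rec[key] = int(rec[key])
    return rec


def is_netbios_ns_probe(rec):
    """The per-packet signature described in the thread."""
    return (rec["proto"] == "udp" and rec["sport"] == 137
            and rec["dport"] == 137 and rec["len"] == 78)


def is_unrouted_source(ip):
    """True for RFC 1918 and link-local sources, which should never arrive from outside."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UNROUTED_NETS)


def find_sweeps(log_text, min_targets=3):
    """Group matching probes by source; report sources hitting >= min_targets distinct hosts."""
    targets = defaultdict(set)
    packets = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_netbios_ns_probe(rec):
            targets[rec["src"]].add(rec["dst"])
            packets[rec["src"]] += 1

    edge_addrs = {str(MONITORED.network_address), str(MONITORED.broadcast_address)}
    report = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        report[src] = {
            "distinct_targets": len(dsts),
            "packets": packets[src],
            "repeats": packets[src] - len(dsts),        # duplicate probes per host
            "unrouted_source": is_unrouted_source(src),
            "hit_net_or_bcast": bool(dsts & edge_addrs),  # swept the .0 / .255 too
        }
    return report


if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE_LOG).items():
        print(src, info)
```

Only the 192.168.1.77 source crosses the default threshold in the constructed sample: six probes to five distinct hosts (one duplicate), from a private address, including both the network and broadcast addresses. The 169.254.10.5 source is reported if `min_targets` is lowered to 2, and the port-1031 and TCP-139 lines never match the per-packet signature, so a single legitimate name query from a routed host does not raise a sweep report on its own.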