Security Incidents mailing list archives
Re: Strange logs
From: "Fabio Pietrosanti (naif)" <naif () INET IT>
Date: Tue, 2 Jan 2001 13:30:17 +0100
If you look on www.microsoft.com for details about the Microsoft resolver... you'll see that when it looks up a NetBIOS name it:
 first checks lmhosts
 then checks broadcast
 then checks the WINS server
 then checks DNS
so, when it finally checks the DNS server, it is still using src_port:137.

Pietrosanti Fabio
I.NET SpA, High Quality Access to the Internet
e-mail: naif () inet it ( Direzione Tecnica, Security Staff )
        firewall () inet it
PGP Key (DSS): http://naif.itapac.net/naif.asc
Home Page URL: http://www.inet.it
Office: Via Darwin, 85 20019 Settimo Milanese (MI)
Tel: 02-328631 Fax: 02-328637701
--
Free advertising: www.openbsd.org - Multiplatform Ultra-secure OS

On Mon, 1 Jan 2001, Devdas Bhagat wrote:
I am getting UDP packets from port 137 on various machines to port 53 on my secondary nameserver.

Jan 1 19:00:02 ns2 kernel: Packet log: input DENY eth0 PROTO=17 remote ip:137 my_ip:53 L=61 S=0x00 I=62548 F=0x0000 T=222 (#21)
Jan 1 19:00:03 ns2 kernel: Packet log: input DENY eth0 PROTO=17 remote_ip:137 my_ip:53 L=61 S=0x00 I=56959 F=0x0000 T=127 (#21)
Jan 1 19:00:04 ns2 kernel: Packet log: input DENY eth0 PROTO=17 rem_ip2:137 my_ip:53 L=61 S=0x00 I=62804 F=0x0000 T=222 (#21)
Jan 1 19:00:04 ns2 kernel: Packet log: input DENY eth0 PROTO=17 remote_ip:137 my_ip:53 L=61 S=0x00 I=58239 F=0x0000 T=127 (#21)
Jan 1 19:00:05 ns2 kernel: Packet log: input DENY eth0 PROTO=17 rem_ip2:137 my_ip:53 L=61 S=0x00 I=63060 F=0x0000 T=222 (#21)
Jan 1 19:00:07 ns2 kernel: Packet log: input DENY eth0 PROTO=17 remote_ip:137 my_ip:53 L=61 S=0x00 I=60799 F=0x0000 T=127 (#21)
Jan 1 19:00:08 ns2 kernel: Packet log: input DENY eth0 PROTO=17 rem_ip3:137 my_ip:53 L=61 S=0x00 I=58702 F=0x0000 T=126 (#21)
Jan 1 19:00:09 ns2 kernel: Packet log: input DENY eth0 PROTO=17 remote_ip:137 my_ip:53 L=61 S=0x00 I=61311 F=0x0000 T=127 (#21)
Jan 1 19:00:10 ns2 kernel: Packet log: input DENY eth0 PROTO=17 rem_ip3:137 my_ip:53 L=61 S=0x00 I=62286 F=0x0000 T=126 (#21)
Jan 1 19:00:10 ns2 kernel: Packet log: input DENY eth0 PROTO=17 remote_ip:137 my_ip:53 L=61 S=0x00 I=61823 F=0x0000 T=127 (#21)
Jan 1 19:00:11 ns2 kernel: Packet log: input DENY eth0 PROTO=17 rem_ip2:137 my_ip:53 L=60 S=0x00 I=64340 F=0x0000 T=222 (#21)
Jan 1 19:00:11 ns2 kernel: Packet log: input DENY eth0 PROTO=17 rem_ip3:137 my_ip:53 L=61 S=0x00 I=64334 F=0x0000 T=126 (#21)
Jan 1 19:00:13 ns2 kernel: Packet log: input DENY eth0 PROTO=17 rem_ip2:137 my_ip:53 L=60 S=0x00 I=64596 F=0x0000 T=222 (#21)

These have been coming continuously since morning (about 9 hrs now), and currently form half my logfile (rotated on Sunday at 4 am). No such traces on the primary nameserver, and I use the same rules on both. Any explanations of what this could be? An attempted exploit or just a misconfigured File and Print share (given the originating port)?

Devdas Bhagat
--
Age, n.: That period of life in which we compound for the vices that we still cherish by reviling those that we no longer have the enterprise to commit. -- Ambrose Bierce
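The following is an added example, not code from either poster: a small parser for the ipchains "Packet log" lines shown above that counts, per source host, the UDP source-port-137-to-port-53 pattern Fabio attributes to the Windows NetBIOS resolver falling through to DNS, and keeps everything else in a separate bucket so the logfile growth the original poster describes can be attributed to one cause. The log lines in SAMPLE are constructed with documentation addresses; the real post used placeholder names.

```python
import re
from collections import Counter

# ipchains kernel "Packet log" format as it appears in the thread.
LOG_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)

UDP, NETBIOS_NS, DNS = 17, 137, 53

def parse_line(line):
    """Return a dict of fields for one ipchains log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl"):
        rec[key] = int(rec[key])
    return rec

def is_netbios_dns_fallback(rec):
    """UDP from source port 137 to destination port 53: a NetBIOS name-service
    socket that ended up sending a DNS query after lmhosts/broadcast/WINS failed."""
    return rec["proto"] == UDP and rec["sport"] == NETBIOS_NS and rec["dport"] == DNS

def summarise(lines):
    """Count the fallback pattern per source host; everything else goes in `other`."""
    by_src, other = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_netbios_dns_fallback(rec):
            by_src[rec["src"]] += 1
        else:
            other += 1
    return by_src, other

# Constructed sample log (RFC 5737 documentation addresses), not the poster's data.
SAMPLE = """\
Jan  1 19:00:02 ns2 kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:137 198.51.100.5:53 L=61 S=0x00 I=62548 F=0x0000 T=222 (#21)
Jan  1 19:00:03 ns2 kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.20:137 198.51.100.5:53 L=61 S=0x00 I=56959 F=0x0000 T=127 (#21)
Jan  1 19:00:04 ns2 kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:137 198.51.100.5:53 L=61 S=0x00 I=62804 F=0x0000 T=222 (#21)
Jan  1 19:00:05 ns2 kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.30:137 198.51.100.5:53 L=60 S=0x00 I=64340 F=0x0000 T=126 (#21)
Jan  1 19:00:06 ns2 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.40:4321 198.51.100.5:25 L=60 S=0x00 I=1001 F=0x4000 T=50 (#22)
Jan  1 19:00:07 ns2 kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.50:1234 198.51.100.5:53 L=61 S=0x00 I=1002 F=0x0000 T=60 (#21)
"""

if __name__ == "__main__":
    hosts, rest = summarise(SAMPLE.splitlines())
    for src, n in hosts.most_common():
        print(f"{src}: {n} NetBIOS->DNS fallback packets")
    print(f"other denied packets: {rest}")
```

Run against the real logfile (`summarise(open('/var/log/messages'))`) the per-host counts tell you which Windows machines have no working WINS or LMHOSTS entry for whatever name they keep resolving; the DENY rule is doing its job, so the fix belongs on those clients, not on the nameserver.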