Security Incidents mailing list archives

Re: increase in smb scans


From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Fri, 8 Mar 2002 23:41:59 +0100 (CET)

On Fri, 8 Mar 2002, Nathan W. Labadie wrote:

> Has anyone else noticed a _huge_ increase in SMB scans? I'm seeing sweeps 
> of various subnets 5-10 times a day. This started around two weeks ago... 
> they appear to be looking for open \\<netbios-name>\C shares. My guess is 
> that they're looking for machines previously infected with Nimda, but I 
> could be wrong. It shows up as "NETBIOS SMB C access" under snort, and 
> "Tree Connect AndX Request" when the tcpdump is viewed with ethereal. 

What has puzzled me is that I get netbios-ns requests from all over the 
world on an ADSL link. (Just 1 IP address.) They seem to come in at random 
moments from random machines.

This is not what I normally get from netbios-ns. You can have a peek at 
this traffic on http://hvdkooij.xs4all.nl/fwlog/ and choose "Overview 
based on: source IP address and destination port" to get a grasp of what I 
mean.

This odd thing started on March 4. Before that I saw the occasional 
bursts from badly configured machines doing netbios name lookups for my 
machine instead of using DNS.

To me this does not seem extremely alarming at the moment, but it is just 
something I have not seen before.

Hugo.

-- 
All email sent to me is bound to the rules described on my homepage.
    hvdkooij () vanderkooij org         http://hvdkooij.xs4all.nl/
            Don't meddle in the affairs of sysadmins,
            for they are subtle and quick to anger.

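The two observations in this thread (Nathan's subnet sweeps for C$ shares on 139/tcp, Hugo's netbios-ns requests on 137/udp from unrelated sources) both come out of the same firewall-log view Hugo points at: counts per source IP and destination port. The script below is an added example, not code from either poster or from the fwlog pages; it assumes netfilter-style "SRC= DST= PROTO= DPT=" syslog lines (the format of Hugo's log is not shown), and the sample lines are constructed using RFC 5737 documentation addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in netfilter/iptables syslog style. They are not taken
# from the thread or from hvdkooij.xs4all.nl/fwlog; addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
Mar  8 21:02:11 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  8 21:02:11 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.11 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  8 21:02:12 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.12 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  8 21:02:12 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.13 PROTO=TCP SPT=1045 DPT=139 WINDOW=8192 SYN
Mar  8 21:02:12 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.14 PROTO=TCP SPT=1046 DPT=139 WINDOW=8192 SYN
Mar  8 21:05:40 gw kernel: IN=ppp0 OUT= SRC=192.0.2.33 DST=203.0.113.10 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  8 21:07:03 gw kernel: IN=ppp0 OUT= SRC=192.0.2.88 DST=203.0.113.10 PROTO=TCP SPT=2201 DPT=80 WINDOW=65535 SYN
Mar  8 21:07:05 gw sshd[412]: Accepted publickey for hugo from 192.0.2.9 port 50211
"""

# Only the key=value fields needed for the overview; everything else is ignored.
_FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S*)")

# The ports this thread is about: NetBIOS name service (137/udp), NetBIOS session
# service carrying SMB (139/tcp) and direct-hosted SMB (445/tcp).
NETBIOS_SMB_PORTS = {("UDP", 137), ("TCP", 139), ("TCP", 445)}


def parse_line(line):
    """Return {'src','dst','proto','dport'} for a firewall log line, or None when
    the line is not a firewall record (e.g. the sshd line in the sample)."""
    fields = dict(_FIELD_RE.findall(line))
    try:
        return {
            "src": fields["SRC"],
            "dst": fields["DST"],
            "proto": fields["PROTO"].upper(),
            "dport": int(fields["DPT"]),
        }
    except (KeyError, ValueError):
        return None


def summarize_by_source_and_port(lines):
    """Counter keyed (src, proto, dport): the 'overview based on source IP address
    and destination port' that Hugo's fwlog pages present."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec:
            counts[(rec["src"], rec["proto"], rec["dport"])] += 1
    return counts


def netbios_ns_sources(lines):
    """Sorted distinct sources that sent NetBIOS name-service (137/udp) traffic:
    on a single-IP link, growth of this list is the 'random machines' symptom."""
    srcs = {
        r["src"]
        for r in map(parse_line, lines)
        if r and (r["proto"], r["dport"]) == ("UDP", 137)
    }
    return sorted(srcs)


def find_sweeps(lines, min_targets=3):
    """Sources that touched at least `min_targets` distinct destinations on a
    NetBIOS/SMB port. This only works on a log covering several addresses
    (Nathan's subnets); a single-IP link cannot show a sweep this way."""
    targets = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec and (rec["proto"], rec["dport"]) in NETBIOS_SMB_PORTS:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (src, proto, dport), n in sorted(summarize_by_source_and_port(lines).items()):
        print(f"{src:16} {proto}/{dport:<5} {n}")
    print("netbios-ns sources:", netbios_ns_sources(lines))
    for src, dsts in find_sweeps(lines).items():
        print(f"sweep from {src}: {len(dsts)} hosts ({dsts[0]} .. {dsts[-1]})")
```

The sweep detector keys on distinct destinations rather than packet counts, so a chatty but legitimate name lookup against one host (the misconfigured-machine case Hugo mentions) does not trip it, while a source walking a subnet does. Snort's "NETBIOS SMB C access" and the Tree Connect AndX request Nathan mentions are only visible in packet payloads; the firewall log alone tells you who is knocking on 139/445, not which share they asked for.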

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com