Security Incidents mailing list archives

RE: Unusual volume: UDP:137 probes


From: "Bamm (Robert) Visscher" <rvisscher () saball com>
Date: 30 Sep 2002 15:45:19 -0500

FYI: 

Over the weekend we noticed a significant increase in scanning for port
137 (UDP). These scans are distributed across the network and each
packet looks the same. I have posted a packet capture and some scan data
below.


Here are the numbers I am seeing for port 137 scans: 
24 Sep -> 0 
25 Sep -> 0 
26 Sep -> 0 
27 Sep -> 137 
28 Sep -> 1744 
29 Sep -> 3152 
30 Sep -> 4029 w/six hours left (GMT) 

Most of the src IPs belong to ISPs (cable/DSL/dialup providers) all over the
world. This example is from an .edu (basically one big ISP ;) ). Any
insight into whether the activity is malicious (recently released
exploit/scanner/worm/etc.) or broken code from our favorite monopoly is
appreciated. The packet appears to be a standard nbname query except the
broadcast bit is set and the src port != 137.

Bammkkkk 

0x0000: 00 A0 8E 40 62 5A 00 30 A3 10 C8 01 08 00 45 00  ...@bZ.0......E.
0x0010: 00 4E 95 BD 00 00 74 11 99 07 80 F8 3B 6F A2 12  .N....t.....;o..
0x0020: B9 60 04 02 00 89 00 3A A3 CB 01 00 00 10 00 01  .`.....:........
0x0030: 00 00 00 00 00 00 20 43 4B 41 41 41 41 41 41 41  ...... CKAAAAAAA
0x0040: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0x0050: 41 41 41 41 41 41 41 00 00 21 00 01              AAAAAAA..!..

2002-09-30 18:24:01+00 | 128.248.59.111 |     1026 | 162.18.185.255 |      137 |       17 | UDP
2002-09-30 18:24:01+00 | 128.248.59.111 |     1026 | 162.18.185.253 |      137 |       17 | UDP
2002-09-30 18:23:59+00 | 128.248.59.111 |     1026 | 162.18.185.245 |      137 |       17 | UDP
2002-09-30 18:23:59+00 | 128.248.59.111 |     1026 | 162.18.185.243 |      137 |       17 | UDP
2002-09-30 18:23:59+00 | 128.248.59.111 |     1026 | 162.18.185.240 |      137 |       17 | UDP
2002-09-30 18:23:58+00 | 128.248.59.111 |     1026 | 162.18.185.237 |      137 |       17 | UDP
2002-09-30 18:23:58+00 | 128.248.59.111 |     1026 | 162.18.185.236 |      137 |       17 | UDP
2002-09-30 18:23:58+00 | 128.248.59.111 |     1026 | 162.18.185.234 |      137 |       17 | UDP
2002-09-30 18:23:57+00 | 128.248.59.111 |     1026 | 162.18.185.232 |      137 |       17 | UDP
2002-09-30 18:23:57+00 | 128.248.59.111 |     1026 | 162.18.185.227 |      137 |       17 | UDP
2002-09-30 18:23:56+00 | 128.248.59.111 |     1026 | 162.18.185.225 |      137 |       17 | UDP
2002-09-30 18:23:56+00 | 128.248.59.111 |     1026 | 162.18.185.223 |      137 |       17 | UDP
2002-09-30 18:23:56+00 | 128.248.59.111 |     1026 | 162.18.185.221 |      137 |       17 | UDP
2002-09-30 18:23:56+00 | 128.248.59.111 |     1026 | 162.18.185.220 |      137 |       17 | UDP
2002-09-30 18:23:55+00 | 128.248.59.111 |     1026 | 162.18.185.218 |      137 |       17 | UDP
2002-09-30 18:23:55+00 | 128.248.59.111 |     1026 | 162.18.185.215 |      137 |       17 | UDP
2002-09-30 18:23:55+00 | 128.248.59.111 |     1026 | 162.18.185.213 |      137 |       17 | UDP
2002-09-30 18:23:54+00 | 128.248.59.111 |     1026 | 162.18.185.211 |      137 |       17 | UDP
2002-09-30 18:23:53+00 | 128.248.59.111 |     1026 | 162.18.185.206 |      137 |       17 | UDP
2002-09-30 18:23:53+00 | 128.248.59.111 |     1026 | 162.18.185.203 |      137 |       17 | UDP
2002-09-30 18:23:53+00 | 128.248.59.111 |     1026 | 162.18.185.202 |      137 |       17 | UDP
2002-09-30 18:23:53+00 | 128.248.59.111 |     1026 | 162.18.185.200 |      137 |       17 | UDP
2002-09-30 18:23:52+00 | 128.248.59.111 |     1026 | 162.18.185.199 |      137 |       17 | UDP
2002-09-30 18:23:52+00 | 128.248.59.111 |     1026 | 162.18.185.198 |      137 |       17 | UDP
2002-09-30 18:23:52+00 | 128.248.59.111 |     1026 | 162.18.185.195 |      137 |       17 | UDP
2002-09-30 18:23:51+00 | 128.248.59.111 |     1026 | 162.18.185.192 |      137 |       17 | UDP
2002-09-30 18:23:51+00 | 128.248.59.111 |     1026 | 162.18.185.189 |      137 |       17 | UDP
2002-09-30 18:23:51+00 | 128.248.59.111 |     1026 | 162.18.185.188 |      137 |       17 | UDP
2002-09-30 18:23:50+00 | 128.248.59.111 |     1026 | 162.18.185.181 |      137 |       17 | UDP
2002-09-30 18:23:50+00 | 128.248.59.111 |     1026 | 162.18.185.180 |      137 |       17 | UDP
<snip> 



-- 
Bamm (Robert) Visscher
Network Security Engineer
Ball Corp.
http://www.ball.com
rvisscher () saball com 
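The posted packet and scan table, decoded and swept programmatically. This is an added example, not code from the original post: it parses the hex dump above down to the NetBIOS name-service question, reports the two deviations the poster notes (broadcast bit, source port != 137) and what the query actually asks for, then runs a simple sweep detector over flow-log lines in the post's column layout. The column order (time | src | sport | dst | dport | proto | name), the sweep thresholds (four distinct targets within 60 seconds) and the final flow-log line (192.0.2.7) are assumptions made for the example.

```python
# Added example (not from the post): decode the UDP/137 probe above and sweep
# a flow log for hosts walking a subnet on port 137. Assumed flow-log column
# order, as shown in the post: time | src | sport | dst | dport | proto | name.
import struct
from collections import defaultdict
from datetime import datetime

# The 92-byte frame from the post, hex columns only.
FRAME_HEX = (
    "00 A0 8E 40 62 5A 00 30 A3 10 C8 01 08 00 45 00 "
    "00 4E 95 BD 00 00 74 11 99 07 80 F8 3B 6F A2 12 "
    "B9 60 04 02 00 89 00 3A A3 CB 01 00 00 10 00 01 "
    "00 00 00 00 00 00 20 43 4B 41 41 41 41 41 41 41 "
    "41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 "
    "41 41 41 41 41 41 41 00 00 21 00 01"
)
NBNS_PORT = 137
NB_FLAG_BROADCAST = 0x0010  # RFC 1002 NM_FLAGS: B bit
QTYPE_NBSTAT = 0x0021       # node status request (what "nbtstat -A" sends)


def decode_nb_name(encoded):
    """Undo RFC 1001 first-level encoding: each of the 16 name bytes is sent
    as two letters 'A'..'P', one per nibble ('CK' -> 0x2A == '*').
    Returns (name, suffix byte)."""
    if len(encoded) != 32 or any(c not in b"ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a 32-char first-level encoded name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b"\x00 ").decode("ascii", "replace"), raw[15]


def parse_probe(hexdump):
    """Ethernet -> IPv4 -> UDP -> NBNS question section; raises on anything else."""
    frame = bytes.fromhex(hexdump)
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    nb = udp[8:ulen]
    txid, flags, qdcount = struct.unpack("!HHH", nb[:6])
    q = nb[12:]  # question: length byte, 32 encoded chars, 0 terminator, type, class
    if qdcount != 1 or q[0] != 32 or q[33] != 0:
        raise ValueError("unexpected question section")
    name, suffix = decode_nb_name(q[1:33])
    qtype, qclass = struct.unpack("!HH", q[34:38])
    return {
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport, "txid": txid, "flags": flags,
        "opcode": (flags >> 11) & 0xF, "broadcast": bool(flags & NB_FLAG_BROADCAST),
        "name": name, "suffix": suffix, "qtype": qtype, "qclass": qclass,
    }


def probe_findings(pkt):
    """The two deviations the post points out, plus what the query asks for."""
    notes = []
    if pkt["broadcast"]:
        notes.append("broadcast (B) bit set")
    if pkt["sport"] != NBNS_PORT:
        notes.append("source port %d != 137" % pkt["sport"])
    if pkt["qtype"] == QTYPE_NBSTAT and pkt["name"] == "*":
        notes.append("wildcard node-status (NBSTAT) request")
    return notes


# Constructed flow-log sample in the post's column order: the first five
# lines are copied from the post, the last is a made-up single lookup.
FLOW_LOG = """\
2002-09-30 18:24:01+00 | 128.248.59.111 |     1026 | 162.18.185.255 |      137 |       17 | UDP
2002-09-30 18:24:01+00 | 128.248.59.111 |     1026 | 162.18.185.253 |      137 |       17 | UDP
2002-09-30 18:23:59+00 | 128.248.59.111 |     1026 | 162.18.185.245 |      137 |       17 | UDP
2002-09-30 18:23:59+00 | 128.248.59.111 |     1026 | 162.18.185.243 |      137 |       17 | UDP
2002-09-30 18:23:59+00 | 128.248.59.111 |     1026 | 162.18.185.240 |      137 |       17 | UDP
2002-09-30 18:23:58+00 | 192.0.2.7      |      137 | 162.18.185.240 |      137 |       17 | UDP
"""


def sweep_sources(log, min_targets=4, window_s=60):
    """Sources that probe >= min_targets distinct hosts on UDP/137 within
    window_s seconds -> {src: (distinct_targets, span_seconds)}."""
    seen = defaultdict(lambda: {"dsts": set(), "times": []})
    for line in log.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 7 or cols[4] != str(NBNS_PORT) or cols[5] != "17":
            continue
        seen[cols[1]]["dsts"].add(cols[3])
        seen[cols[1]]["times"].append(datetime.strptime(cols[0], "%Y-%m-%d %H:%M:%S+00"))
    hits = {}
    for src, s in seen.items():
        span = (max(s["times"]) - min(s["times"])).total_seconds()
        if len(s["dsts"]) >= min_targets and span <= window_s:
            hits[src] = (len(s["dsts"]), span)
    return hits
```

Running `parse_probe(FRAME_HEX)` shows the encoded name "CKAAAA..." is the wildcard name "*" with question type 0x0021, i.e. a node-status request of the kind `nbtstat -A` sends, which is why every packet looks identical regardless of target; the sweep function keys on distinct destinations per source rather than packet count, so a single host resolving one name is not flagged.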


