Security Incidents mailing list archives

RE: Unusual volume: UDP:137 probes


From: Mark Forsyth <forsythm () optushome com au>
Date: Mon, 30 Sep 2002 18:33:07 +1000


On Monday, September 30, 2002 9:02 AM, John Sage 
[SMTP:jsage () finchhaven com] wrote:
This has received some mention on the UNISOG list and elsewhere, but
not here.

Some people have been seeing unusually high volumes of UDP:137 probes
since about 09/27/02 late, or early 09/28/02.

A few people (who log such things) on the Optus cable network in Australia 
have been seeing it too.
In my case since Sep 20 it's gone ...
Sep 20  2 hits
Sep 21, 22, 23 0 hits
Sep 24 3 hits
Sep 25 0 hits
Sep 26 4 hits
Sep 27 2 hits
Sep 28 156 hits Starting at 02:20 (Aust. EST)
Sep 29 410 hits
Sep 30 406 hits up until 18:24



Funny facts: almost no duplication of source IP address, unless the
source IP is very close to your own.

Same here.


Packet contents seem to be "normal".

Yep. Look normal here too.


ACID summaries for my dialup into AT&T's Seattle WA POP follow.

One list is sorted by date-time, the other's sorted by source IP --
the list sorted by source IP suggests that I'm being probed several times
by IP's in my 12.82.x.x neighborhood, and almost never more than once
by IP's from other netblocks.

Almost no duplicates here either. An interesting thing is that there are 
almost no addresses in my logs that are in .au land.
It'd be interesting if someone on a well connected network would configure 
up a Win95 box as a honeypot and see what happens. For me to do it would 
probably be a waste of time as Optus blocks most NetBIOS ports. They just 
omitted to block 137 UDP for some reason.

Ooroo
Mark Forsyth
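The kind of before/after comparison Mark and John are doing by hand (a handful of UDP/137 hits a day, then a sudden jump, with almost no repeated source addresses except from nearby netblocks) is easy to automate. The script below is an added example and is not code from either poster; it parses a constructed firewall-style log format (date, time, protocol, source:port -> destination:port), counts UDP/137 hits and distinct sources per day, flags a day whose volume is far above the median of the preceding days, and reports what share of sources fall inside the local /16. The local address 12.82.10.20, the source addresses and the log format are all placeholders invented for the example.

```python
"""Baseline-vs-spike check for UDP/137 (NetBIOS name service) probe logs.

Added example, not code from the list posting: parses constructed log
lines, counts UDP/137 hits and distinct sources per day, flags days far
above the preceding baseline, and measures how many sources sit in the
local /16 ("rarely the same IP unless it's near your own").
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed log line format (constructed for this example):
#   YYYY-MM-DD HH:MM:SS PROTO SRC:SPORT -> DST:DPORT
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<proto>UDP|TCP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def netbios_ns_hits(lines):
    """Yield parsed records for UDP datagrams to port 137; skip everything else."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "UDP" and rec["dport"] == 137:
            yield rec

def daily_summary(lines):
    """Map each logged date to (hit count, distinct source count) for UDP/137."""
    hits = defaultdict(int)
    sources = defaultdict(set)
    for rec in netbios_ns_hits(lines):
        hits[rec["date"]] += 1
        sources[rec["date"]].add(rec["src"])
    return {d: (hits[d], len(sources[d])) for d in sorted(hits)}

def spike_days(summary, baseline_days=7, factor=10, min_hits=20):
    """Flag dates whose hits reach factor x the median of the previous
    baseline_days logged dates (threshold never below min_hits).
    Returns [(date, hits, threshold)]; the first date has no baseline."""
    dates = sorted(summary)
    counts = [summary[d][0] for d in dates]
    flagged = []
    for i, d in enumerate(dates):
        prior = counts[max(0, i - baseline_days):i]
        if not prior:
            continue
        threshold = max(min_hits, factor * median(prior))
        if counts[i] >= threshold:
            flagged.append((d, counts[i], threshold))
    return flagged

def neighborhood_share(lines, local_ip, prefix=16):
    """Fraction of distinct UDP/137 sources inside local_ip's /prefix."""
    net = ip_network(f"{local_ip}/{prefix}", strict=False)
    srcs = {rec["src"] for rec in netbios_ns_hits(lines)}
    if not srcs:
        return 0.0
    return sum(1 for s in srcs if ip_address(s) in net) / len(srcs)

def make_sample_lines():
    """Constructed sample log: a few hits a day, then a jump on 2002-09-28,
    loosely following the shape of the counts in the posting. The local
    address 12.82.10.20 and every source address are placeholders."""
    lines = []
    quiet = {"2002-09-24": 3, "2002-09-26": 4, "2002-09-27": 2}
    n = 0
    for date, count in quiet.items():
        for i in range(count):
            n += 1
            lines.append(f"{date} 10:{i:02d}:00 UDP 203.0.113.{n}:137 -> 12.82.10.20:137")
    # Spike day: 36 hits from scattered sources plus 4 from the local /16.
    for i in range(36):
        lines.append(f"2002-09-28 02:{20 + i:02d}:00 UDP 198.51.100.{i + 1}:137 -> 12.82.10.20:137")
    for i in range(4):
        lines.append(f"2002-09-28 03:00:{i:02d} UDP 12.82.{30 + i}.7:137 -> 12.82.10.20:137")
    # Noise that must be ignored: a TCP/139 connection and a malformed line.
    lines.append("2002-09-28 03:10:00 TCP 198.51.100.200:1034 -> 12.82.10.20:139")
    lines.append("garbage line with no structure")
    return lines

if __name__ == "__main__":
    sample = make_sample_lines()
    for date, (hits, distinct) in daily_summary(sample).items():
        print(f"{date}: {hits} hits from {distinct} distinct sources")
    for date, hits, threshold in spike_days(daily_summary(sample)):
        print(f"SPIKE {date}: {hits} hits (threshold {threshold})")
    print(f"sources in local /16: {neighborhood_share(sample, '12.82.10.20'):.1%}")
```

On the constructed sample only 2002-09-28 is flagged (40 hits against a threshold of 30, i.e. ten times the median of the three quiet days), every hit comes from a different source, and about 8% of sources sit in the local /16. The distinct-source count beside the raw hit count is the useful part: a spike made of many one-off sources looks like what both posters describe, whereas a spike dominated by a few repeating sources points at something else entirely.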

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

