Security Incidents mailing list archives
RE: Unusual volume: UDP:137 probes
From: "Brett Procter" <Brett.Procter () bigpond com>
Date: Mon, 30 Sep 2002 22:05:28 +1000
Hmm, Internode ADSL (Adelaide Aust) 15 hits yesterday, 38 so far today (22:04 GMT+10), 1 from local network yesterday, 5 today.

Brett Procter
Config Systems Pty Ltd

-----Original Message-----
From: Mark Forsyth [mailto:forsythm () optushome com au]
Sent: Monday, 30 September 2002 6:33 PM
To: incidents () securityfocus com
Subject: RE: Unusual volume: UDP:137 probes

On Monday, September 30, 2002 9:02 AM, John Sage [SMTP:jsage () finchhaven com] wrote:

> This has received some mention on the UNISOG list and elsewhere, but not here. Some people have been seeing unusually high volumes of UDP:137 probes since about 09/27/02 late, or early 09/28/02.

A few people (who log such things) on the Optus cable network in Australia have been seeing it too. In my case since Sep 20 it's gone ...

Sep 20          2 hits
Sep 21, 22, 23  0 hits
Sep 24          3 hits
Sep 25          0 hits
Sep 26          4 hits
Sep 27          2 hits
Sep 28          156 hits  Starting at 02:20 (Aust. EST)
Sep 29          410 hits
Sep 30          406 hits  up until 18:24

> Funny facts: almost no duplication of source IP address, unless the source IP is very close to your own.

Same here.

> Packet contents seem to be "normal".

Yep. Look normal here too.

> ACID summaries for my dialup into AT&T's Seattle WA POP follow. One list is sorted by date-time, the other's sorted by source IP -- the list sorted by source IP suggests that I'm being probed several times by IP's in my 12.82.x.x neighborhood, and almost never more than once by IP's from other netblocks.

Almost no duplicates here either. An interesting thing is that there are almost no addresses in my logs that are in .au land.

It'd be interesting if someone on a well connected network would configure up a Win95 box as a honeypot and see what happens. For me to do it would probably be a waste of time as Optus blocks most NetBIOS ports. They just omitted to block 137 UDP for some reason.

Ooroo
Mark Forsyth
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
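
Added example (not part of any poster's message): one way to pull the two figures discussed in this thread, daily UDP:137 hit counts and repeat sources inside versus outside your own netblock, out of a firewall log. The log line format, the sample lines, and the 198.51.100.0/24 "local" network (a documentation range standing in for a neighbourhood such as 12.82.x.x) are all constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log (hypothetical format: date time proto src:port -> dst:port).
SAMPLE_LOG = """\
2002-09-27 23:51:02 UDP 203.0.113.9:1026 -> 198.51.100.20:137
2002-09-28 02:20:11 UDP 192.0.2.44:137 -> 198.51.100.20:137
2002-09-28 02:31:40 UDP 198.51.100.77:137 -> 198.51.100.20:137
2002-09-28 03:02:05 UDP 203.0.113.150:1031 -> 198.51.100.20:137
2002-09-28 04:15:59 UDP 198.51.100.77:137 -> 198.51.100.20:137
2002-09-28 04:16:30 TCP 192.0.2.8:4011 -> 198.51.100.20:80
2002-09-29 00:07:13 UDP 198.51.100.77:137 -> 198.51.100.20:137
2002-09-29 01:44:21 UDP 192.0.2.201:137 -> 198.51.100.20:137
2002-09-29 09:30:00 UDP 203.0.113.9:1026 -> 198.51.100.20:445
"""

# Only inbound UDP packets whose destination port is 137 are counted.
LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \S+ UDP (\d+\.\d+\.\d+\.\d+):\d+ -> \S+:137$"
)

def summarize(log_text, local_net):
    """Return hits per day, unique source count, and repeat sources split
    into those inside local_net and those outside it."""
    net = ip_network(local_net)
    per_day, per_source = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # other ports/protocols, or malformed lines
        day, src = m.groups()
        try:
            ip_address(src)
        except ValueError:
            continue  # looks like an IP but is not valid (e.g. 999.1.1.1)
        per_day[day] += 1
        per_source[src] += 1
    repeats = [s for s, n in per_source.items() if n > 1]
    return {
        "per_day": dict(per_day),
        "unique_sources": len(per_source),
        "local_repeats": sorted(s for s in repeats if ip_address(s) in net),
        "remote_repeats": sorted(s for s in repeats if ip_address(s) not in net),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "198.51.100.0/24"))
```

A result with many unique sources, an empty remote_repeats list and a few local_repeats matches the pattern reported above: near-neighbour addresses probe repeatedly, distant ones almost never more than once.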