Security Incidents mailing list archives
UDP/137 scans -- new worm?
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 14 May 2003 16:19:40 -0700
The number of machines probing every IP in our range with UDP/137 seems to be up substantially today, to the point where it's practically DoSsing some of our gateway equipment. These are not routine Windows/NetBIOS activity. Although the "Packet was broadcast" flag is set in the NetBIOS header, they are in fact being sent unicast. The source port in my captured samples is always the same for any given source address. The FCS/Checksum is always wrong. It seems to be random, which argues for a tool that doesn't care about setting it rather than that the address/etc has been spoofed. Are other people seeing this? Anyone know what's causing it? David Gillett ---------------------------------------------------------------------------- *** Wireless LAN Policies for Security & Management - NEW White Paper *** Just like wired networks, wireless LANs require network security policies that are enforced to protect WLANs from known vulnerabilities and threats. Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs. To get your FREE white paper visit us at: http://www.securityfocus.com/AirDefense-incidents ----------------------------------------------------------------------------
Current thread:
- tcp/554 scans Aaron Cheek (May 13)
- Re: tcp/554 scans Maciej Bogucki (May 14)
- RE: tcp/554 scans Manuel Fernandes (May 15)
- UDP/137 scans -- new worm? David Gillett (May 14)
- Re: UDP/137 scans -- new worm? Andrew Simmons (May 15)
- <Possible follow-ups>
- Re: tcp/554 scans Kevin Patz (May 14)
- RE: tcp/554 scans wjnorth (May 16)
- Re: tcp/554 scans Maciej Bogucki (May 14)