Security Incidents mailing list archives
Re: UDP/137 scans -- new worm?
From: Andrew Simmons <andrews () mis-cds com>
Date: Thu, 15 May 2003 12:09:31 +0100
David Gillett wrote:
The number of machines probing every IP in our range with UDP/137 seems to be up substantially today, to the point where it's practically DoSsing some of our gateway equipment. These are not routine Windows/NetBIOS activity. Although the "Packet was broadcast" flag is set in the NetBIOS header, they are in fact being sent unicast. The source port in my captured samples is always the same for any given source address. The FCS/Checksum is always wrong. It seems to be random, which argues for a tool that doesn't care about setting it rather than that the address/etc has been spoofed. Are other people seeing this? Anyone know what's causing it?
It's a few days since I checked the incidents.org charts ( http://isc.incidents.org/ ) but something unusual seems to be going on - unless the "others" definition includes IRC scanning from the Fizzer virus? They show port 139 (NetBIOS ssn) trending up, but no mention of 137. \a
David Gillett
The information contained in this message or any of its attachments may be privileged and confidential and intended for the exclusive use of the addressee. If you are not the addressee any disclosure, reproduction, distribution or other dissemination or use of this communications is strictly prohibited. The views expressed in this e-mail are those of the individual and not necessarily of MIS Corporate Defence Solutions Ltd. Any prices quoted are only valid if followed up by a formal written quote. If you have received this transmission in error, please contact our Security Manager on 44 (0) 1622 723410. ---------------------------------------------------------------------------- *** Wireless LAN Policies for Security & Management - NEW White Paper ***Just like wired networks, wireless LANs require network security policies that are enforced to protect WLANs from known vulnerabilities and threats. Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.
To get your FREE white paper visit us at: http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------
Current thread:
- tcp/554 scans Aaron Cheek (May 13)
- Re: tcp/554 scans Maciej Bogucki (May 14)
- RE: tcp/554 scans Manuel Fernandes (May 15)
- UDP/137 scans -- new worm? David Gillett (May 14)
- Re: UDP/137 scans -- new worm? Andrew Simmons (May 15)
- <Possible follow-ups>
- Re: tcp/554 scans Kevin Patz (May 14)
- RE: tcp/554 scans wjnorth (May 16)
- Re: tcp/554 scans Maciej Bogucki (May 14)