nanog mailing list archives
Re: Strange 192.168. UDP/138 Traffic
From: Richard Welty <rwelty () averillpark net>
Date: Thu, 29 Jan 2004 13:51:39 -0500 (EST)
On Thu, 29 Jan 2004 12:24:15 -0600 Darrell Kristof <darrell.kristof () wholefoods com> wrote:
Hi everyone:
I'm having some strange traffic show up on my PIX. Looking at the "show conn" I have many many machines attempting to make outbound UDP/138 connections to 192.168.x.x addresses. We don't have any 192.168.x.x addresses inside the company. This is blocked at our Internet router, so it's not going out, but still would like to know what this is.
138 is NETBIOS (an MS protocol). look for windows clients that have
somehow gotten it in their head that they need to make a NETBIOS
connection to the cited RFC1918 space.
could this be a side effect of one of the current generation of viruses?
richard
--
Richard Welty rwelty () averillpark net
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
Current thread:
- Re: MS is vulnerable Michael . Dillon (Jan 29)
- RE: MS is vulnerable Christopher J. Wolff (Jan 29)
- RE: MS is vulnerable Matthew Kaufman (Jan 29)
- <Possible follow-ups>
- RE: MS is vulnerable Michel Py (Jan 29)
- Re: MS is vulnerable Jonathan Nichols (Jan 29)
- RE: MS is vulnerable Vivien M. (Jan 29)
- Strange 192.168. UDP/138 Traffic Darrell Kristof (Jan 29)
- Re: Strange 192.168. UDP/138 Traffic Richard Welty (Jan 29)
- Re: MS is vulnerable Jonathan Nichols (Jan 29)
- Re: MS is vulnerable Jason Lixfeld (Jan 29)
- RE: MS is vulnerable Christopher J. Wolff (Jan 29)
- RE: MS is vulnerable Michel Py (Jan 29)
- RE: MS is vulnerable Gregory Hicks (Jan 29)
- RE: MS is vulnerable Michel Py (Jan 29)
- Re: MS is vulnerable Jonathan Nichols (Jan 29)
- Re: MS is vulnerable Robert Blayzor (Jan 29)
- RE: MS is vulnerable Susan Harris (Jan 29)