Snort mailing list archives
RE: portscan destination port 137
From: Security Admin <SecurityAdmin () hyprotech com>
Date: Thu, 14 Nov 2002 12:42:22 -0700
I've seen these regularly over the past couple of weeks. Dshield.org is reporting its top attacking IP is scanning port 137. And incidents.org has the following...

http://isc.incidents.org/port_details.html?port=137

We now believe that these port 137 scans are due to the 'Bugbear' mass mailing virus and the 'Scrup' worm.

Bugbear: http://www.mcafee.com/anti-virus/viruses/bugbear/
Scrup: http://vil.mcafee.com/dispVirus.asp?virus_k=99729
http://isc.incidents.org/analysis.html?id=170

-----Original Message-----
From: twig les [mailto:twigles () yahoo com]
Sent: Thursday, November 14, 2002 12:11 PM
To: Michael; snort-users () sourceforge net
Subject: Re: [Snort-users] portscan destination port 137

Since udp 137 is a well-known M$ port this could be normal, but it's worth checking. No one with a source IP that you don't know should be hitting that port anyway (to be frank, no one at all should be hitting that port). So check the target for vulnerability (file and print sharing, shares, non-renamed administrator account....) and see if the source is an attacker.

--- Michael <snorter () gmx net> wrote:
> Hello !!!
>
> I'm using Snort 1.9.0 and I am getting many alerts (portscans) like this:
>
> 11/07-05:38:45.031223 UDP src: 210.139.70.184 dst: xxx.yyy.zzz.223 sport: 1026 dport: 137 tgts: 8 ports: 8 event_id: 682
>
> Sometimes there are more than a hundred portscans a day. Every time the destination port is 137. Is this a real portscan or something else? Is it possible to ignore portscans to a specific port?
>
> Thanks for your help,
> Michael
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

=====
-----------------------------------------------------------
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself
-----------------------------------------------------------
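
An added example, not part of any poster's message: a Python triage script that parses portscan alert lines in the format Michael quoted and groups the UDP/137 ones by source, so the sources and targets twig les suggests checking can be listed while other portscan lines are kept for separate review. The sample lines and their addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Field layout copied from the alert line quoted in the thread.
LINE_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"src:\s*(?P<src>\S+)\s+dst:\s*(?P<dst>\S+)\s+"
    r"sport:\s*(?P<sport>\d+)\s+dport:\s*(?P<dport>\d+)\s+"
    r"tgts:\s*(?P<tgts>\d+)\s+ports:\s*(?P<ports>\d+)\s+"
    r"event_id:\s*(?P<event_id>\d+)"
)

# Constructed sample lines (documentation address ranges), same format as above.
SAMPLE = """\
11/07-05:38:45.031223 UDP src: 192.0.2.10 dst: 198.51.100.223 sport: 1026 dport: 137 tgts: 8 ports: 8 event_id: 682
11/07-05:38:46.120001 UDP src: 192.0.2.10 dst: 198.51.100.224 sport: 1026 dport: 137 tgts: 9 ports: 9 event_id: 682
11/07-06:02:11.500000 UDP src: 203.0.113.7 dst: 198.51.100.10 sport: 1030 dport: 137 tgts: 12 ports: 12 event_id: 690
11/07-07:15:00.000100 TCP src: 203.0.113.99 dst: 198.51.100.10 sport: 4431 dport: 22 tgts: 1 ports: 14 event_id: 701
this line is not a portscan record
"""

def parse(text):
    """Yield one dict per well-formed portscan line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            # Purely numeric fields become ints; addresses and timestamp stay strings.
            yield {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}

def summarize(records, proto="UDP", dport=137):
    """Return (per-source stats for proto/dport matches, all other records)."""
    hits = defaultdict(lambda: {"lines": 0, "dsts": set(), "max_tgts": 0})
    other = []
    for r in records:
        if r["proto"] == proto and r["dport"] == dport:
            s = hits[r["src"]]
            s["lines"] += 1
            s["dsts"].add(r["dst"])
            s["max_tgts"] = max(s["max_tgts"], r["tgts"])
        else:
            other.append(r)
    return dict(hits), other

if __name__ == "__main__":
    hits, other = summarize(parse(SAMPLE))
    for src, s in sorted(hits.items(), key=lambda kv: -kv[1]["max_tgts"]):
        print(f"{src}: {s['lines']} lines, {len(s['dsts'])} dsts, max tgts {s['max_tgts']}")
    print(f"{len(other)} portscan lines not on UDP/137 left for separate review")
```
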
Current thread:
- portscan destination port 137 Michael (Nov 14)
- Re: portscan destination port 137 twig les (Nov 14)
- <Possible follow-ups>
- Re: portscan destination port 137 Eric Joe (Nov 14)
- Re: portscan destination port 137 twig les (Nov 14)
- RE: portscan destination port 137 Security Admin (Nov 14)
- Re: portscan destination port 137 Axel Pettinger (Nov 14)
- RE: portscan destination port 137 Security Admin (Nov 14)