Snort mailing list archives
Is this an attack in the making?
From: Michael Esposito <michael.esposito () juno com>
Date: Sun, 26 Oct 2003 19:50:50 -0500
I've picked up UDP 137 alerts from several of my internal machines attempting to connect to a machine with an external IP address of 66.223.110.226. When I connect to the web server on that IP address, I notice three files:

Name                Last Modified                  Size   Description
EyeURL.html         Mon Jul 07 15:04:26 EDT 2003   1430   File
HiddenApplet.class  Mon Sep 23 16:47:02 EDT 2002   2090   File
HttpMessage.class   Mon Sep 23 16:47:02 EDT 2002   3842   File

1) What would be causing my machines to attempt to connect to an external udp 137 port?
2) I heard that there was a udp port 137 attack a while back. Can anyone provide me with the specifics on this attack and if a Snort signature rule exists?
3) Are these files on the above-mentioned site malicious?

Thanks,
Michael
Current thread:
- Is this an attack in the making? Michael Esposito (Oct 26)
- Re: Is this an attack in the making? Matt Kettler (Oct 27)