Firewall Wizards mailing list archives
Re: many attempts to Port 137 (NetBIOS-NameService)
From: "K. Graham" <kgraham () ican net>
Date: Fri, 18 Feb 2000 14:45:16 -0700
It sounds like the new VBS Trojan that is being distributed. NAI has put it in their database as of Feb 3/2000. You can find the information at http://vil.nai.com/vil/vbs98477.asp

This trojan uses NetBios to look for open shares on the C: drive. If it finds the open shares then it executes an install program. NAI does not go into what it installs but most Trojan channels on any IRC network may be able to elaborate on what it actually does. Check http://www.nohack.net or http://split.netset.com/miscfix for information. Seeing it is a new trojan it may be a few days before their websites have information to post.

It is becoming more and more frequent to look for open shares on high speed Internet connections. Unfortunately not all people are aware that small programs can be installed that allow remote control of individual PCs from a central or several central locations.

Kim Graham
Network Analyst, CCNA
IRCop DALnet, WebChat

On Wed, 16 Feb 2000, Bill Pennington wrote:

Date: Wed, 16 Feb 2000 17:29:16 -0800
From: Bill Pennington <billp () rocketcash com>
To: Joerg Walter <joerg.walter () members debis at>
Cc: firewall-wizards () nfr net
Subject: Re: many attempts to Port 137 (NetBIOS-NameService)

My guess would be that these are harmless packets getting sent to you by
IIS servers and other NT based web reporting tools. Normally they come
in groups of 3. IIS and other tools attempt to collect additional info
from you when you access an IIS site. They do this via Netbios.

However I am seeing hundreds of UDP/137 attempts from a single IP address
in a very short period of time. I can't figure out why someone
would want to do that since I am silently dropping them at the
firewall.

Must be some new toy the script kiddies have these days.
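Added example, not part of the original posts: a small log triage script that separates the two UDP/137 patterns described in this thread, small groups of lookups versus a burst from a single address. The log format, IP addresses and thresholds are constructed assumptions; adapt the regular expression to your firewall's real output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall drop log (hypothetical format, documentation-range IPs).
SAMPLE_LOG = """\
2000-02-16T17:20:01 DROP UDP 198.51.100.7:137 -> 203.0.113.5:137
2000-02-16T17:20:02 DROP UDP 198.51.100.7:137 -> 203.0.113.5:137
2000-02-16T17:20:04 DROP UDP 198.51.100.7:137 -> 203.0.113.5:137
2000-02-16T17:25:00 DROP TCP 198.51.100.9:4021 -> 203.0.113.5:80
""" + "".join(
    f"2000-02-16T17:29:{s:02d} DROP UDP 192.0.2.44:1025 -> 203.0.113.5:137\n"
    for s in range(40)
)

# Only dropped UDP packets whose destination port is 137 are of interest.
LINE_RE = re.compile(r"^(?P<ts>\S+) DROP UDP (?P<src>[\d.]+):\d+ -> [\d.]+:137$")


def classify_nbns_sources(log_text, window=timedelta(seconds=60), burst=10):
    """Return {src_ip: "lookup" | "burst"} for sources hitting UDP/137.

    "burst"  = at least `burst` packets inside any sliding `window`.
    "lookup" = small groups, like the groups of 3 described in the thread.
    Both thresholds are assumptions to tune against your own traffic.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # other ports, protocols and malformed lines are ignored
            hits[m["src"]].append(datetime.fromisoformat(m["ts"]))

    verdicts = {}
    for src, times in hits.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # slide the left edge of the window forward
            peak = max(peak, end - start + 1)
        verdicts[src] = "burst" if peak >= burst else "lookup"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_nbns_sources(SAMPLE_LOG).items():
        print(src, verdict)
```
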