Security Incidents mailing list archives

regularly 137 and 524 port scan


From: meteor () KISA OR KR (Cho Yongsang)
Date: Fri, 28 Apr 2000 11:03:52 +0900


Hello.

I've got the following log message on my firewall log server.

The log says that an attacker attempts to probe the 524/tcp and 137/udp
ports regularly and simultaneously.

I know that 137/udp is NetBIOS, and 524/tcp is NCP,
but is there any relation between these two ports?

Or is there any scanning tool which is concerned with ports 137 and 524?

Apr 28 04:01:55 denied udp 204.184.172.120(137) -> *.*.*.1(137), 2 packets
Apr 28 04:02:34 denied tcp 204.184.172.120(4691) -> *.*.*.2(524), 2 packets
Apr 28 04:02:54 denied tcp 204.184.172.120(4695) -> *.*.*.3(524), 2 packets
Apr 28 04:03:25 denied tcp 204.184.172.120(4699) -> *.*.*.3(524), 2 packets
Apr 28 04:04:06 denied tcp 204.184.172.120(4705) -> *.*.*.4(524), 2 packets
Apr 28 04:04:48 denied tcp 204.184.172.120(4711) -> *.*.*.5(524), 2 packets
Apr 28 04:05:29 denied tcp 204.184.172.120(4718) -> *.*.*.6(524), 2 packets
Apr 28 04:06:10 denied tcp 204.184.172.120(4724) -> *.*.*.7(524), 2 packets
Apr 28 04:06:44 denied udp 204.184.172.120(137) -> *.*.*.8(137), 2 packets
Apr 28 04:06:51 denied tcp 204.184.172.120(4730) -> *.*.*.8(524), 2 packets
Apr 28 04:07:26 denied udp 204.184.172.120(137) -> *.*.*.9(137), 2 packets
Apr 28 04:08:04 denied tcp 204.184.172.120(4742) -> *.*.*.10(524), 2 packets
Apr 28 04:08:07 denied udp 204.184.172.120(137) -> *.*.*.10(137), 2 packets
Apr 28 04:08:48 denied udp 204.184.172.120(137) -> *.*.*.11(137), 2 packets
Apr 28 04:08:55 denied tcp 204.184.172.120(4755) -> *.*.*.12(524), 2 packets
Apr 28 04:09:05 denied udp 204.184.172.120(137) -> *.*.*.12(137), 2 packets
Apr 28 04:09:16 denied tcp 204.184.172.120(4756) -> *.*.*.12(524), 2 packets
Apr 28 04:09:36 denied tcp 204.184.172.120(4761) -> *.*.*.13(524), 2 packets
Apr 28 04:09:47 denied udp 204.184.172.120(137) -> *.*.*.13(137), 2 packets
Apr 28 04:10:18 denied tcp 204.184.172.120(4767) -> *.*.*.14(524), 2 packets
Apr 28 04:10:28 denied udp 204.184.172.120(137) -> *.*.*.14(137), 2 packets
....................................................
....................................................

--
Cho YongSang, Security Incident Coordinator of CERTCC-KR/KISA
Korea CERT* Coordination Center/Korea Information Security Agency
[E-mail] meteor () kisa or kr, meteor () certcc or kr
[Fax]+82-2-3488-4129   [Phone]+82-2-3488-4127
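
An added example, not part of the original post: one way to check whether the 137/udp and 524/tcp probes in a deny log like the one above belong to a single sweep is to group entries by source and list the destinations hit on more than one service. The function names and report layout are assumptions made for illustration; the sample entries are copied from the log in the post.

```python
import re
from collections import defaultdict

# A few entries copied from the log in the post (destinations masked as posted).
SAMPLE_LOG = """\
Apr 28 04:01:55 denied udp 204.184.172.120(137) -> *.*.*.1(137), 2 packets
Apr 28 04:02:34 denied tcp 204.184.172.120(4691) -> *.*.*.2(524), 2 packets
Apr 28 04:06:44 denied udp 204.184.172.120(137) -> *.*.*.8(137), 2 packets
Apr 28 04:06:51 denied tcp 204.184.172.120(4730) -> *.*.*.8(524), 2 packets
Apr 28 04:08:04 denied tcp 204.184.172.120(4742) -> *.*.*.10(524), 2 packets
Apr 28 04:08:07 denied udp 204.184.172.120(137) -> *.*.*.10(137), 2 packets
Apr 28 04:08:48 denied udp 204.184.172.120(137) -> *.*.*.11(137), 2 packets
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.*]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+)\s+packets?$"
)

def parse(text):
    """Rejoin entries wrapped before 'packets', then yield one dict per entry."""
    text = re.sub(r",\s*(\d+)\s*\n\s*packets", r", \1 packets", text)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(entries):
    """Per source: distinct destinations per service, and multi-service targets."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in entries:
        seen[e["src"]][f'{e["dport"]}/{e["proto"]}'].add(e["dst"])
    report = {}
    for src, services in seen.items():
        hits = defaultdict(int)
        for dsts in services.values():
            for dst in dsts:
                hits[dst] += 1
        report[src] = {
            "services": {svc: len(dsts) for svc, dsts in services.items()},
            "multi_service_targets": sorted(d for d, n in hits.items() if n > 1),
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(parse(SAMPLE_LOG)).items():
        print(src, info)
```

A source that touches many consecutive destinations on the same small set of services, with the same hosts appearing under both, is consistent with one scanner or one misconfigured client walking the address range rather than two unrelated events.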


