Security Incidents mailing list archives

Lots netbios scans (udp 137)


From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Mon, 1 May 2000 11:50:18 +1200


Hi,
        Over the last few days I have seen four or five 'short' scans
of udp 137 ports in various parts of our /16 network address space.

These scans seem to start at address 1 in a random class C and then
probe in an ascending sequence -- sometimes stopping short of
address 254.  Three packets to each address and around 5 - 7 seconds
between addresses suggests that this is something using standard
netbios calls. Since we block 137 on our DMZ I have not been able to
observe what happens when a machine responds.

I am wondering if this is a new worm working through open shares; it
certainly looks similar to the report from Bryce Alexander at

http://www.sans.org/y2k/honeypot_catch.htm.

If it is, then it looks as if it is being very successful.  The scans I
logged came from all over the world.

Cheers, Russell.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand.

PS. here's the argus logs for the start of one scan,
Times are UTC +120 if anyone cares...

29 Apr 00 00:18:07      udp   209.82.89.212.137    ->   130.216.128.1.137   3      0       174       0        TIM
29 Apr 00 00:18:14      udp   209.82.89.212.137    ->   130.216.128.2.137   3      0       174       0        TIM
29 Apr 00 00:18:22      udp   209.82.89.212.137    ->   130.216.128.3.137   3      0       174       0        TIM
29 Apr 00 00:18:29      udp   209.82.89.212.137    ->   130.216.128.4.137   3      0       174       0        TIM
29 Apr 00 00:18:37      udp   209.82.89.212.137    ->   130.216.128.5.137   3      0       174       0        TIM
29 Apr 00 00:18:44      udp   209.82.89.212.137    ->   130.216.128.6.137   2      0       116       0        TIM
29 Apr 00 00:18:52      udp   209.82.89.212.137    ->   130.216.128.7.137   3      0       174       0        TIM
29 Apr 00 00:19:00      udp   209.82.89.212.137    ->   130.216.128.8.137   3      0       174       0        TIM
29 Apr 00 00:19:07      udp   209.82.89.212.137    ->   130.216.128.9.137   3      0       174       0        TIM
29 Apr 00 00:19:15      udp   209.82.89.212.137    ->  130.216.128.10.137   3      0       174       0        TIM
29 Apr 00 00:19:22      udp   209.82.89.212.137    ->  130.216.128.11.137   3      0       174       0        TIM
29 Apr 00 00:19:30      udp   209.82.89.212.137    ->  130.216.128.12.137   3      0       174       0        TIM
29 Apr 00 00:19:37      udp   209.82.89.212.137    ->  130.216.128.13.137   3      0       174       0        TIM
29 Apr 00 00:19:45      udp   209.82.89.212.137    ->  130.216.128.14.137   3      0       174       0        TIM
29 Apr 00 00:19:53      udp   209.82.89.212.137    ->  130.216.128.15.137   3      0       174       0        TIM
29 Apr 00 00:20:00      udp   209.82.89.212.137    ->  130.216.128.16.137   3      0       174       0        TIM
29 Apr 00 00:20:08      udp   209.82.89.212.137    ->  130.216.128.17.137   3      0       174       0        TIM
29 Apr 00 00:20:15      udp   209.82.89.212.137    ->  130.216.128.18.137   3      0       174       0        TIM

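As an added example (not part of Russell's post or of argus itself), a small Python detector that parses lines in the argus layout quoted above and flags, per source and destination /24, an ascending udp/137 sweep with regular inter-address gaps. The sample lines are the ones from the post; the thresholds (min_hosts, max_gap) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address
from statistics import mean

# Constructed sample in the argus layout quoted in the post: date, proto,
# src.port -> dst.port, src pkts, dst pkts, src bytes, dst bytes, state.
SAMPLE_LOG = """\
29 Apr 00 00:18:07      udp   209.82.89.212.137    ->   130.216.128.1.137   3      0       174       0        TIM
29 Apr 00 00:18:14      udp   209.82.89.212.137    ->   130.216.128.2.137   3      0       174       0        TIM
29 Apr 00 00:18:22      udp   209.82.89.212.137    ->   130.216.128.3.137   3      0       174       0        TIM
29 Apr 00 00:18:29      udp   209.82.89.212.137    ->   130.216.128.4.137   3      0       174       0        TIM
29 Apr 00 00:18:37      udp   209.82.89.212.137    ->   130.216.128.5.137   3      0       174       0        TIM
29 Apr 00 00:18:44      udp   209.82.89.212.137    ->   130.216.128.6.137   2      0       116       0        TIM
29 Apr 00 00:18:52      udp   209.82.89.212.137    ->   130.216.128.7.137   3      0       174       0        TIM
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+)\.(?P<dport>\d+)\s+(?P<spkts>\d+)"
)

def parse_argus(text):
    """Yield (timestamp, src, dst, src_pkts) for flows to udp/137 in this layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "udp" or m["dport"] != "137":
            continue
        ts = datetime.strptime(m["ts"], "%d %b %y %H:%M:%S")
        yield ts, m["src"], ip_address(m["dst"]), int(m["spkts"])

def find_sequential_sweeps(text, min_hosts=5, max_gap=30.0):
    """Return one dict per (source, /24) whose destinations strictly ascend and
    whose consecutive probes are at most max_gap seconds apart (assumed thresholds)."""
    flows = defaultdict(list)
    for ts, src, dst, pkts in parse_argus(text):
        flows[(src, str(dst).rsplit(".", 1)[0])].append((ts, dst, pkts))
    sweeps = []
    for (src, net), recs in flows.items():
        recs.sort()  # chronological order of probes within this /24
        if len(recs) < min_hosts:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        ascending = all(a[1] < b[1] for a, b in zip(recs, recs[1:]))
        if ascending and max(gaps) <= max_gap:
            sweeps.append({"src": src, "net": net + ".0/24", "hosts": len(recs),
                           "mean_gap_s": round(mean(gaps), 1),
                           "pkts_per_host": sorted({r[2] for r in recs})})
    return sweeps
```

On the sample it reports one sweep from 209.82.89.212 over 130.216.128.0/24 with a mean gap of 7.5 s and 2 or 3 packets per host, matching the pattern Russell describes.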
