Security Incidents mailing list archives

Netbios name scans


From: Andy Duncan <andyduncan () MOTIVES CO UK>
Date: Mon, 18 Dec 2000 14:48:13 -0000

Does anyone know what would cause this pattern of Netbios name scans:

Dec 18 12:52:02 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
64.69.177.104:137 a.b.c.d:137 L=78 S=0x00 I=1869 F=0x0000 T=119 (#21)
Dec 18 12:52:03 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
64.69.177.75:137 a.b.c.d:137 L=78 S=0x00 I=2125 F=0x0000 T=119 (#21)
Dec 18 12:52:03 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
10.253.68.34:137 a.b.c.d:137 L=78 S=0x00 I=2381 F=0x0000 T=119 (#21)
Dec 18 12:52:04 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
10.253.68.34:137 a.b.c.d:137 L=78 S=0x00 I=56653 F=0x0000 T=119 (#21)
Dec 18 12:52:04 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
64.69.177.104:137 a.b.c.d:137 L=78 S=0x00 I=57165 F=0x0000 T=119 (#21)
Dec 18 12:52:04 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
64.69.177.75:137 a.b.c.d:137 L=78 S=0x00 I=56909 F=0x0000 T=119 (#21)
Dec 18 12:52:05 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
64.69.177.104:137 a.b.c.d:137 L=78 S=0x00 I=35150 F=0x0000 T=119 (#21)
Dec 18 12:52:05 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
64.69.177.75:137 a.b.c.d:137 L=78 S=0x00 I=35406 F=0x0000 T=119 (#21)
Dec 18 12:52:05 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
10.253.68.34:137 a.b.c.d:137 L=78 S=0x00 I=35662 F=0x0000 T=119 (#21)

This same pattern has occurred four times over the last few days.  I'm
guessing this is some automated scanning tool or a vbs worm, but I
haven't seen one that spoofs on 10.x.x.x addresses.

Andy
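
An added example, not part of the original post: a Python sketch that parses the kernel "Packet log" entries quoted above (including the archive's line wrap), groups the UDP/137 probes by source, and flags sources in private address space arriving on the external interface. The function names are hypothetical; the sample holds three entries copied from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Three entries copied from the post, wrapped as they appear in the archive.
SAMPLE = """\
Dec 18 12:52:02 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
64.69.177.104:137 a.b.c.d:137 L=78 S=0x00 I=1869 F=0x0000 T=119 (#21)
Dec 18 12:52:03 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
64.69.177.75:137 a.b.c.d:137 L=78 S=0x00 I=2125 F=0x0000 T=119 (#21)
Dec 18 12:52:03 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
10.253.68.34:137 a.b.c.d:137 L=78 S=0x00 I=2381 F=0x0000 T=119 (#21)
"""

# The \s+ after PROTO= absorbs the line wrap between the two halves of an entry.
ENTRY = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=\S+ I=(?P<ipid>\d+) F=\S+ T=(?P<ttl>\d+)"
)

def parse(text):
    """Return one dict of fields per logged packet."""
    return [m.groupdict() for m in ENTRY.finditer(text)]

def summarize(entries, dport="137"):
    """Group UDP probes to dport by source: count, TTLs seen, private-range flag."""
    by_src = defaultdict(lambda: {"count": 0, "ttls": set(), "private": False})
    for e in entries:
        if e["proto"] != "17" or e["dport"] != dport:
            continue
        s = by_src[e["src"]]
        s["count"] += 1
        s["ttls"].add(int(e["ttl"]))
        s["private"] = ipaddress.ip_address(e["src"]).is_private
    return dict(by_src)

def private_sources(summary):
    """Sources in private address space, which should not arrive on an external link."""
    return sorted(src for src, s in summary.items() if s["private"])

if __name__ == "__main__":
    for src, s in summarize(parse(SAMPLE)).items():
        note = "private-range source on external interface" if s["private"] else ""
        print(src, s["count"], sorted(s["ttls"]), note)
```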

