Security Incidents mailing list archives

Re: Netbios name scans


From: Adrian Brinton <abrinton () ESURANCE COM>
Date: Mon, 18 Dec 2000 18:48:45 -0800

Yes, it's a trojan, VBS worm I think. Each one of those IPs will have a
world-writable share. Check out net view \\IP from a Windows box and see
what's available... there's usually a file called network.vbs in the root of
C.

-----Original Message-----
From: Andy Duncan [mailto:andyduncan () MOTIVES CO UK]
Sent: Monday, December 18, 2000 6:48 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Netbios name scans


Does anyone know what would cause this pattern of Netbios name scans:

Dec 18 12:52:02 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
64.69.177.104:137 a.b.c.d:137 L=78 S=0x00 I=1869 F=0x0000 T=119 (#21)
Dec 18 12:52:03 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
64.69.177.75:137 a.b.c.d:137 L=78 S=0x00 I=2125 F=0x0000 T=119 (#21)
Dec 18 12:52:03 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
10.253.68.34:137 a.b.c.d:137 L=78 S=0x00 I=2381 F=0x0000 T=119 (#21)
Dec 18 12:52:04 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
10.253.68.34:137 a.b.c.d:137 L=78 S=0x00 I=56653 F=0x0000 T=119 (#21)
Dec 18 12:52:04 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
64.69.177.104:137 a.b.c.d:137 L=78 S=0x00 I=57165 F=0x0000 T=119 (#21)
Dec 18 12:52:04 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
64.69.177.75:137 a.b.c.d:137 L=78 S=0x00 I=56909 F=0x0000 T=119 (#21)
Dec 18 12:52:05 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
64.69.177.104:137 a.b.c.d:137 L=78 S=0x00 I=35150 F=0x0000 T=119 (#21)
Dec 18 12:52:05 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
64.69.177.75:137 a.b.c.d:137 L=78 S=0x00 I=35406 F=0x0000 T=119 (#21)
Dec 18 12:52:05 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17
10.253.68.34:137 a.b.c.d:137 L=78 S=0x00 I=35662 F=0x0000 T=119 (#21)

This same pattern has occurred four times over the last few days.  I'm
guessing this is some automated scanning tool or a VBS worm, but I
haven't seen one that spoofs on 10.x.x.x addresses.

Andy
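Below is an added example, not code from the thread or from either poster, that parses ipchains-style kernel "Packet log" lines like the ones Andy quoted and checks them for what the thread discusses: UDP 137 to 137 name-service probes repeated from several sources within a short window, and a private-range source (the 10.x.x.x address Andy points out) arriving on the external interface. The sample lines are the ones from the post, re-joined onto single lines where the archive wrapped them, plus one constructed unrelated TCP line so the filter has something to skip; the destination stays masked as a.b.c.d exactly as posted. The regex, thresholds and the "uniform TTL" hint are my own assumptions, not anything the thread states.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample: the nine lines from Andy's message re-joined onto single
# lines, plus one unrelated TCP line (198.51.100.7 is a documentation address).
SAMPLE_LOG = """\
Dec 18 12:52:02 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 64.69.177.104:137 a.b.c.d:137 L=78 S=0x00 I=1869 F=0x0000 T=119 (#21)
Dec 18 12:52:03 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 64.69.177.75:137 a.b.c.d:137 L=78 S=0x00 I=2125 F=0x0000 T=119 (#21)
Dec 18 12:52:03 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 10.253.68.34:137 a.b.c.d:137 L=78 S=0x00 I=2381 F=0x0000 T=119 (#21)
Dec 18 12:52:04 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 10.253.68.34:137 a.b.c.d:137 L=78 S=0x00 I=56653 F=0x0000 T=119 (#21)
Dec 18 12:52:04 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 64.69.177.104:137 a.b.c.d:137 L=78 S=0x00 I=57165 F=0x0000 T=119 (#21)
Dec 18 12:52:04 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 64.69.177.75:137 a.b.c.d:137 L=78 S=0x00 I=56909 F=0x0000 T=119 (#21)
Dec 18 12:52:05 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 64.69.177.104:137 a.b.c.d:137 L=78 S=0x00 I=35150 F=0x0000 T=119 (#21)
Dec 18 12:52:05 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 64.69.177.75:137 a.b.c.d:137 L=78 S=0x00 I=35406 F=0x0000 T=119 (#21)
Dec 18 12:52:05 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 10.253.68.34:137 a.b.c.d:137 L=78 S=0x00 I=35662 F=0x0000 T=119 (#21)
Dec 18 12:53:10 gw kernel: Packet log: ext-in DENY ppp0 PROTO=6 198.51.100.7:4321 a.b.c.d:80 L=60 S=0x00 I=1 F=0x4000 T=51 (#30)
"""

# Assumed layout of an ipchains "Packet log" line (my regex, written from the
# quoted lines): timestamp host chain action iface PROTO src:sport dst:dport
# L=len S=tos I=ipid F=frag T=ttl (#rule). The dst may be a masked token.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[^\s:]+):(?P<sport>\d+) (?P<dst>[^\s:]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x[0-9a-fA-F]+ I=(?P<ipid>\d+) F=0x[0-9a-fA-F]+ "
    r"T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?$"
)


def parse_line(line):
    """Parse one kernel log line into a dict; return None for non-matching lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    return rec


def is_netbios_name_probe(rec):
    """UDP from port 137 to port 137 is NetBIOS Name Service traffic.
    (The 78-byte total in the post is the size of an IP+UDP+NBSTAT name query;
    the length is not required here so other name-service queries also match.)"""
    return rec["proto"] == 17 and rec["sport"] == 137 and rec["dport"] == 137


def is_private_source(src):
    """True for RFC 1918, loopback and link-local sources: such addresses
    should never arrive on an external link, so they are spoofed or leaked."""
    try:
        return ipaddress.ip_address(src).is_private
    except ValueError:  # masked or malformed token such as a.b.c.d
        return False


def analyze(log_text, min_sources=2, min_hits=2):
    """Summarise NetBIOS name-service probes: hits per source, private-range
    ("bogon") sources, TTLs seen, and whether the repeated multi-source sweep
    from the thread is present. Thresholds are assumptions, not from the post."""
    probes = [r for r in map(parse_line, log_text.splitlines())
              if r and is_netbios_name_probe(r)]
    hits = Counter(r["src"] for r in probes)
    ttls = sorted({r["ttl"] for r in probes})
    return {
        "probes": len(probes),
        "hits": dict(hits),
        "bogon_sources": sorted(s for s in hits if is_private_source(s)),
        "ttls": ttls,
        "sweep_pattern": len(hits) >= min_sources
                         and all(n >= min_hits for n in hits.values()),
        # Heuristic hint only: every source (including the private one)
        # showing the same TTL is consistent with a shared origin or path.
        "uniform_ttl": len(ttls) == 1,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run as-is it reports nine probes, three hits from each of the three sources, 10.253.68.34 as the only private-range source, a single TTL of 119, and the sweep pattern present; the unrelated TCP line parses but is excluded by the port filter. Feeding a real firewall log through `analyze` gives a quick way to separate a worm-style name-service sweep from one-off NetBIOS noise and to flag private-range sources that an external interface should be dropping anyway.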
