Security Incidents mailing list archives
Re: Weird UDP packets
From: RichC () LOEHMANNS COM (Rich Corbett)
Date: Tue, 7 Mar 2000 09:06:34 -0500
Damian,

24 & 209 networks are cablemodem networks - optonline.net & @home.com - I believe... Could be some MS script kiddies running some sort of netbios scans. I have a cablemodem at my house and I receive at least 20 probes a day - 10% come from these networks.

G'Luck
Rich

-----Original Message-----
From: Damian Gerow [mailto:damian () ITACTICS COM]
Sent: Monday, March 06, 2000 3:55 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Weird UDP packets

I've been watching my firewall logs, and in the past week something has cropped up. The firewall (all packets _do_ have a destination of the firewall) is a filtering, forwarding firewall protecting both Linux and NT servers. It does not run Samba, only SSH. The weird part of it is that packets are coming from port 137 and going to port 137, and always three packets from a different source each time. Can anyone help me with this one?

Mar 3 04:57:42 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 24.161.140.236:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=3411 T=112
Mar 3 04:57:43 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 24.161.140.236:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=3667 T=112
Mar 3 04:57:45 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 24.161.140.236:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=4179 T=112
Mar 4 00:15:42 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 209.184.120.232:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=47942 T=110
Mar 4 00:15:43 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 209.184.120.232:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=48198 T=110
Mar 4 00:15:45 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 209.184.120.232:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=48454 T=110
Mar 4 13:40:06 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 209.99.67.16:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=28395 T=112
Mar 4 13:40:07 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 209.99.67.16:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=28651 T=112
Mar 4 13:40:09 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 209.99.67.16:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=28907 T=112
Mar 5 20:51:03 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 150.100.100.11:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=51733 T=122
Mar 5 20:51:04 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 150.100.100.11:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=59925 T=122
Mar 5 20:51:06 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 150.100.100.11:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=790 T=122
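One way to pull the pattern described in the quoted message (UDP from port 137 to port 137, three packets per source) out of a firewall log, as an added example that is not part of the original thread. The sample lines are constructed with documentation-range addresses, and the function names, the 5-second grouping window and the year applied to the timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the "Packet log:" layout quoted in the post
# (documentation-range addresses, not the hosts from the thread).
SAMPLE = """\
Mar 3 04:57:42 fw kernel: Packet log: unserved DENY eth0 PROTO=UDP 192.0.2.10:137 198.51.100.1:137 L=78 S=0x00 I=3411 T=112
Mar 3 04:57:43 fw kernel: Packet log: unserved DENY eth0 PROTO=UDP 192.0.2.10:137 198.51.100.1:137 L=78 S=0x00 I=3667 T=112
Mar 3 04:57:45 fw kernel: Packet log: unserved DENY eth0 PROTO=UDP 192.0.2.10:137 198.51.100.1:137 L=78 S=0x00 I=4179 T=112
Mar 3 09:10:00 fw kernel: Packet log: unserved DENY eth0 PROTO=UDP 192.0.2.200:137 198.51.100.1:137 L=78 S=0x00 I=100 T=50
Mar 3 11:00:00 fw kernel: Packet log: unserved DENY eth0 PROTO=TCP 192.0.2.10:1025 198.51.100.1:23 L=44 S=0x00 I=9 T=112
Mar 4 00:15:42 fw kernel: Packet log: unserved DENY eth0 PROTO=UDP 192.0.2.77:137 198.51.100.1:137 L=78 S=0x00 I=47942 T=110
Mar 4 00:15:43 fw kernel: Packet log: unserved DENY eth0 PROTO=UDP 192.0.2.77:137 198.51.100.1:137 L=78 S=0x00 I=48198 T=110
Mar 4 00:15:45 fw kernel: Packet log: unserved DENY eth0 PROTO=UDP 192.0.2.77:137 198.51.100.1:137 L=78 S=0x00 I=48454 T=110
""".splitlines()

# Timestamp, protocol, source address/port and destination port of one entry.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+kernel: Packet log: \S+ \S+ \S+ "
    r"PROTO=(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) \S+:(?P<dport>\d+)")

def parse(lines, year=2000):  # syslog timestamps carry no year; 2000 is assumed
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["proto"], int(m["sport"]), int(m["dport"])

def nbns_bursts(lines, window=timedelta(seconds=5), min_packets=3):
    """Return (source, first_seen, packets) for each 137->137 UDP burst."""
    by_src = defaultdict(list)
    for ts, src, proto, sport, dport in parse(lines):
        if proto in ("UDP", "17") and sport == dport == 137:  # name or number
            by_src[src].append(ts)
    bursts = []
    for src, times in by_src.items():
        times.sort()
        start, count = times[0], 1
        for t in times[1:] + [None]:  # trailing None flushes the last group
            if t is not None and t - start <= window:
                count += 1
                continue
            if count >= min_packets:
                bursts.append((src, start, count))
            start, count = t, 1
    return sorted(bursts, key=lambda b: b[1])

for src, start, count in nbns_bursts(SAMPLE):
    print(f"{start:%b %d %H:%M:%S}  {src:<15}  {count} packets 137->137")
```

Lowering `min_packets` to 1 also lists sources that sent a single 137-to-137 packet, which helps separate the three-packet pattern from other port 137 traffic.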