Security Incidents mailing list archives

Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity


From: bryan () VISI COM (Bryan Andersen)
Date: Tue, 28 Mar 2000 16:06:39 -0600


I too have seen this behavior.  I block them at my firewall, but the
numbers have dramatically increased for port 137 scans that hit every
IP# in my micro net address range.  Before Feb I'd see one a month at
most.

For the week of * I've seen:
    Feb 27: 3
    Mar  5: 5
    Mar 12: 8
    Mar 19: 4
    Mar 26: 3 so far

I have a /30 net routed to me so I see traffic for 4 IP addresses.
IP# *.18 is my DSL router so I don't see messages to it.  I know I
wasn't on the net last night at that time, and the address wasn't
accessing my web server either.

These log events from yesterday are typical of what I'd see:

Mar 27 22:00:25 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00
I=63748 F=0x0000 T=112
Mar 27 22:00:27 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00
I=5381 F=0x0000 T=112
Mar 27 22:00:28 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00
I=5637 F=0x0000 T=112
Mar 27 22:00:36 input PROTO=17 204.210.104.156:137 *.17:137 L=78 S=0x00
I=58373 F=0x0000 T=112
Mar 27 22:00:37 input PROTO=17 204.210.104.156:137 *.17:137 L=78 S=0x00
I=58629 F=0x0000 T=112
Mar 27 22:00:39 input PROTO=17 204.210.104.156:137 *.17:137 L=78 S=0x00
I=59141 F=0x0000 T=112
Mar 27 22:00:57 input PROTO=17 204.210.104.156:137 *.19:137 L=78 S=0x00
I=4360 F=0x0000 T=112
Mar 27 22:00:58 input PROTO=17 204.210.104.156:137 *.19:137 L=78 S=0x00
I=4616 F=0x0000 T=112
Mar 27 22:01:00 input PROTO=17 204.210.104.156:137 *.19:137 L=78 S=0x00
I=4872 F=0x0000 T=112

This is a set from two sites very nicely meshed (Are they
racing each other?):

Mar 23 18:39:48 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00
I=29440 F=0x0000 T=111
Mar 23 18:39:48 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00
I=29184 F=0x0000 T=111
Mar 23 18:39:50 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00
I=29696 F=0x0000 T=111
Mar 23 18:39:50 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00
I=29952 F=0x0000 T=111
Mar 23 18:39:51 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00
I=30464 F=0x0000 T=111
Mar 23 18:39:51 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00
I=30720 F=0x0000 T=111
Mar 23 18:39:59 input PROTO=17 200.200.200.1:137 *.17:137 L=78 S=0x00
I=32000 F=0x0000 T=113
Mar 23 18:39:59 input PROTO=17 207.194.22.39:137 *.17:137 L=78 S=0x00
I=32256 F=0x0000 T=111
Mar 23 18:40:01 input PROTO=17 200.200.200.1:137 *.17:137 L=78 S=0x00
I=32512 F=0x0000 T=113
Mar 23 18:40:01 input PROTO=17 207.194.22.39:137 *.17:137 L=78 S=0x00
I=32768 F=0x0000 T=111
Mar 23 18:40:02 input PROTO=17 200.200.200.1:137 *.17:137 L=78 S=0x00
I=33024 F=0x0000 T=113
Mar 23 18:40:02 input PROTO=17 207.194.22.39:137 *.17:137 L=78 S=0x00
I=33280 F=0x0000 T=111
Mar 23 18:40:23 input PROTO=17 200.200.200.1:137 *.19:137 L=78 S=0x00
I=38144 F=0x0000 T=111
Mar 23 18:40:23 input PROTO=17 207.194.22.39:137 *.19:137 L=78 S=0x00
I=38400 F=0x0000 T=111
Mar 23 18:40:25 input PROTO=17 200.200.200.1:137 *.19:137 L=78 S=0x00
I=38656 F=0x0000 T=111
Mar 23 18:40:25 input PROTO=17 207.194.22.39:137 *.19:137 L=78 S=0x00
I=38912 F=0x0000 T=111
Mar 23 18:40:26 input PROTO=17 200.200.200.1:137 *.19:137 L=78 S=0x00
I=39168 F=0x0000 T=111
Mar 23 18:40:26 input PROTO=17 207.194.22.39:137 *.19:137 L=78 S=0x00
I=39424 F=0x0000 T=111

--
|  Bryan Andersen   |   bryan () visi com   |   http://softail.visi.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |
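
As an added example (not part of the original post), this sketch parses firewall log entries in the trimmed format quoted above, rejoins the mail-wrapped lines, and reports sources that probed UDP port 137 on several hosts of the range. The sample entries, the documentation-range source addresses, and the names `unwrap` and `find_sweeps` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the trimmed log format shown in the post, including
# the mail-wrapped continuation lines. Source addresses are documentation ranges.
SAMPLE = """\
Mar 27 22:00:25 input PROTO=17 192.0.2.10:137 *.16:137 L=78 S=0x00
I=63748 F=0x0000 T=112
Mar 27 22:00:36 input PROTO=17 192.0.2.10:137 *.17:137 L=78 S=0x00
I=58373 F=0x0000 T=112
Mar 27 22:00:57 input PROTO=17 192.0.2.10:137 *.19:137 L=78 S=0x00
I=4360 F=0x0000 T=112
Mar 27 22:01:00 input PROTO=17 192.0.2.10:137 *.19:137 L=78 S=0x00
I=4872 F=0x0000 T=112
Mar 27 22:03:11 input PROTO=17 198.51.100.7:137 *.16:137 L=78 S=0x00
I=1200 F=0x0000 T=120
Mar 27 22:04:02 input PROTO=6 192.0.2.10:1045 *.17:80 L=44 S=0x00
I=700 F=0x0000 T=112
"""

ENTRY = re.compile(r"^\w{3}\s+\d+ [\d:]{8} input PROTO=(\d+) "
                   r"([\d.]+):\d+ (\S+):(\d+) L=\d+.*?\bT=(\d+)")

def unwrap(text):
    """Rejoin entries that mail wrapping split before the I= field."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("I=") and entries:
            entries[-1] += " " + line
        else:
            entries.append(line)
    return entries

def find_sweeps(text, port=137, min_hosts=3):
    """Report sources that probed >= min_hosts distinct hosts on UDP `port`."""
    hosts, packets, ttls = defaultdict(set), defaultdict(int), defaultdict(set)
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        proto, src, dst, dport, ttl = m.groups()
        if proto != "17" or int(dport) != port:  # 17 = UDP
            continue
        hosts[src].add(dst)
        packets[src] += 1
        ttls[src].add(int(ttl))
    return {s: {"hosts": sorted(h), "packets": packets[s], "ttls": sorted(ttls[s])}
            for s, h in hosts.items() if len(h) >= min_hosts}
```

Calling `find_sweeps(SAMPLE)` returns only the source that touched three distinct hosts; the single-host source and the non-UDP entry are filtered out.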


