Security Incidents mailing list archives
network.exe -- was -- Re: udp traffic to port 137
From: ethanhunt314 () HOTMAIL COM (Walt)
Date: Sat, 20 May 2000 16:19:46 -0500
I have been seeing similar traffic hitting my network. After these patterns became more and more prevalent, I've started obtaining information about remote hosts. (/me grabs my gray hat)

In my situations, nine of ten attackers are Windows boxes with open/password-protected SMB file sharing on their external interface. Upon closer examination, I find the network.log file in their root directory, and the files network.exe and network.vbs in their startup folders.

I have seen information on the Network.vbs worm (http://security.sdsc.edu/publications/network.vbs.shtml); however, I haven't seen any information pertaining to network.exe. Has anyone else?

This is especially interesting since there *always* seemed to be an exported share as "c" with a *very* finite list of matching passwords. The possibilities for DDoS attack here are staggering.

walt

----- Original Message -----
From: "tobias wigand" <tobi () UNDERSCORE DE>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Friday, May 19, 2000 4:16 AM
Subject: udp traffic to port 137

hello all!

Our firewall rejects this kind of traffic daily, along with some normal NetBIOS traffic from port 137 to port 137. I first thought of a misconfiguration of the firewall, as all NetBIOS ports should be filtered, but my packet sniffer showed that no packets are leaving our LAN. Does anyone know under which circumstances some machine would produce such traffic? Are these portscans or just normal NetBIOS connection attempts?
fw kernel: Packet log: input REJECT eth0 PROTO=17 209.176.2.71:21 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=57649 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 209.176.2.71:21 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=10546 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 209.176.2.71:21 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=18482 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 208.178.128.145:16458 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=19955 F=0x0000 T=107 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 208.178.128.145:16458 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=23539 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 208.178.128.145:16458 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=26355 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 128.177.244.100:463 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=4611 F=0x0000 T=108 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 128.177.244.100:463 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=13317 F=0x0000 T=108 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 128.177.244.100:463 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=29703 F=0x0000 T=108 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 128.177.244.100:221 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=1273 F=0x0000 T=108 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 128.177.244.100:221 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=25851 F=0x0000 T=108 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 128.177.244.100:221 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=37373 F=0x0000 T=108 (#104)

thanks for your help

tobias
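The log lines tobias posted are in the ipchains "Packet log:" format (chain, action, interface, PROTO=, src:sport, dst:dport, L=total IP length, S=TOS, I=IP id, F=fragment flags, T=TTL, rule number). The example below is added here and is not code from either poster: it parses that format, aggregates the rejected UDP/137 packets per source, and checks one thing the thread does not spell out: L=78 is exactly 20 bytes of IP header + 8 bytes of UDP header + a 50-byte single-question NetBIOS name-service query (RFC 1001/1002), i.e. what a node-status (nbtstat -A) or name lookup sends. The block builds such a query to confirm the arithmetic. The sample log lines are constructed for this example on documentation-range addresses, modelled on the posted ones; the source-port classification is a heuristic of mine (Windows NBNS stacks send from UDP 137; other source ports indicate some other resolver or tool), not a claim from the thread.

```python
"""
Parse ipchains-style "Packet log:" lines and summarise rejected inbound
UDP/137 (NetBIOS name service) traffic per source.

Added example, not code from the thread.  SAMPLE_LOG is constructed for this
example (documentation-range addresses), modelled on the posted lines.
"""
import re
import struct
from collections import defaultdict

# Field order of the ipchains packet log: chain action iface PROTO= src:sport
# dst:dport L=total-ip-length S=tos I=ip-id F=frag-flags T=ttl (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\dx.]+):(?P<sport>\d+) "
    r"(?P<dst>[\dx.]+):(?P<dport>\d+) L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) "
    r"I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)
INT_FIELDS = ("proto", "sport", "dport", "len", "id", "ttl")

# Constructed sample, modelled on the posted lines (not real traffic).
SAMPLE_LOG = """\
fw kernel: Packet log: input REJECT eth0 PROTO=17 192.0.2.71:21 198.51.100.9:137 L=78 S=0x00 I=57649 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 192.0.2.71:21 198.51.100.9:137 L=78 S=0x00 I=10546 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 192.0.2.71:21 198.51.100.9:137 L=78 S=0x00 I=18482 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 203.0.113.145:16458 198.51.100.9:137 L=78 S=0x00 I=19955 F=0x0000 T=107 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 203.0.113.145:16458 198.51.100.9:137 L=78 S=0x00 I=23539 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 192.0.2.200:137 198.51.100.9:137 L=78 S=0x00 I=41 F=0x0000 T=128 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=6 192.0.2.50:4444 198.51.100.9:80 L=60 S=0x00 I=1 F=0x4000 T=52 (#104)
fw kernel: eth0: link up
"""


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not a packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in INT_FIELDS:
        rec[k] = int(rec[k])
    return rec


def encode_nbns_name(name, suffix=0x00):
    """RFC 1001/1002 first-level encoding of a NetBIOS name: 34 bytes on the wire."""
    if name == "*":                       # wildcard name used by node-status queries
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:                         # each byte -> two nibbles, each + 'A'
        out.append((b >> 4) + 0x41)
        out.append((b & 0x0F) + 0x41)
    return bytes([32]) + bytes(out) + b"\x00"


def build_nbns_query(name="*", qtype=0x21, txid=0x1234):
    """Single-question NBNS query (qtype 0x21 = NBSTAT node status, 0x20 = NB name)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_nbns_name(name) + struct.pack("!HH", qtype, 0x0001)


# 20-byte IP header + 8-byte UDP header + the 50-byte query above = 78,
# the L= value on every port-137 line in the post.
NBNS_QUERY_IP_LEN = 20 + 8 + len(build_nbns_query())


def summarize(log_text):
    """Per-source statistics for rejected UDP packets to port 137."""
    per_src = defaultdict(lambda: {"hits": 0, "sports": set(), "ttls": set(), "nbns_sized": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != 17 or rec["dport"] != 137:
            continue
        e = per_src[rec["src"]]
        e["hits"] += 1
        e["sports"].add(rec["sport"])
        e["ttls"].add(rec["ttl"])
        if rec["len"] == NBNS_QUERY_IP_LEN:
            e["nbns_sized"] += 1
    return dict(per_src)


def classify(entry):
    """Heuristic (my assumption, not from the thread): a Windows NetBIOS stack
    sends name-service queries from UDP 137, so any other source port means a
    different resolver or a scanning tool was used."""
    return "windows-nbns" if entry["sports"] == {137} else "other-resolver"


if __name__ == "__main__":
    for src, e in summarize(SAMPLE_LOG).items():
        print(f"{src:16} hits={e['hits']} sports={sorted(e['sports'])} "
              f"ttls={sorted(e['ttls'])} nbns_sized={e['nbns_sized']} {classify(e)}")
```

Run against a real /var/log/messages the same way (`summarize(open(path).read())`); sources whose every packet is 78 bytes and whose source port is not 137 are the ones worth a closer look, which matches the pattern in the posted lines.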
Current thread:
- udp traffic to port 137 tobias wigand (May 19)
- network.exe -- was -- Re: udp traffic to port 137 Walt (May 20)
- Hmmm... named again. Bugtraq List (May 22)
- Slow scan Jens Hektor (May 22)
- Re: Slow scan, the rest of the story Jens Hektor (May 24)
- Re: udp traffic to port 137 Robert Saraceno, Jr. (May 22)