Security Incidents mailing list archives

network.exe -- was -- Re: udp traffic to port 137


From: ethanhunt314 () HOTMAIL COM (Walt)
Date: Sat, 20 May 2000 16:19:46 -0500


I have been seeing similar traffic hitting my network. After these patterns
became more and more prevalent, I've started obtaining information about
remote hosts. (/me grabs my gray hat) In my situation, nine of ten
attackers are windows boxes with open/password protected smb file sharing on
their external interface. Upon closer examination, I find the network.log
file in their root directory, and the files network.exe and network.vbs in
their startup folders.

I have seen information on the Network.vbs worm,
(http://security.sdsc.edu/publications/network.vbs.shtml) however, I haven't
seen any information pertaining to network.exe. Has anyone else? This is
especially interesting since there *always* seemed to be an exported share
as "c" with a *very* finite list of matching passwords. The possibilities
for DDoS attack here are staggering.

walt

----- Original Message -----
From: "tobias wigand" <tobi () UNDERSCORE DE>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Friday, May 19, 2000 4:16 AM
Subject: udp traffic to port 137

hello all!

our firewall rejects this kind of traffic daily along with some normal
netbios traffic from port 137 to port 137.
i first thought of a misconfiguration of the firewall as all netbios ports
should be filtered. but my packet sniffer showed that no packets are
leaving our lan.
does anyone know under which circumstances some machine would produce such
traffic?
are these portscans or just normal netbios connection attempts?

fw kernel: Packet log: input REJECT eth0 PROTO=17 209.176.2.71:21
xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=57649 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 209.176.2.71:21
xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=10546 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 209.176.2.71:21
xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=18482 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 208.178.128.145:16458
xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=19955 F=0x0000 T=107 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 208.178.128.145:16458
xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=23539 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 208.178.128.145:16458
xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=26355 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 128.177.244.100:463
xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=4611 F=0x0000 T=108 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 128.177.244.100:463
xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=13317 F=0x0000 T=108 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 128.177.244.100:463
xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=29703 F=0x0000 T=108 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 128.177.244.100:221
xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=1273 F=0x0000 T=108 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 128.177.244.100:221
xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=25851 F=0x0000 T=108 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 128.177.244.100:221
xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=37373 F=0x0000 T=108 (#104)

thanks for your help
tobias
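An added example, not code from either poster: a small parser for the ipchains "Packet log" lines quoted above that separates ordinary NetBIOS name-service chatter (source port 137 to destination port 137, as the mail describes) from UDP/137 packets arriving from other source ports, and counts those per source host so repeat probers stand out. The sample lines are constructed for this example and use documentation address ranges rather than the addresses in the thread.

```python
import re
from collections import Counter

# Constructed sample in the ipchains "Packet log:" format quoted in the
# thread; addresses and IP ids are made up for this example.
SAMPLE_LOG = """\
fw kernel: Packet log: input REJECT eth0 PROTO=17 203.0.113.71:21 192.0.2.10:137 L=78 S=0x00 I=57649 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 203.0.113.71:21 192.0.2.10:137 L=78 S=0x00 I=10546 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 198.51.100.145:16458 192.0.2.10:137 L=78 S=0x00 I=19955 F=0x0000 T=107 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 192.0.2.200:137 192.0.2.10:137 L=78 S=0x00 I=4611 F=0x0000 T=128 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=6 203.0.113.9:4321 192.0.2.10:139 L=48 S=0x00 I=999 F=0x4000 T=120 (#105)
"""

# Field layout of one ipchains log line: chain, action, interface,
# protocol number, src:sport, dst:dport, length, TOS, IP id, fragment
# flags, TTL. The trailing "(#rule)" is not needed here.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=0x[0-9a-f]+ "
    r"I=(?P<ipid>\d+) F=0x[0-9a-f]+ T=(?P<ttl>\d+)"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "ipid", "ttl"):
        rec[key] = int(rec[key])
    return rec

def classify(rec):
    """UDP to port 137 from source port 137 is ordinary name-service traffic;
    the same destination from any other source port is the probe pattern
    the thread asks about. Everything else is labelled 'other'."""
    if rec["proto"] != 17 or rec["dport"] != 137:
        return "other"
    return "netbios-ns" if rec["sport"] == 137 else "nbns-probe"

def summarize(log_text):
    """Count each label and tally probe packets per source address."""
    labels, probes = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        labels[label] += 1
        if label == "nbns-probe":
            probes[rec["src"]] += 1
    return labels, probes
```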
