Security Incidents mailing list archives
Single packet per IP# port 137 scan
From: bryan () VISI COM (Bryan Andersen)
Date: Thu, 25 May 2000 08:44:13 -0500
This is a heads up on possible new scanner code out there. This scan came in a couple of days ago. It's a pattern I haven't seen before. Usually when port 137 is scanned I see three packets per IP#. I also see a bit of a time difference between IP#s. This scan all came in at once.

trimmed IPCHAINS logs:

May 23 11:35:53 input PROTO=17 src:4815 dst.16:137 L=78 S=0x00 I=61470 F=0x0000 T=51
May 23 11:35:53 input PROTO=17 src:4815 dst.17:137 L=78 S=0x00 I=61471 F=0x0000 T=51
May 23 11:35:53 input PROTO=17 src:4815 dst.19:137 L=78 S=0x00 I=61473 F=0x0000 T=51

tcpdump -x data:

11:35:53.437521 204.94.192.13.4815 > 208.42.22.16.137: udp 50 (ttl 51, id 61470)
    4500 004e f01e 0000 3311 24da cc5e c00d
    d02a 1610 12cf 0089 003a 0af9 3039 0010
    0001 0000 0000 0000 2043 4b41 4141 4141
    4141 4141 4141 4141 4141 4141 4141 4141
    4141 4141 4141 4141 4100 0021 0001
11:35:53.448775 204.94.192.13.4815 > 208.42.22.17.137: udp 50 (ttl 51, id 61471)
    4500 004e f01f 0000 3311 24d8 cc5e c00d
    d02a 1611 12cf 0089 003a 0af8 3039 0010
    0001 0000 0000 0000 2043 4b41 4141 4141
    4141 4141 4141 4141 4141 4141 4141 4141
    4141 4141 4141 4141 4100 0021 0001
11:35:53.500980 204.94.192.13.4815 > 208.42.22.19.137: udp 50 (ttl 51, id 61473)
    4500 004e f021 0000 3311 24d4 cc5e c00d
    d02a 1613 12cf 0089 003a 0af6 3039 0010
    0001 0000 0000 0000 2043 4b41 4141 4141
    4141 4141 4141 4141 4141 4141 4141 4141
    4141 4141 4141 4141 4100 0021 0001

--
| Bryan Andersen | bryan () visi com | http://softail.visi.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
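Added example, not part of the original post: a Python decode of the first tcpdump -x packet above, checking the IP header checksum and unpacking the NetBIOS name service question (RFC 1001/1002 layout) so an analyst can see what the probe asks for. The function names and the QTYPES table are this example's own.

```python
import socket
import struct

# First packet from the post's tcpdump -x output (IP header onward).
PACKET = bytes.fromhex("""
4500 004e f01e 0000 3311 24da cc5e c00d
d02a 1610 12cf 0089 003a 0af9 3039 0010
0001 0000 0000 0000 2043 4b41 4141 4141
4141 4141 4141 4141 4141 4141 4141 4141
4141 4141 4141 4141 4100 0021 0001
""")
QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}  # RFC 1002 question types

def ip_checksum_ok(header):
    """One's-complement sum over the IP header must fold to 0xffff."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_nb_name(encoded):
    """Undo RFC 1001 first-level encoding: two letters 'A'..'P' per byte."""
    nibbles = [c - ord("A") for c in encoded]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))

def parse_nbns_query(packet):
    ihl = (packet[0] & 0x0F) * 4           # IP header length in bytes
    if packet[9] != 17:
        raise ValueError("not a UDP packet")
    sport, dport = struct.unpack("!2H", packet[ihl:ihl + 4])
    nb = packet[ihl + 8:]                  # skip the 8-byte UDP header
    txid, flags, qdcount = struct.unpack("!3H", nb[:6])
    name_len = nb[12]                      # one label, 32 bytes when encoded
    qtype = struct.unpack("!H", nb[14 + name_len:16 + name_len])[0]
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "sport": sport, "dport": dport, "ttl": packet[8],
        "ip_id": struct.unpack("!H", packet[4:6])[0],
        "ip_checksum_ok": ip_checksum_ok(packet[:ihl]),
        "txid": txid, "qdcount": qdcount,
        "broadcast": bool(flags & 0x0010),  # B bit of NM_FLAGS
        "name": decode_nb_name(nb[13:13 + name_len]),
        "qtype": QTYPES.get(qtype, hex(qtype)),
    }

if __name__ == "__main__":
    print(parse_nbns_query(PACKET))
```

The decoded question is a node status (NBSTAT) request for the wildcard name "*", with transaction ID 12345 and the broadcast flag set.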