Security Incidents mailing list archives
Re: Connection to port 137
From: Darryl Luff <DLuff () IITSCDM COM AU>
Date: Fri, 24 Nov 2000 12:34:11 +1100
Hi there,

We had 600 of these scans in the first two weeks of November. I haven't counted them up lately but they seem to be increasing every day. If you check the source address (net view \\ip.address), I think you'll find a Windows machine with a writeable share published to the internet. The ones I've looked at have been infected with one of the automated worms currently doing the rounds.

These things are a bit of a worry, just from the amount of traffic they cause. Every infected machine starts automatically scanning random IPs looking for new victims, and infecting the ones it finds, so the traffic increases daily. There was a link to a good writeup on these worms published recently either here or on the firewalls list, but I've lost the URL.

Unless you allow these ports in to any of your machines, or have Windows machines unprotected outside the firewall, I think the traffic problem is worse than the security problem.

-----Original Message-----
From: Marco Bizzarri [SMTP:m.bizzarri () ICUBE IT]
Sent: Thursday, November 23, 2000 1:39 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Connection to port 137

Hi all.

I'm seeing a lot of UDP activity coming from internet IP on port 137 to port 137 of our firewall. Is this normal, or should I start worrying? Here's a sample:

Nov 22 14:44:20 brontolo kernel: Packet log: ext-if DENY eth2 PROTO=17 y.y.y.y:137 x.x.x.x:137 L=78 S=0x00 I=10984 F=0x0000 T=120 (#21)

Any suggestion?

Bye
Marco

--
Marco Bizzarri - Responsabile Tecnico - Icube S.r.l.
Sede: Via Ridolfi 15 - 56124 Pisa (PI), Italia
E-mail: m.bizzarri () icube it
WWW: www.icube.it
Tel: (+39) 050 97 02 07
Fax: (+39) 050 31 36 588
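An added example, not part of either message in this thread: a small parser for the ipchains "Packet log:" line format quoted above that tallies denied UDP port 137 packets per source address, which is how the scan counts mentioned in the reply can be tracked over time. The hostname, the documentation-range addresses and the function names are constructed for the example.

```python
import re
from collections import Counter

# ipchains "Packet log:" layout, matching the sample line quoted in the thread:
#   chain action iface PROTO=n src:sport dst:dport L=len S=tos I=id F=frag T=ttl (#rule)
LINE_RE = re.compile(
    r"kernel: Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+) L=(?P<length>\d+) .*? T=(?P<ttl>\d+)"
)
UDP, NBNS_PORT = 17, 137  # IP protocol number for UDP; NetBIOS name service port

# Constructed sample log (hostname "fw" and RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Nov 22 14:44:20 fw kernel: Packet log: ext-if DENY eth2 PROTO=17 198.51.100.7:137 192.0.2.1:137 L=78 S=0x00 I=10984 F=0x0000 T=120 (#21)
Nov 22 14:44:22 fw kernel: Packet log: ext-if DENY eth2 PROTO=17 198.51.100.7:137 192.0.2.1:137 L=78 S=0x00 I=10985 F=0x0000 T=120 (#21)
Nov 22 14:44:25 fw kernel: Packet log: ext-if DENY eth2 PROTO=17 198.51.100.7:137 192.0.2.2:137 L=78 S=0x00 I=10990 F=0x0000 T=120 (#21)
Nov 22 14:51:02 fw kernel: Packet log: ext-if DENY eth2 PROTO=17 203.0.113.9:137 192.0.2.1:137 L=78 S=0x00 I=4411 F=0x0000 T=113 (#21)
Nov 22 14:52:40 fw kernel: Packet log: ext-if DENY eth2 PROTO=6 203.0.113.50:3312 192.0.2.1:80 L=44 S=0x00 I=771 F=0x4000 T=50 SYN (#22)
Nov 22 14:53:00 fw sshd[412]: unrelated line that is not a packet log entry
"""

def parse_line(line):
    """Return the packet-log fields as a dict, or None for any other line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ttl"):
        rec[key] = int(rec[key])
    return rec

def nbns_probes(log_text):
    """Map source IP -> (denied UDP/137 packet count, set of targeted IPs)."""
    counts, targets = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "DENY" and rec["proto"] == UDP and rec["dport"] == NBNS_PORT:
            counts[rec["src"]] += 1
            targets.setdefault(rec["src"], set()).add(rec["dst"])
    return {src: (n, targets[src]) for src, n in counts.items()}

def report(log_text):
    """Sources sorted by packet count, busiest first."""
    return sorted(nbns_probes(log_text).items(), key=lambda kv: -kv[1][0])

if __name__ == "__main__":
    for src, (n, dsts) in report(SAMPLE_LOG):
        print(f"{src}: {n} denied UDP/137 packets to {len(dsts)} address(es)")
```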