Re: Can anyone guess at this "scan"??

["Howard, Aaron" <ahoward () NOERRORS COM>]

udp 137 is netbios name service

We get boatloads of scans on this port.
Generally accepted as script kiddies
looking for Wintel machines with
file/print-sharing on for further
exploitation.

Although, it can often just be mis-
configured Wintel machines trying to
do netbios name resolution.

As far as the timing goes, it looks
like this:

----------- first packet
+6m 46.488s second packet
+9m 36.176s third packet
+6m 10.744s fourth packet
+7m 54.144s fifth packet

I'm not sure I see a pattern other than
even packets come with less delay than
odd packets.  Still, it doesn't seem
programmatic to me.

When you say you spoke to a network OPS
person "over at the company" you mean
from the originator of this traffic?

If so, and if they are cooperative, why
not just get someone there to check the
machine to see what's going on with it?

Further packet logging would help pin
down if there is a real pattern and
actual packet captures with payload
would help identify what the real purpose
of the traffic is.

For more info about port 137 scanning see:

http://www.sans.org/newlook/resources/IDFAQ/port_137.htm

and

http://www.robertgraham.com/pubs/firewall-seen.html#10

-Aaron
==
Aaron Howard, CCNA, CNE, MCSE, RHCE
The Computer Group, Inc.
ahoward () noerrors com
pgp key on public key servers


> -----Original Message-----
> From: rlos [mailto:rlos () ENVESTNET COM]
> Sent: Wednesday, January 10, 2001 6:21 PM
> To: INCIDENTS
> Cc: rlos
> Subject: Can anyone guess at this "scan"??
> Importance: High
>
>
> Hey all,
>
>       Can someone maybe give me a clue where to dig on
> finding out what
> this type of "scan" is?...whether it's anything known?
>
> 01/09/2001 04:34:36.928 -     UDP packet dropped -
> Source:other.net.11.66, 928, WAN -    
> Destination:My.sub.net.162, 137, LAN
> -      -      
> 01/09/2001 04:41:23.416 -     UDP packet dropped -
> Source:other.net.11.66, 642, WAN -    
> Destination:My.sub.net.162, 137, LAN
> -      -      
> 01/09/2001 04:50:59.592 -     UDP packet dropped -
> Source:other.net.11.66, 949, WAN -    
> Destination:My.sub.net.162, 137, LAN
> -      -      
> 01/09/2001 04:57:10.336 -     UDP packet dropped -
> Source:other.net.11.66, 690, WAN -    
> Destination:My.sub.net.162, 137, LAN
> -      -      
> 01/09/2001 05:05:04.480 -     UDP packet dropped -
> Source:other.net.11.66, 872, WAN -    
> Destination:My.sub.net.162, 137, LAN
> -      -      
>
>
>       The scans come at a seemingly timed interval, and after speaking
> with one of the network OPS personnel over at the company, it
> appears to be
> a unconfirmed version of *nix with some sort of mail program
> running on it.
> I've seen this scan pattern before and couldn't trace it
> down, this time I'm
> hoping to be able to pinpoint the cause.
>
>       Thanks in advance for the forensics support.
>
>
> Ralph M. Los
> Sr. Internet Systems & Security Admin.    (312) 827-3945 (direct)
> EnvestNet Advisory Corp.                  (312) 296-9003 (wireless)
> rlos () envestnet com