Security Incidents mailing list archives
Re: Can anyone guess at this "scan"??
From: "Howard, Aaron" <ahoward () NOERRORS COM>
Date: Thu, 11 Jan 2001 10:31:58 -0500
udp 137 is netbios name service. We get boatloads of scans on this port. Generally accepted as script kiddies looking for Wintel machines with file/print-sharing on for further exploitation. Although, it can often just be mis-configured Wintel machines trying to do netbios name resolution.

As far as the timing goes, it looks like this:
-----------
first packet
+6m 46.488s second packet
+9m 36.176s third packet
+6m 10.744s fourth packet
+7m 54.144s fifth packet

I'm not sure I see a pattern other than even packets come with less delay than odd packets. Still, it doesn't seem programmatic to me.

When you say you spoke to a network OPS person "over at the company" you mean from the originator of this traffic? If so, and if they are cooperative, why not just get someone there to check the machine to see what's going on with it?

Further packet logging would help pin down if there is a real pattern, and actual packet captures with payload would help identify what the real purpose of the traffic is.

For more info about port 137 scanning see:
http://www.sans.org/newlook/resources/IDFAQ/port_137.htm
and
http://www.robertgraham.com/pubs/firewall-seen.html#10

-Aaron
==
Aaron Howard, CCNA, CNE, MCSE, RHCE
The Computer Group, Inc.
ahoward () noerrors com
pgp key on public key servers
-----Original Message-----
From: rlos [mailto:rlos () ENVESTNET COM]
Sent: Wednesday, January 10, 2001 6:21 PM
To: INCIDENTS
Cc: rlos
Subject: Can anyone guess at this "scan"??
Importance: High

Hey all,

Can someone maybe give me a clue where to dig on finding out what this type of "scan" is? ...whether it's anything known?

01/09/2001 04:34:36.928 - UDP packet dropped - Source:other.net.11.66, 928, WAN - Destination:My.sub.net.162, 137, LAN - -
01/09/2001 04:41:23.416 - UDP packet dropped - Source:other.net.11.66, 642, WAN - Destination:My.sub.net.162, 137, LAN - -
01/09/2001 04:50:59.592 - UDP packet dropped - Source:other.net.11.66, 949, WAN - Destination:My.sub.net.162, 137, LAN - -
01/09/2001 04:57:10.336 - UDP packet dropped - Source:other.net.11.66, 690, WAN - Destination:My.sub.net.162, 137, LAN - -
01/09/2001 05:05:04.480 - UDP packet dropped - Source:other.net.11.66, 872, WAN - Destination:My.sub.net.162, 137, LAN - -

The scans come at a seemingly timed interval, and after speaking with one of the network OPS personnel over at the company, it appears to be an unconfirmed version of *nix with some sort of mail program running on it. I've seen this scan pattern before and couldn't trace it down; this time I'm hoping to be able to pinpoint the cause.

Thanks in advance for the forensics support.

Ralph M. Los
Sr. Internet Systems & Security Admin.
EnvestNet Advisory Corp.
(312) 827-3945 (direct)
(312) 296-9003 (wireless)
rlos () envestnet com
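The interval arithmetic Aaron did by hand, as an added example that is not part of the thread: a Python script that parses the firewall lines quoted above, computes the inter-arrival gaps, and scores how regular they are (a coefficient of variation near 0 would point to a fixed-interval sender, which these gaps do not show). The log lines are copied from the post; the regex, the field names and the regularity threshold are my assumptions.

```python
import re
import statistics
from datetime import datetime

# The five dropped-packet lines quoted in the original post (copied from the page).
LOG = """\
01/09/2001 04:34:36.928 - UDP packet dropped - Source:other.net.11.66, 928, WAN - Destination:My.sub.net.162, 137, LAN - -
01/09/2001 04:41:23.416 - UDP packet dropped - Source:other.net.11.66, 642, WAN - Destination:My.sub.net.162, 137, LAN - -
01/09/2001 04:50:59.592 - UDP packet dropped - Source:other.net.11.66, 949, WAN - Destination:My.sub.net.162, 137, LAN - -
01/09/2001 04:57:10.336 - UDP packet dropped - Source:other.net.11.66, 690, WAN - Destination:My.sub.net.162, 137, LAN - -
01/09/2001 05:05:04.480 - UDP packet dropped - Source:other.net.11.66, 872, WAN - Destination:My.sub.net.162, 137, LAN - -
"""

# Assumed layout of this firewall's log line; matches the five lines above.
LINE_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - (?P<proto>\w+) packet dropped - "
    r"Source:(?P<src>[^,]+), (?P<sport>\d+), \w+ - "
    r"Destination:(?P<dst>[^,]+), (?P<dport>\d+), \w+"
)

def parse(log):
    """Turn each matching line into a dict with a datetime and integer ports."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a dropped-packet record
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %H:%M:%S.%f")
        ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
        events.append(ev)
    return events

def intervals(events):
    """Gaps between consecutive packets in seconds, rounded to the log's ms precision."""
    ts = sorted(e["ts"] for e in events)
    return [round((b - a).total_seconds(), 3) for a, b in zip(ts, ts[1:])]

def regularity(gaps):
    """Coefficient of variation of the gaps: ~0 means a fixed-interval sender."""
    return statistics.pstdev(gaps) / statistics.mean(gaps)

def fmt(seconds):
    """Render a gap the way Aaron wrote it, e.g. '6m 46.488s'."""
    minutes, secs = divmod(seconds, 60)
    return f"{int(minutes)}m {secs:.3f}s"

if __name__ == "__main__":
    gaps = intervals(parse(LOG))
    for g in gaps:
        print("+" + fmt(g))
    print(f"coefficient of variation: {regularity(gaps):.3f}")
```

With this log the CV is roughly 0.17, which is consistent with Aaron's read that the timing looks irregular rather than programmatic; the same script applied to a longer capture would show whether a period emerges.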