Security Incidents mailing list archives

Re: Can anyone guess at this "scan"??


From: "Los, Ralph" <rlos () ENVESTNET COM>
Date: Thu, 11 Jan 2001 09:37:54 -0600

Thanks all,
        In reply to some of the questions:

        The logging utility here, unfortunately, is a SonicWall Pro.  The
destination network (one of mine) is completely isolated from the one that
is the source - meaning, there should ordinarily be NO traffic from them to
us of this nature.  Also, the machine on the other end has been reported by
them to be a *NIX box...mine is, yes, a firewall hiding a completely MS
network.

        I wish I could get packet dumps for you, but I don't have that
facility, and as I'm relatively new to this type of task, I don't even have
a facility set up to do such a task...learning quickly.

        Maybe this'll help someone track this down...the other end has been
relatively slow in responding, but they swore they would investigate.  I
will post again should I hear any more news from their security team.  In
the meantime, ...is there a tool out there that is known to run from a *NIX
box that would be doing NetBIOS scans like the one seen below in my post?

Thanks everyone...

Ralph M. Los
Sr. Internet Systems & Security Admin.    (312) 827-3945 (direct)
EnvestNet Advisory Corp.                  (312) 296-9003 (wireless)
rlos () envestnet com


-----Original Message-----
From: Jigal Weinberg [mailto:jigal () cistron nl]
Sent: Thursday, January 11, 2001 6:00 AM
To: Los, Ralph
Cc: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Can anyone guess at this "scan"??


On Wed, 10 Jan 2001, Los, Ralph wrote:


01/09/2001 04:34:36.928 -     UDP packet dropped -
Source:other.net.11.66, 928, WAN -    Destination:My.sub.net.162, 137, LAN
-      -      
01/09/2001 04:41:23.416 -     UDP packet dropped -
Source:other.net.11.66, 642, WAN -    Destination:My.sub.net.162, 137, LAN
-      -      
01/09/2001 04:50:59.592 -     UDP packet dropped -
Source:other.net.11.66, 949, WAN -    Destination:My.sub.net.162, 137, LAN
-      -      
01/09/2001 04:57:10.336 -     UDP packet dropped -
Source:other.net.11.66, 690, WAN -    Destination:My.sub.net.162, 137, LAN
-      -      
01/09/2001 05:05:04.480 -     UDP packet dropped -
Source:other.net.11.66, 872, WAN -    Destination:My.sub.net.162, 137, LAN
-      -      

Have you checked the traffic from destination to source?
Maybe it could be something Samba.
netbios-ns      137/udp
Maybe something with Windows domain controller stuff.
Periodic announcing of its NetBIOS name.


hope it helps


Greets

J . Weinberg



--
Mr. Orange:
        Motherfucker, I don't even know what 10 dollars worth looks like.
        - <Reservoir Dogs>

