Security Incidents mailing list archives

Re: Strange logs


From: Camillo Särs <Camillo.Sars () F-SECURE COM>
Date: Tue, 2 Jan 2001 10:29:20 +0200

Devdas Bhagat wrote:
I am getting UDP packets from port 137 on various machines to port 53
on my secondary nameserver.

Looks like WINS resolution attempts through DNS.

These have been coming continuously since morning (about 9 hrs now), and
currently form half my logfile (rotated on Sunday at 4 am). No such
traces on the primary nameserver, and I use the same rules on both. Any
explanations of what this could be?
An attempted exploit or just a misconfigured File and Print share
(given the originating port)?

Probably a Windows PC which has a misconfigured (or missing) WINS entry.
Windows will in some cases (depends on configuration) fall back to DNS
lookups to resolve host names for WINS.  AFAIK, Windows DNS lookups are
pretty hairily implemented, so falling back to a secondary name server
seems "normal" ;)  Have you checked to see if such traffic to your primary
nameserver might perhaps be silently blocked, causing the fall-back?

I have set up explicit rules to silently ignore lookups of this type,
because Windows 137-139 ports tend to cause a lot of "noise" anyway.  Mind
you, you would still do well to log any normal NetBIOS traffic attempts, as
they quite often indicate worm activity.

Regards,
Camillo
--
Camillo Särs <Camillo.Sars () F-Secure com>       http://www.iki.fi/ged/
Security Researcher, F-Secure Corporation      http://www.F-Secure.com

   F-Secure products: Securing the Mobile, Distributed Enterprise

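The triage Camillo describes (silently dropping the UDP source-port-137 to port-53 fallback noise while still logging other NetBIOS 137-139 attempts, and finding which host is generating the bulk of the logfile) can be scripted. The following is an added example written for this archive page; it is not code from either poster. The key=value firewall log format, the hostnames and the addresses are constructed sample data.

```python
"""Triage NetBIOS-related firewall log lines.

Added example (not from the mailing list thread): classifies UDP
src-port-137 -> dst-port-53 traffic (Windows WINS/NetBIOS name resolution
falling back to DNS) separately from other NetBIOS (137-139) traffic,
which is worth logging because it often indicates worm activity, and
counts the fallback noise per source so the misconfigured PC can be found.
"""
import re
from collections import Counter

# Constructed log lines in a simplified key=value firewall format (an
# assumed format, not the original poster's log).
SAMPLE_LOG = """\
Jan  2 09:01:12 ns2 fw: DROP proto=UDP src=192.0.2.10 spt=137 dst=198.51.100.53 dpt=53
Jan  2 09:01:13 ns2 fw: DROP proto=UDP src=192.0.2.10 spt=137 dst=198.51.100.53 dpt=53
Jan  2 09:02:40 ns2 fw: DROP proto=UDP src=192.0.2.77 spt=137 dst=198.51.100.53 dpt=53
Jan  2 09:03:05 ns2 fw: DROP proto=UDP src=203.0.113.5 spt=1034 dst=198.51.100.53 dpt=137
Jan  2 09:03:06 ns2 fw: DROP proto=TCP src=203.0.113.5 spt=1035 dst=198.51.100.53 dpt=139
Jan  2 09:04:00 ns2 fw: ACCEPT proto=UDP src=192.0.2.200 spt=40112 dst=198.51.100.53 dpt=53
"""

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) spt=(?P<spt>\d+) "
    r"dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)"
)

NETBIOS_PORTS = {137, 138, 139}


def classify(line):
    """Return (category, source address) for one log line.

    Categories:
      wins_dns_fallback - UDP from port 137 to port 53: WINS-to-DNS fallback noise
      netbios_probe     - anything aimed at 137-139: log it, possible worm activity
      other             - everything else that parsed
    Unparseable lines yield (None, None).
    """
    m = LINE_RE.search(line)
    if not m:
        return None, None
    proto, spt, dpt = m["proto"], int(m["spt"]), int(m["dpt"])
    if proto == "UDP" and spt == 137 and dpt == 53:
        return "wins_dns_fallback", m["src"]
    if dpt in NETBIOS_PORTS:
        return "netbios_probe", m["src"]
    return "other", m["src"]


def triage(log_text):
    """Split a log into per-source fallback counts, NetBIOS lines to keep, and the rest."""
    fallback_by_source = Counter()
    netbios_lines = []
    other = 0
    for line in log_text.splitlines():
        kind, src = classify(line)
        if kind == "wins_dns_fallback":
            fallback_by_source[src] += 1   # silently ignored, but counted
        elif kind == "netbios_probe":
            netbios_lines.append(line)     # keep these in the log
        elif kind == "other":
            other += 1
    return {
        "fallback_by_source": fallback_by_source,
        "netbios_lines": netbios_lines,
        "other": other,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for src, n in result["fallback_by_source"].most_common():
        print(f"WINS->DNS fallback from {src}: {n} packets (check its WINS config)")
    for line in result["netbios_lines"]:
        print("NetBIOS attempt, keep logged:", line)
```

The per-source counter is the useful part: the host at the top of it is the one with the broken WINS setting, and fixing that one machine removes half the logfile, whereas the 137-139 lines stay visible because those are the ones that flag worm activity.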
