Security Incidents mailing list archives

Re: a different, stranger port 137 activity

From: <daniele.muscetta () libero it>
Date: 24 Oct 2002 12:05:21 -0000

In-Reply-To: <DC97518EF1B5E3418A86F59A9A58035D036F9A4A () ANLEXCH CTD ANL GOV>

I have noticed the same packets.
They get in because they are the response to a packet that went OUT.
your internal machine initiates the connection to outside (querying a 
netbios name server ?) and of course it gets a reply back.

i am still indagating myself.
at first i was thinking it was a "real" attack, like if i had a trojan and 
i was attacking the remote.

but it looks more like a tentative to query the remote machine for its 
name. I also posted a message on the snort user group, since it started 
after I have started using ACID to analyze snort's logs.
and it happens all the times with addresses that can't be resolved... as 
if, after giving up with the dns queries, the acid application (running on 
windows) tries to contact the host directly to see if it can resolve its 
name via netbios.

of course a packet goes out, and THAT packet you noticed comes back to the 
internal machine....

but... is that really so ?

let me know as well if you find out more, plz.
I am still researching on it aswell.

might be a false positive, but might also be that we are compromised...

Best Regards,

Daniele

Received: (qmail 30067 invoked from network); 18 Oct 2002 23:58:23 -0000
Received: from outgoing3.securityfocus.com (HELO

outgoing.securityfocus.com) (205.206.231.27)

 by mail.securityfocus.com with SMTP; 18 Oct 2002 23:58:23 -0000
Received: from lists.securityfocus.com (lists.securityfocus.com

[205.206.231.19])

      by outgoing.securityfocus.com (Postfix) with QMQP
      id 6243EA3116; Fri, 18 Oct 2002 16:36:07 -0600 (MDT)
Mailing-List: contact incidents-help () securityfocus com; run by ezmlm
Precedence: bulk
List-Id: <incidents.list-id.securityfocus.com>
List-Post: <mailto:incidents () securityfocus com>
List-Help: <mailto:incidents-help () securityfocus com>
List-Unsubscribe: <mailto:incidents-unsubscribe () securityfocus com>
List-Subscribe: <mailto:incidents-subscribe () securityfocus com>
Delivered-To: mailing list incidents () securityfocus com
Delivered-To: moderator for incidents () securityfocus com
Received: (qmail 28102 invoked from network); 18 Oct 2002 13:58:33 -0000
Message-ID: <DC97518EF1B5E3418A86F59A9A58035D036F9A4A () ANLEXCH CTD ANL GOV>
From: "Wisniewski, Michael" <wiz () anl gov>
To: "'incidents () securityfocus com'" <incidents () securityfocus com>
Subject: a different, stranger port 137 activity
Date: Fri, 18 Oct 2002 09:23:48 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2656.59)
Content-Type: text/plain


      We've been experiencing a lot of strange port 137 traffic from one
of our IP's behind our firewall to somewhere offsite.  I've been trying to
track it down but I have been unsuccessful at it.  Anyways, I've noticed
earlier postings about port 137 traffic and they posted the packets, which
look similar to mine.  But, when I looked at the machine, the machine

didn't

have any of the files associated with that virus/trojan.  I did a tcpdump
and the results are posted below.  Both of the machines are behind the
firewall and port 137 is not open.  Now all this was happening to a web
server / real audio server for awhile now.  When I plugged my laptop in to
do the dump, I got the following information.  The weird part about it is
that it was mostly directed at my laptop as opposed to an IP on their
network.  The times for all the packets are listed below.  The packets,

for

the most part, look about the same.  Here are the times this occurs...

[The IP is 65.209.25.3 number, my laptop is [my laptop ip], and internal

web

server is the internal real audio/web server]

14:43:30 > ip to my laptop
14:43:31 > my laptop to ip
14:43:33 > my laptop to ip
14:43:34 > my laptop to ip
14:45:36 > ip to internal web server
15:00:38 > ip to my laptop
15:02:44 > ip to internal web server


14:43:30.804208 65.209.25.3.137 > [my laptop ip].137:

NBT UDP PACKET(137): OPUNKNOWN; REQUEST; BROADCAST

0x0000  4500 004c 0e51 0000 7011 56ed 41d1 1903        E..L.Q..p.V.A...
0x0010  9289 f805 0089 0089 0038 0a8c 0203 09f9        .........8......
0x0020  0000 6039 0000 0d26 8076 1903 c159 9149        ..`9...&.v...Y.I
0x0030  b0f3 35f0 4141 4141 4100 0021 c159 8de0        ..5.AAAAA..!.Y..
0x0040  aa28 a1e0 c159 9162 a944 6738                  .(...Y.b.Dg8
14:43:31.611945 [my laptop ip].137 > 65.209.25.3.137:

NBT UDP PACKET(137): QUERY; REQUEST; UNICAST

0x0000  4500 004e 0896 0000 8011 4ca6 9289 f805        E..N......L.....
0x0010  41d1 1903 0089 0089 003a 5a15 80b6 0000        A........:Z.....
0x0020  0001 0000 0000 0000 2043 4b41 4141 4141        .........CKAAAAA
0x0030  4141 4141 4141 4141 4141 4141 4141 4141        AAAAAAAAAAAAAAAA
0x0040  4141 4141 4141 4141 4100 0021 0001             AAAAAAAAA..!..
14:43:33.110058 [my laptop ip].137 > 65.209.25.3.137:

NBT UDP PACKET(137): QUERY; REQUEST; UNICAST

0x0000  4500 004e 0897 0000 8011 4ca5 9289 f805        E..N......L.....
0x0010  41d1 1903 0089 0089 003a 5a14 80b7 0000        A........:Z.....
0x0020  0001 0000 0000 0000 2043 4b41 4141 4141        .........CKAAAAA
0x0030  4141 4141 4141 4141 4141 4141 4141 4141        AAAAAAAAAAAAAAAA
0x0040  4141 4141 4141 4141 4100 0021 0001             AAAAAAAAA..!..
14:43:34.612213 [my laptop ip].137 > 65.209.25.3.137:

NBT UDP PACKET(137): QUERY; REQUEST; UNICAST

0x0000  4500 004e 0898 0000 8011 4ca4 9289 f805        E..N......L.....
0x0010  41d1 1903 0089 0089 003a 5a13 80b8 0000        A........:Z.....
0x0020  0001 0000 0000 0000 2043 4b41 4141 4141        .........CKAAAAA
0x0030  4141 4141 4141 4141 4141 4141 4141 4141        AAAAAAAAAAAAAAAA
0x0040  4141 4141 4141 4141 4100 0021 0001             AAAAAAAAA..!..


      Any help would be greatly appreciated!  I just don't quite
understand how this IP is getting through our firewall since there are no
conduits open on port 137.  Thanks in advance!

Mike

--------------------------------------------------------------------------

--

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

a different, stranger port 137 activity Wisniewski, Michael (Oct 18)
- Re: a different, stranger port 137 activity H C (Oct 20)
- Hiding IP addresses in trace data John Kristoff (Oct 21)
  - Re: Hiding IP addresses in trace data Jose Nazario (Oct 21)
    - Re: Hiding IP addresses in trace data Russell Fulton (Oct 21)
- <Possible follow-ups>
- Re: a different, stranger port 137 activity daniele.muscetta (Oct 24)