Security Incidents mailing list archives
RE: Unusual volume: UDP:137 probes
From: Mark Forsyth <forsythm () optushome com au>
Date: Mon, 30 Sep 2002 23:09:38 +1000
On Monday, September 30, 2002 10:05 PM, Brett Procter [SMTP:Brett.Procter () bigpond com] wrote:
Hmm, Internode ADSL (Adelaide Aust) 15 hits yesterday, 38 so far today (22:04 GMT+10), 1 from local network yesterday, 5 today.
Yes. I'm starting to see iprimus, rivernet and tpgi as well as internode since my last mail.

It also seems that I may have lied when I said that the packets look like normal packets. From my experimenting at home it looks to me like normal packets have both the source and destination ports being 137 and don't normally have the broadcast bit set. In my logs there are none of these packets with a source port of 137 and the broadcast bit is always set. Most source ports are between 1025 and 1036 with only a small percentage outside this range.

It also seems that the _rate_ at which I'm getting the hits is increasing too. Interesting indeed. I wonder what it all means.

Ooroo
Mark Forsyth

<snip>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
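The distinction drawn in the message above (source port and broadcast bit) can be turned into a log triage check. This is an added example, not part of the original post: the labels, function names and sample packets are constructed, and the "normal" and "probe" criteria are the poster's observations, not a general rule for NetBIOS name service traffic.

```python
import struct
from collections import Counter

NBNS_PORT = 137
BROADCAST_FLAG = 0x0010  # B bit of NM_FLAGS in the NBNS header (RFC 1002)

def nbns_broadcast_bit(payload: bytes) -> bool:
    """Return True if the B flag is set in a NetBIOS name service header."""
    if len(payload) < 12:
        raise ValueError("payload shorter than the 12-byte NBNS header")
    _txid, flags = struct.unpack("!HH", payload[:4])
    return bool(flags & BROADCAST_FLAG)

def classify(src_port: int, dst_port: int, payload: bytes) -> str:
    """Label one UDP datagram using the criteria described in the post."""
    if dst_port != NBNS_PORT:
        return "not-nbns"
    try:
        bcast = nbns_broadcast_bit(payload)
    except ValueError:
        return "malformed"
    if src_port == NBNS_PORT and not bcast:
        return "normal"   # both ports 137, broadcast bit clear
    if src_port != NBNS_PORT and bcast:
        return "probe"    # source port not 137, broadcast bit set
    return "other"        # mixed case the post does not describe

def make_header(txid: int, flags: int) -> bytes:
    # Constructed 12-byte NBNS header: one question, no resource records.
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

# Constructed sample datagrams: (source port, destination port, UDP payload).
SAMPLES = [
    (137, 137, make_header(0x1234, 0x0000)),
    (1025, 137, make_header(0x0001, 0x0010)),
    (1030, 137, make_header(0x0002, 0x0010)),
    (4000, 137, make_header(0x0003, 0x0010)),
    (1026, 137, b"\x00\x01"),                  # truncated payload
    (137, 137, make_header(0x0005, 0x0110)),   # port 137 but B bit set
]

def summarize(samples):
    """Count labels and how many probe source ports fall in 1025-1036."""
    labels = Counter(classify(*s) for s in samples)
    probe_ports = [s[0] for s in samples if classify(*s) == "probe"]
    in_range = sum(1025 <= p <= 1036 for p in probe_ports)
    return labels, in_range, len(probe_ports)

if __name__ == "__main__":
    print(summarize(SAMPLES))
```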