Security Incidents mailing list archives

RE: Unusual volume: UDP:137 probes


From: Mark Forsyth <forsythm () optushome com au>
Date: Mon, 30 Sep 2002 23:09:38 +1000



On Monday, September 30, 2002 10:05 PM, Brett Procter 
[SMTP:Brett.Procter () bigpond com] wrote:

  Hmm,

    Internode ADSL (Adelaide Aust)

  15 hits yesterday, 38 so far today (22:04 GMT+10), 1 from local
  network yesterday, 5 today.

Yes. I'm starting to see iprimus, rivernet and tpgi as well as internode 
since my last mail.

It also seems that I may have lied when I said that the packets look like 
normal packets. From my experimenting at home it looks to me like normal 
packets have both the source and destination ports being 137 and don't 
normally have the broadcast bit set. In my logs there are none of these 
packets with a source port of 137 and the broadcast bit is always set. Most 
source ports are between 1025 and 1036 with only a small percentage outside 
this range.

It also seems that the _rate_ at which I'm getting the hits is increasing 
too.

Interesting indeed. I wonder what it all means.

Ooroo
Mark Forsyth

<snip>
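
The port and broadcast-bit comparison described in the message above, as an added example that is not part of the original post. It assumes the broadcast flag is the B bit (0x0010) of the NBNS header flags field as defined in RFC 1002; the function names and the sample datagrams are constructed for illustration.

```python
import struct
from collections import Counter

NBNS_PORT = 137
BROADCAST_FLAG = 0x0010  # B bit of NM_FLAGS in the NBNS header (RFC 1002)

def nbns_broadcast_set(payload: bytes) -> bool:
    """Return True if the broadcast (B) bit is set in the NBNS header."""
    if len(payload) < 12:  # the fixed NBNS header is 12 bytes
        raise ValueError("truncated NBNS header")
    _txid, flags = struct.unpack("!HH", payload[:4])
    return bool(flags & BROADCAST_FLAG)

def classify(src_port: int, dst_port: int, payload: bytes) -> str:
    """Apply the heuristic from the message to one UDP datagram."""
    if dst_port != NBNS_PORT:
        return "not-nbns"
    try:
        bcast = nbns_broadcast_set(payload)
    except ValueError:
        return "malformed"
    if src_port == NBNS_PORT and not bcast:
        return "normal-looking"   # what the poster saw from his own hosts
    if src_port != NBNS_PORT and bcast:
        return "probe-like"       # what the poster saw in his logs
    return "other"

def make_header(txid: int, flags: int) -> bytes:
    # Constructed 12-byte header: one question, no other records.
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

# Constructed sample datagrams: (src_port, dst_port, UDP payload)
SAMPLES = [
    (137, 137, make_header(0x0001, 0x0000)),
    (1027, 137, make_header(0x0002, 0x0010)),
    (1033, 137, make_header(0x0003, 0x0010)),
    (4500, 137, make_header(0x0004, 0x0010)),
    (1030, 137, b"\x00\x05"),                  # too short to parse
    (1029, 53, make_header(0x0006, 0x0010)),   # not addressed to UDP/137
]

def summarize(samples):
    """Count verdicts and probe-like hits with a source port in 1025-1036."""
    verdicts = Counter(classify(*s) for s in samples)
    in_range = sum(1 for s, d, p in samples
                   if classify(s, d, p) == "probe-like" and 1025 <= s <= 1036)
    return verdicts, in_range

if __name__ == "__main__":
    print(summarize(SAMPLES))
```
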
