Security Incidents mailing list archives

Re: Scan UDP port 135


From: "Michael H. Warfield" <mhw () wittsend com>
Date: Tue, 28 Jan 2003 22:18:02 -0500

On Tue, Jan 28, 2003 at 12:28:33PM -0300, Gkruel wrote:
> I've noticed that since 01/24 00:14 GMT -0200, til today, different IPs
> started to scan my whole network for UDP port 135.
>
> They send one packet each 30 seconds, one for each IP of my whole range.
>
> The source IPs are different from any IP sending the slammer worm for me,
> so it doesn't seem to have any relation.

        It's not a scan.  It's spam.  They've figured out that they
can send "pop-up" alerter messages to open Windows boxen in a single
UDP packet so they're laying back and firing at will.  I heard a report
of one such spammer firing off at 5 Mbps continuous.  Only reason he was
tracked back was that his ISP doesn't allow spoofed packets (HINT TO THE
REST OF YOU) and so the source addresses were legit.  I actually have
some sample packets in hand (some captured in the wild, some provided
to me) and they even work when transmitted to broadcast addresses and
"network addresses" (the all zeros address) (SECOND HINT - BLOCK DIRECTED
BROADCASTS AND SUBNET ADDRESSES).  Net (excuse the pun) result is that
if you have vulnerable hosts on a network, they get three for the price
of one as these chumps hit first your network address, then the unicast
address, then the broadcast address.

        Microsoft even has a KB article on it.

        <http://support.microsoft.com/?id=330904>

        They now recommend blocking numerous Netbios/Windows related
ports.  Not enough, yet, considering MS-SQL Spida and now MS-SQL Slammer.
Add 1433 and 1434 to the list they provide in their KB article, I guess. :-(

        Oh, the article predates the trick the spammers figured out
where they only need one packet and can spoof the source.  The article
was written when there were three or four packets and some handshaking.  It's
gotten MUCH worse since then.

> Here are some of them:
> - 208.62.233.151
> - 67.34.191.69
> - 65.217.17.36, 44, and 45
>
> I'm used to receiving tons of UDP 137, on random IPs, but never to my whole
> IP range.

        UDP 137 is mostly OpaServ and related MSTDs (MicroSoft Transmitted
Diseases).  I'm capturing piles of them in my honeypots.  :-(  The various
OpaServ variants lead the pack by an order of magnitude, beating out
even Nimda in netbios share propagation (which is in second place).

> Is it some other simple probe directed specifically to me, and I'm
> overreacting, or maybe something else? UDP 135 is used by MS Exchange
> (portmapper)...

        And supports the Netbios alerter service which is used for
administrative pop-up messages.  Old news.  Just getting worse.

> Thanks

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
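The pattern Mike describes (single UDP/135 packets, one per host across the whole range, plus hits on the network address and the directed broadcast) is easy to pick out of firewall logs once you look for it per source. The script below is an added example and is not part of the original thread or anything Mike or Gkruel posted. It parses constructed, iptables-style log lines (the log format, the 192.0.2.0/24 local range, the source addresses and the four-target threshold are all assumptions made for the example), groups UDP/135 traffic by source, and flags sources that either swept several unicast hosts or hit the network or broadcast address, which distinguishes this spam from a single stray probe.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the original thread). The
# local range is 192.0.2.0/24 (RFC 5737 documentation space), so the network
# address is 192.0.2.0 and the directed broadcast is 192.0.2.255.
SAMPLE_LOG = """\
Jan 28 00:14:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.0 PROTO=UDP SPT=1027 DPT=135
Jan 28 00:14:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=1027 DPT=135
Jan 28 00:14:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.255 PROTO=UDP SPT=1027 DPT=135
Jan 28 00:14:32 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=UDP SPT=1027 DPT=135
Jan 28 00:15:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=UDP SPT=1027 DPT=135
Jan 28 00:15:32 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.13 PROTO=UDP SPT=1027 DPT=135
Jan 28 00:16:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.14 PROTO=UDP SPT=1027 DPT=135
Jan 28 00:20:11 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.40 PROTO=UDP SPT=137 DPT=137
Jan 28 00:20:15 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.41 PROTO=UDP SPT=137 DPT=137
Jan 28 00:21:00 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.50 DST=192.0.2.25 PROTO=TCP SPT=51000 DPT=443
"""

# Fields of interest in the assumed log format.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Yield (src, dst, proto, dport) for every line matching the log format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def classify_udp135_sources(text, local_net, min_targets=4):
    """Group UDP/135 traffic into our range by source and flag sweep-like sources.

    A source is reported if it touched at least `min_targets` distinct unicast
    hosts (the one-packet-per-host sweep) or if it aimed at the network address
    or directed broadcast (the "three for the price of one" trick).
    """
    net = ipaddress.ip_network(local_net)
    per_src = defaultdict(lambda: {"unicast": set(), "net_addr": False, "bcast": False})

    for src, dst, proto, dport in parse_log(text):
        if proto != "UDP" or dport != 135:
            continue
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip not in net:
            continue
        entry = per_src[src]
        if dst_ip == net.network_address:
            entry["net_addr"] = True
        elif dst_ip == net.broadcast_address:
            entry["bcast"] = True
        else:
            entry["unicast"].add(dst)

    report = {}
    for src, e in per_src.items():
        sweep = len(e["unicast"]) >= min_targets
        amplified = e["net_addr"] or e["bcast"]
        if not (sweep or amplified):
            continue
        report[src] = {
            "unicast_targets": len(e["unicast"]),
            "hit_network_address": e["net_addr"],
            "hit_broadcast": e["bcast"],
            "verdict": "udp/135 range sweep" if sweep else "network/broadcast address probe",
        }
    return report


if __name__ == "__main__":
    for src, info in classify_udp135_sources(SAMPLE_LOG, "192.0.2.0/24").items():
        print(src, info)
```

Run as-is, it reports only 198.51.100.7: five unicast hosts plus the network and broadcast addresses, while the UDP/137 source and the ordinary TCP/443 connection are left alone. In practice you would feed it the real log and your own prefix, and a source that lands in the report is a candidate for the border filters Mike recommends (dropping the Windows/Netbios ports inbound and refusing directed broadcasts and subnet addresses) rather than something to investigate as a targeted scan.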
