Snort mailing list archives

RE: portscan destination port 137


From: Security Admin <SecurityAdmin () hyprotech com>
Date: Thu, 14 Nov 2002 12:42:22 -0700

I've seen these regularly over the past couple of weeks. Dshield.org is
reporting its top attacking IP is scanning port 137. And incidents.org has
the following...
http://isc.incidents.org/port_details.html?port=137

We now believe that these port 137 scans are due to the 'Bugbear'
mass mailing virus and the 'Scrup' worm. 

Bugbear: 
http://www.mcafee.com/anti-virus/viruses/bugbear/

Scrup:
http://vil.mcafee.com/dispVirus.asp?virus_k=99729

http://isc.incidents.org/analysis.html?id=170

-----Original Message-----
From: twig les [mailto:twigles () yahoo com] 
Sent: Thursday, November 14, 2002 12:11 PM
To: Michael; snort-users () sourceforge net
Subject: Re: [Snort-users] portscan destination port 137

Since udp 137 is a well-known M$ port this could be
normal, but it's worth checking.  No one with a source
IP that you don't know should be hitting that port
anyway (to be frank, no one at all should be hitting
that port).  So check the target for vulnerability
(file and print sharing, shares, non-renamed
administrator account....) and see if the source is an
attacker.


--- Michael <snorter () gmx net> wrote:
Hello !!!

I'm using Snort 1.9.0 and I am getting many alerts (portscans) like this:

11/07-05:38:45.031223  UDP src: 210.139.70.184 dst: xxx.yyy.zzz.223 sport: 1026 dport: 137 tgts: 8 ports: 8 event_id: 682

Sometimes there are more than a hundred portscans a day. Every time the
destination port is 137.
Is this a real portscan or something else?
Is it possible to ignore portscans to a specific port?

Thanks for your help,
Michael





-------------------------------------------------------
This sf.net email is sponsored by: To learn the
basics of securing 
your web site with SSL, click here to get a FREE
TRIAL of a Thawte 
Server Certificate:
http://www.gothawte.com/rd524.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or
unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:

http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself

-----------------------------------------------------------
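
The following is an added example, not from the thread or the Snort project: it parses portscan alerts in the format Michael quoted, counts them per destination port, and lists sources outside your own networks that hit port 137, which is the check twig les suggests. The sample alerts and the known-network list are constructed, and it assumes each alert sits on one line.

```python
import ipaddress
import re
from collections import Counter

# Field layout taken from the alert quoted in the thread; dst may be masked.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<proto>\w+)\s+"
    r"src:\s*(?P<src>\S+)\s+dst:\s*(?P<dst>\S+)\s+"
    r"sport:\s*(?P<sport>\d+)\s+dport:\s*(?P<dport>\d+)\s+"
    r"tgts:\s*(?P<tgts>\d+)\s+ports:\s*(?P<ports>\d+)\s+event_id:\s*(?P<event_id>\d+)\s*$"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "tgts", "ports", "event_id"):
        rec[key] = int(rec[key])
    return rec

def is_known(src, nets):
    """True if src parses as an IP address inside one of the known networks."""
    try:
        return any(ipaddress.ip_address(src) in n for n in nets)
    except ValueError:
        return False  # masked or malformed source: treat as unknown

def triage(lines, known_nets, port=137):
    """Count alerts per (proto, dport) and tally unknown sources hitting `port`."""
    nets = [ipaddress.ip_network(n) for n in known_nets]
    per_port = Counter()
    unknown = Counter()
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue  # not a portscan alert, skip it
        per_port[(rec["proto"], rec["dport"])] += 1
        if rec["dport"] == port and not is_known(rec["src"], nets):
            unknown[rec["src"]] += 1
    return per_port, dict(unknown)

# Constructed sample alerts (documentation address ranges, not real traffic).
SAMPLE = [
    "11/07-05:38:45.031223  UDP src: 203.0.113.184 dst: 192.0.2.223 sport: 1026 dport: 137 tgts: 8 ports: 8 event_id: 682",
    "11/07-06:02:10.500100  UDP src: 203.0.113.184 dst: 192.0.2.17 sport: 1027 dport: 137 tgts: 9 ports: 9 event_id: 683",
    "11/07-06:15:33.120000  UDP src: 192.0.2.40 dst: 192.0.2.223 sport: 137 dport: 137 tgts: 3 ports: 3 event_id: 684",
    "11/07-07:41:02.000321  TCP src: 198.51.100.9 dst: 192.0.2.223 sport: 4021 dport: 80 tgts: 5 ports: 5 event_id: 685",
    "not a portscan alert line",
]
```

Calling `triage(SAMPLE, ["192.0.2.0/24"])` returns the per-port counts and the unknown sources seen on port 137.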



