Snort mailing list archives

Is this an attack in the making?


From: Michael Esposito <michael.esposito () juno com>
Date: Sun, 26 Oct 2003 19:50:50 -0500

I've picked up UDP 137 alerts from several of my internal machines
attempting to connect to a machine with an external IP address of
66.223.110.226.

When I connect to the web server on that IP address, I notice three
files:

Name                Last Modified                 Size  Description
EyeURL.html         Mon Jul 07 15:04:26 EDT 2003  1430  File
HiddenApplet.class  Mon Sep 23 16:47:02 EDT 2002  2090  File
HttpMessage.class   Mon Sep 23 16:47:02 EDT 2002  3842  File



1)  What would be causing my machines to attempt to connect to an
external UDP 137 port?

2)  I heard that there was a UDP port 137 attack a while back.  Can
anyone provide me with the specifics on this attack and if a Snort
signature rule exists?

3)  Are these files on the above-mentioned site malicious?

Thanks,

Michael
