Snort mailing list archives

Re: Is this an attack in the making?


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 27 Oct 2003 13:13:30 -0500

At 07:50 PM 10/26/2003, Michael Esposito wrote:
I've picked up UDP 137 alerts from several of my internal machines attempting to connect to a machine with an external IP address of 66.223.110.226.

When I connect to the web server on that IP address, I notice three files:


Name                 Last Modified                 Size  Description
EyeURL.html          Mon Jul 07 15:04:26 EDT 2003  1430  File
HiddenApplet.class   Mon Sep 23 16:47:02 EDT 2002  2090  File
HttpMessage.class    Mon Sep 23 16:47:02 EDT 2002  3842  File


1) What would be causing my machines to attempt to connect to an external udp 137 port?

137 is netbios-name. Many windows machines will attempt to connect to it as an alternative to doing a reverse DNS lookup. Since 66.223.110.226 has no reverse DNS records, your clients are probably trying netbios-name as a fall-back. It's probably hosting some advertising images, or some other such thing, which is referred to from another site your users are visiting.

According to whois, the IP is owned by interland.com, a web hosting company, so that IP address is probably a vhost for several websites.


2) I heard that there was a udp port 137 attack a while back. Can anyone provide me with the specifics on this attack and if a Snort signature rule exists?

I've heard of lots of vulnerabilities in the tcp based netbios ports (139, 135), but not of one in netbios-name udp services (137). Even the really old "winnuke" vulnerability was a netbios tcp port issue.

The blaster worm was exploiting tcp/139, which is what you might be thinking of.


3) Are these files on the above-mentioned site malicious?

They don't seem to be, but I've not examined them very closely.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
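As an added example (not part of the original thread and not code from either poster): a small Python decoder for NetBIOS Name Service (udp/137) requests, to make the fall-back behaviour discussed above concrete. When a Windows host cannot reverse-resolve an address, it sends a node-status (NBSTAT) request for the wildcard name "*" directly to that IP; an analyst looking at the udp/137 alerts can decode the question name and type to tell that fall-back apart from an ordinary NetBIOS name query. The code assumes only the standard RFC 1001/1002 first-level name encoding; the two sample packets are constructed for the example, not captured traffic, and the hostname FILESRV01 and transaction IDs are made up.

```python
"""
Added example: decode NetBIOS Name Service (udp/137) requests and tell the
wildcard node-status query (the reverse-DNS fall-back) apart from an
ordinary name query.  Sample packets are constructed, not captured.
"""
import struct

NBSTAT = 0x21   # node status request (what nbtstat -A and the rDNS fall-back send)
NB = 0x20       # ordinary NetBIOS name query


def decode_first_level(encoded: bytes) -> bytes:
    """Undo RFC 1002 first-level encoding: each byte was split into two
    nibbles and each nibble written as 'A' + nibble, so 32 chars -> 16 bytes."""
    if len(encoded) != 32 or any(c < 0x41 or c > 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    out = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        out.append(((hi - 0x41) << 4) | (lo - 0x41))
    return bytes(out)


def parse_nbns_request(pkt: bytes) -> dict:
    """Parse the 12-byte header and the single question of an NBNS request."""
    if len(pkt) < 12 + 1 + 32 + 1 + 4:
        raise ValueError("packet too short for an NBNS question")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000:
        raise ValueError("response, not a request")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    if pkt[12] != 32:
        raise ValueError("first label must be 32 bytes")
    raw = decode_first_level(pkt[13:45])
    if pkt[45] != 0:
        raise ValueError("NetBIOS scope IDs are not handled by this example")
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    name, suffix = raw[:15], raw[15]       # 15 name bytes + 1 suffix byte
    return {
        "txid": txid,
        "qtype": qtype,
        "qclass": qclass,
        "name": name.rstrip(b" \x00").decode("ascii", "replace"),
        "suffix": suffix,
        # The fall-back is an NBSTAT query for "*" padded with NULs.
        "is_rdns_fallback": qtype == NBSTAT and name == b"*" + b"\x00" * 14,
    }


def encode_first_level(name: bytes, pad: bytes, suffix: int) -> bytes:
    """Inverse of decode_first_level; used here only to build sample packets."""
    raw = name.ljust(15, pad)[:15] + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)


def build_request(txid: int, name: bytes, pad: bytes, suffix: int, qtype: int) -> bytes:
    header = struct.pack("!6H", txid, 0x0000, 1, 0, 0, 0)
    question = bytes([32]) + encode_first_level(name, pad, suffix) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 0x0001)


# Constructed sample packets (hypothetical values, not captured traffic).
# 1. Reverse-DNS fall-back: node-status request for "*", NUL padded.
#    The encoded name is "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
RDNS_FALLBACK = build_request(0x1234, b"*", b"\x00", 0x00, NBSTAT)
# 2. Ordinary name query for a (made-up) file server, space padded, suffix <20>.
NAME_QUERY = build_request(0x5678, b"FILESRV01", b" ", 0x20, NB)


def classify(pkt: bytes) -> str:
    q = parse_nbns_request(pkt)
    if q["is_rdns_fallback"]:
        return "wildcard node-status (reverse-lookup fallback)"
    if q["qtype"] == NB:
        return f"name query for {q['name']}<{q['suffix']:02X}>"
    return f"node-status for {q['name']}<{q['suffix']:02X}>"


if __name__ == "__main__":
    for sample in (RDNS_FALLBACK, NAME_QUERY):
        print(classify(sample))
```

Run against the payload of a udp/137 alert, the first case is what the original poster's clients most likely sent: a wildcard node-status request aimed at a host with no PTR record, which is noisy but not by itself evidence of an attack. A query for a specific name, or a burst of such queries across many external addresses, would be the thing worth a closer look.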