Welcome to the Virus.Org Mailing List Archive




Re: Strange logs

  • To: [EMAIL PROTECTED]
  • Subject: Re: Strange logs
  • From: Camillo Särs <[EMAIL PROTECTED]>
  • Date: Tue, 02 Jan 2001 17:30:58 +0100
  • In-reply-to: <[EMAIL PROTECTED]>
 
Devdas Bhagat wrote:
> I am getting UDP packets from port 137 on various machines to port 53
> on my secondary nameserver.

Looks like WINS resolution attempts through DNS.

> These have been coming continuously since morning (about 9 hrs now), and
> currently form half my logfile (rotated on Sunday at 4 am). No such
> traces on the primary nameserver, and I use the same rules on both. Any
> explanations of what this could be?
> An attempted exploit or just a misconfigured File and Print share
> (given the originating port)?

Probably a Windows PC which has a misconfigured (or missing) WINS entry.
Windows will in some cases (depends on configuration) fall back to DNS
lookups to resolve host names for WINS.  AFAIK, Windows DNS lookups are
pretty hairily implemented, so falling back to a secondary name server
seems "normal" ;)  Have you checked to see if such traffic to your primary
nameserver might perhaps be silently blocked, causing the fall-back?

I have set up explicit rules to silently ignore lookups of this type,
because Windows 137-139 ports tend to cause a lot of "noise" anyway.  Mind
you, you would still do well to log any normal NetBIOS traffic attempts, as
they quite often indicate worm activity.

Regards,
Camillo
--
Camillo Särs <[EMAIL PROTECTED]>       http://www.iki.fi/ged/
Security Researcher, F-Secure Corporation      http://www.F-Secure.com

   F-Secure products: Securing the Mobile, Distributed Enterprise
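
Added example (not part of the original message, and not F-Secure code): a small triage script that separates the UDP 137-to-53 lookups discussed in this thread from traffic aimed at the NetBIOS ports 137-139, which the reply recommends continuing to log. The netfilter-style log format, the addresses and the function names are constructed assumptions; the thread does not say which firewall produced the logs.

```python
import re
from collections import Counter

# Constructed sample lines in netfilter LOG style (an assumption; the thread
# does not name the firewall or its log format). Addresses are documentation ranges.
SAMPLE_LOG = """\
Jan  2 09:01:11 ns2 kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.53 PROTO=UDP SPT=137 DPT=53 LEN=58
Jan  2 09:01:14 ns2 kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.53 PROTO=UDP SPT=137 DPT=53 LEN=58
Jan  2 09:02:40 ns2 kernel: IN=eth0 SRC=192.0.2.77 DST=198.51.100.53 PROTO=UDP SPT=137 DPT=53 LEN=58
Jan  2 09:03:02 ns2 kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.53 PROTO=TCP SPT=4312 DPT=139 LEN=48
Jan  2 09:03:05 ns2 kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.53 PROTO=UDP SPT=1025 DPT=137 LEN=78
Jan  2 09:04:19 ns2 kernel: IN=eth0 SRC=192.0.2.200 DST=198.51.100.53 PROTO=UDP SPT=33012 DPT=53 LEN=61
"""

FIELD = re.compile(r"(\w+)=(\S+)")
NETBIOS_PORTS = {137, 138, 139}

def classify(line):
    """Return (category, source_ip) for one log line, or None if unparsable."""
    f = dict(FIELD.findall(line))
    try:
        proto, spt, dpt, src = f["PROTO"], int(f["SPT"]), int(f["DPT"]), f["SRC"]
    except (KeyError, ValueError):
        return None
    # NetBIOS name-service source port hitting DNS: the WINS fall-back lookups.
    if proto == "UDP" and spt == 137 and dpt == 53:
        return ("wins_via_dns", src)
    # Traffic aimed at the NetBIOS ports themselves: worth keeping in the log.
    if dpt in NETBIOS_PORTS:
        return ("netbios_attempt", src)
    return ("other", src)

def triage(log_text):
    """Count hits per source in each category so the noise is summarised."""
    result = {"wins_via_dns": Counter(), "netbios_attempt": Counter(), "other": Counter()}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            result[hit[0]][hit[1]] += 1
    return result

if __name__ == "__main__":
    for category, sources in triage(SAMPLE_LOG).items():
        print(category, dict(sources))
```

The per-source counts under wins_via_dns point at the individual Windows hosts whose WINS configuration needs checking.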







 