Virus.Org Mailing List Archive

Re: Can anyone guess at this "scan"??

  • To: [EMAIL PROTECTED]
  • Subject: Re: Can anyone guess at this "scan"??
  • From: "Los, Ralph" <[EMAIL PROTECTED]>
  • Date: Thu, 11 Jan 2001 20:38:38 +0100
 
Thanks all,
	In reply to some of the questions:

	The logging utility here, unfortunately, is a SonicWall Pro.  The
destination network (one of mine) is completely isolated from the one that
is the source - meaning, there should ordinarily be NO traffic from them to
us of this nature.  Also, the machine on the other end has been reported by
them to be a *NIX box...mine is, yes, a firewall hiding a completely MS
network.

	I wish I could get packet dumps for you, but I don't have that
facility, and as I'm relatively new to this type of task, I don't even have
a facility set up to do such a task...learning quickly.

	Maybe this'll help someone track this down...the other end has been
relatively slow in responding, but they swore they would investigate.  I
will post again should I hear any more news from their security team.  In
the meantime, ...is there a tool out there that is known to run from a *NIX
box that would be doing NetBIOS scans like the one seen below in my post?

Thanks everyone...

Ralph M. Los
Sr. Internet Systems & Security Admin.    (312) 827-3945 (direct)
EnvestNet Advisory Corp.                  (312) 296-9003 (wireless)
[EMAIL PROTECTED]


-----Original Message-----
From: Jigal Weinberg [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 11, 2001 6:00 AM
To: Los, Ralph
Cc: [EMAIL PROTECTED]
Subject: Re: Can anyone guess at this "scan"??


On Wed, 10 Jan 2001, Los, Ralph wrote:

>
> 01/09/2001 04:34:36.928 - 	UDP packet dropped -
> Source:other.net.11.66, 928, WAN - 	Destination:My.sub.net.162, 137, LAN
> - 	 - 	
> 01/09/2001 04:41:23.416 - 	UDP packet dropped -
> Source:other.net.11.66, 642, WAN - 	Destination:My.sub.net.162, 137, LAN
> - 	 - 	
> 01/09/2001 04:50:59.592 - 	UDP packet dropped -
> Source:other.net.11.66, 949, WAN - 	Destination:My.sub.net.162, 137, LAN
> - 	 - 	
> 01/09/2001 04:57:10.336 - 	UDP packet dropped -
> Source:other.net.11.66, 690, WAN - 	Destination:My.sub.net.162, 137, LAN
> - 	 - 	
> 01/09/2001 05:05:04.480 - 	UDP packet dropped -
> Source:other.net.11.66, 872, WAN - 	Destination:My.sub.net.162, 137, LAN
> - 	 - 	

Have you checked the traffic from destination to source?
Maybe it could be something Samba.
netbios-ns      137/udp
Maybe something with Windows domain controller stuff.
Periodic announcing of its NetBIOS name.


hope it helps


Greets

J . Weinberg



--
Mr. Orange:
	Motherfucker, I don't even know what 10 dollars worth looks like.
	- <Reservoir Dogs>
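
Added example (not part of the original thread or written by either poster): a short Python summary of the quoted SonicWall entries, reporting per source which targets were touched, which source ports were used, and the spacing between drops. The regular expression assumes the entry layout exactly as quoted above; the sample text is copied from that quote with the poster's redacted addresses.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# The five entries quoted in the thread (addresses are the poster's redacted placeholders).
SAMPLE = """\
01/09/2001 04:34:36.928 - UDP packet dropped -
Source:other.net.11.66, 928, WAN - Destination:My.sub.net.162, 137, LAN
01/09/2001 04:41:23.416 - UDP packet dropped -
Source:other.net.11.66, 642, WAN - Destination:My.sub.net.162, 137, LAN
01/09/2001 04:50:59.592 - UDP packet dropped -
Source:other.net.11.66, 949, WAN - Destination:My.sub.net.162, 137, LAN
01/09/2001 04:57:10.336 - UDP packet dropped -
Source:other.net.11.66, 690, WAN - Destination:My.sub.net.162, 137, LAN
01/09/2001 05:05:04.480 - UDP packet dropped -
Source:other.net.11.66, 872, WAN - Destination:My.sub.net.162, 137, LAN
"""

# Assumed layout: timestamp - PROTO packet dropped - Source:host, port, IF - Destination:host, port, IF
ENTRY = re.compile(
    r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3})\s*-\s*(\w+) packet dropped\s*-\s*"
    r"Source:([^,\s]+),\s*(\d+),\s*\w+\s*-\s*Destination:([^,\s]+),\s*(\d+),\s*\w+")

def parse(text):
    """Yield (timestamp, proto, src, sport, dst, dport) for each dropped-packet entry."""
    for ts, proto, src, sport, dst, dport in ENTRY.findall(text):
        when = datetime.strptime(ts, "%m/%d/%Y %H:%M:%S.%f")
        yield (when, proto, src, int(sport), dst, int(dport))

def summarize(text):
    """Per source: targets hit, source ports used, and gaps in seconds between drops."""
    by_src = defaultdict(list)
    for rec in parse(text):
        by_src[rec[2]].append(rec)
    out = {}
    for src, recs in by_src.items():
        recs.sort()  # chronological order, since the timestamp is the first field
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        out[src] = {
            "targets": sorted({(r[4], r[5]) for r in recs}),
            "src_ports": [r[3] for r in recs],
            "gaps_s": gaps,
            "mean_gap_s": round(mean(gaps), 1) if gaps else None,
        }
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the quoted entries this reports one target (port 137 on a single host), five different source ports all below 1024, and gaps of roughly six to ten minutes between drops.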