Welcome to the Virus.Org Mailing List Archive
Re: Can anyone guess at this "scan"??

  • To: [EMAIL PROTECTED]
  • Subject: Re: Can anyone guess at this "scan"??
  • From: "Howard, Aaron" <[EMAIL PROTECTED]>
  • Date: Thu, 11 Jan 2001 20:56:10 +0100
udp 137 is netbios name service

We get boatloads of scans on this port.
Generally accepted as script kiddies
looking for Wintel machines with
file/print-sharing on for further
exploitation.

Although, it can often just be
misconfigured Wintel machines trying to
do netbios name resolution.

As far as the timing goes, it looks
like this:

----------- first packet
+6m 46.488s second packet
+9m 36.176s third packet
+6m 10.744s fourth packet
+7m 54.144s fifth packet

I'm not sure I see a pattern other than
even packets come with less delay than
odd packets.  Still, it doesn't seem
programmatic to me.

When you say you spoke to a network OPS
person "over at the company" you mean
from the originator of this traffic?

If so, and if they are cooperative, why
not just get someone there to check the
machine to see what's going on with it?

Further packet logging would help pin
down if there is a real pattern and
actual packet captures with payload
would help identify what the real purpose
of the traffic is.

For more info about port 137 scanning see:

http://www.sans.org/newlook/resources/IDFAQ/port_137.htm

and

http://www.robertgraham.com/pubs/firewall-seen.html#10

-Aaron
==
Aaron Howard, CCNA, CNE, MCSE, RHCE
The Computer Group, Inc.
[EMAIL PROTECTED]
pgp key on public key servers


> -----Original Message-----
> From: rlos [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 10, 2001 6:21 PM
> To: INCIDENTS
> Cc: rlos
> Subject: Can anyone guess at this "scan"??
> Importance: High
>
>
> Hey all,
>
> 	Can someone maybe give me a clue where to dig on finding out what
> this type of "scan" is?...whether it's anything known?
>
> 01/09/2001 04:34:36.928 - UDP packet dropped - Source:other.net.11.66, 928, WAN - Destination:My.sub.net.162, 137, LAN
> 01/09/2001 04:41:23.416 - UDP packet dropped - Source:other.net.11.66, 642, WAN - Destination:My.sub.net.162, 137, LAN
> 01/09/2001 04:50:59.592 - UDP packet dropped - Source:other.net.11.66, 949, WAN - Destination:My.sub.net.162, 137, LAN
> 01/09/2001 04:57:10.336 - UDP packet dropped - Source:other.net.11.66, 690, WAN - Destination:My.sub.net.162, 137, LAN
> 01/09/2001 05:05:04.480 - UDP packet dropped - Source:other.net.11.66, 872, WAN - Destination:My.sub.net.162, 137, LAN
>
>
> 	The scans come at a seemingly timed interval, and after speaking
> with one of the network OPS personnel over at the company, it appears to be
> an unconfirmed version of *nix with some sort of mail program running on it.
> I've seen this scan pattern before and couldn't trace it down, this time I'm
> hoping to be able to pinpoint the cause.
>
> 	Thanks in advance for the forensics support.
>
>
> Ralph M. Los
> Sr. Internet Systems & Security Admin.    (312) 827-3945 (direct)
> EnvestNet Advisory Corp.                  (312) 296-9003 (wireless)
> [EMAIL PROTECTED]
>
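Working through the quoted firewall log in code, as an added example that is not part of either poster's message: the script parses the five dropped-packet lines (re-joined onto one line each; hosts are as masked by the poster), recomputes the inter-arrival gaps listed in the reply, measures how much those gaps vary (a loop sleeping a fixed interval would show a spread near zero), and flags any source that hits UDP 137 repeatedly inside a time window. That last check is what a log-triage script would run before deciding whether a source looks like a name-service sweep or a misconfigured NetBIOS resolver. The threshold of three hits and the one-hour window are assumptions for the example, not values from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The five firewall log lines quoted in the original post, re-joined onto one
# line each (the archive wrapped them); host names are as masked by the poster.
FIREWALL_LOG = """\
01/09/2001 04:34:36.928 - UDP packet dropped - Source:other.net.11.66, 928, WAN - Destination:My.sub.net.162, 137, LAN
01/09/2001 04:41:23.416 - UDP packet dropped - Source:other.net.11.66, 642, WAN - Destination:My.sub.net.162, 137, LAN
01/09/2001 04:50:59.592 - UDP packet dropped - Source:other.net.11.66, 949, WAN - Destination:My.sub.net.162, 137, LAN
01/09/2001 04:57:10.336 - UDP packet dropped - Source:other.net.11.66, 690, WAN - Destination:My.sub.net.162, 137, LAN
01/09/2001 05:05:04.480 - UDP packet dropped - Source:other.net.11.66, 872, WAN - Destination:My.sub.net.162, 137, LAN
"""

NETBIOS_NS_PORT = 137  # NetBIOS name service, the port every line above hits

# One firewall line: timestamp, verdict, then "Source:host, port, zone" and
# "Destination:host, port, zone", all separated by " - ".
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) - "
    r"(?P<proto>\w+) packet dropped - "
    r"Source:(?P<src>[^,]+), (?P<sport>\d+), (?P<szone>\w+) - "
    r"Destination:(?P<dst>[^,]+), (?P<dport>\d+), (?P<dzone>\w+)$"
)


def parse_log(text):
    """Return one dict per parseable line, sorted by timestamp."""
    events = []
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse tabs/double spaces the archive added
        m = LINE_RE.match(line)
        if not m:
            continue  # separator lines such as "- -" carry no event
        events.append({
            "ts": datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S.%f"),
            "proto": m["proto"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def inter_arrival(events):
    """Gaps between consecutive events as timedeltas (n-1 values for n events)."""
    return [b["ts"] - a["ts"] for a, b in zip(events, events[1:])]


def format_delta(delta):
    """Render a gap the way the reply does, e.g. '+6m 46.488s', using exact ms math."""
    total_ms = delta // timedelta(milliseconds=1)
    minutes, ms = divmod(total_ms, 60_000)
    return f"+{minutes}m {ms // 1000}.{ms % 1000:03d}s"


def interval_spread_ms(deltas):
    """Longest gap minus shortest gap in ms. A loop sleeping a fixed interval
    gives a spread near zero; hand-driven or event-driven traffic does not."""
    ms = [d // timedelta(milliseconds=1) for d in deltas]
    return max(ms) - min(ms)


def repeated_port_hits(events, dport=NETBIOS_NS_PORT, min_hits=3,
                       window=timedelta(hours=1)):
    """Sources that hit `dport` at least `min_hits` times inside any `window`.
    Threshold and window are assumptions for this example, not from the post.
    Returns {source: total hits on dport}."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] == dport:
            by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, stamps in by_src.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:  # slide the window's left edge forward
                lo += 1
            if hi - lo + 1 >= min_hits:
                flagged[src] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(FIREWALL_LOG)
    gaps = inter_arrival(evs)
    print("----------- first packet")
    for g in gaps:
        print(format_delta(g))
    print(f"spread between shortest and longest gap: {interval_spread_ms(gaps)} ms")
    print("repeated UDP/137 sources:", repeated_port_hits(evs))
```

Run on the quoted log it reproduces the four gaps from the reply; the spread between the shortest and longest gap is a little over three minutes, which is the quantitative version of the reply's remark that the timing does not look like a fixed timer. Swapping in a real firewall export and raising the window or threshold gives a first-pass filter for the "boatloads" of port 137 traffic the reply describes.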

Copyright (c) Virus.Org 1997-2006.
All Trademarks Acknowledged.