Subject: Weird UDP packets
From: Damian Gerow (damian ITACTICS.COM)
Date: Mon Mar 06 2000 - 14:55:13 CST
- Next message: Russell Fulton: "lots of interest in port 109 (POP2)"
- Previous message: Chuck Phillips: "Re: Cracked; rootkit - entrapment question?"
- Next in thread: Pavel Kankovsky: "Re: Weird UDP packets"
- Reply: Pavel Kankovsky: "Re: Weird UDP packets"
- Reply: Derek Becker: "Re: Weird UDP packets"
- Reply: Rich Corbett: "Re: Weird UDP packets"
- Reply: Robert Graham: "Re: Weird UDP packets"
I've been watching my firewall logs, and in the past week something has
cropped up. The firewall (all packets _do_ have a destination of the
firewall) is a filtering, forwarding firewall protecting both Linux and
NT servers. It does not run Samba, only SSH. The weird part of it is
that packets are coming from port 137 and going to port 137, and always
three packets from a different source each time. Can anyone help me
with this one?
Mar 3 04:57:42 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
24.161.140.236:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=3411 T=112
Mar 3 04:57:43 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
24.161.140.236:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=3667 T=112
Mar 3 04:57:45 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
24.161.140.236:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=4179 T=112
Mar 4 00:15:42 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
209.184.120.232:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=47942 T=110
Mar 4 00:15:43 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
209.184.120.232:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=48198 T=110
Mar 4 00:15:45 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
209.184.120.232:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=48454 T=110
Mar 4 13:40:06 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
209.99.67.16:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=28395 T=112
Mar 4 13:40:07 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
209.99.67.16:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=28651 T=112
Mar 4 13:40:09 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
209.99.67.16:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=28907 T=112
Mar 5 20:51:03 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
150.100.100.11:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=51733 T=122
Mar 5 20:51:04 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
150.100.100.11:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=59925 T=122
Mar 5 20:51:06 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP
150.100.100.11:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=790 T=122
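Added example, not part of the original post: a Python sketch that parses log lines in the format shown above, keeps the UDP 137-to-137 entries, and reports per source the packet count, the gaps between packets, and the IP ID deltas both as logged and with the two ID bytes swapped. The field meanings (I= as IP ID, T= as TTL) and the year 2000 (taken from the message date) are assumptions; the sample lines are copied from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Six of the log lines from the post, with the mail-wrapped halves rejoined.
SAMPLE = """\
Mar 3 04:57:42 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 24.161.140.236:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=3411 T=112
Mar 3 04:57:43 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 24.161.140.236:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=3667 T=112
Mar 3 04:57:45 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 24.161.140.236:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=4179 T=112
Mar 5 20:51:03 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 150.100.100.11:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=51733 T=122
Mar 5 20:51:04 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 150.100.100.11:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=59925 T=122
Mar 5 20:51:06 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 150.100.100.11:137 xxx.xxx.xxx.xxx:137 L=78:58 S=0x00 I=790 T=122
"""

# Assumed field meanings (ipchains-style log): I= is the IP ID, T= is the TTL.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: \S+ \S+ \S+ "
    r"PROTO=\w+ (?P<src>[\d.]+):(?P<sport>\d+) \S+:(?P<dport>\d+) "
    r"L=\S+ S=\S+ I=(?P<ipid>\d+) T=(?P<ttl>\d+)")

def swap16(v):
    """Swap the two bytes of a 16-bit value (the IP ID in the other byte order)."""
    return ((v & 0xFF) << 8) | (v >> 8)

def summarize(text, year=2000):
    """Group port 137 -> 137 entries by source and describe each burst."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m["sport"] == m["dport"] == "137":
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            by_src[m["src"]].append((ts, int(m["ipid"]), int(m["ttl"])))
    report = {}
    for src, pkts in by_src.items():
        pkts.sort()
        pairs = list(zip(pkts, pkts[1:]))
        report[src] = {
            "count": len(pkts),
            "gaps_s": [int((b[0] - a[0]).total_seconds()) for a, b in pairs],
            "ipid_deltas": [(b[1] - a[1]) % 65536 for a, b in pairs],
            "ipid_deltas_swapped": [(swap16(b[1]) - swap16(a[1])) % 65536 for a, b in pairs],
            "ttl": sorted({p[2] for p in pkts}),
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```

On these lines both sources show three packets with 1 s and 2 s gaps, and the IP ID steps of 256 and more as logged become small increments once the bytes are swapped.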