Subject: Odd UPD scan
From: David Meissner (dmeissner at PUNCHNETWORKS.COM)
Date: Wed Mar 15 2000 - 13:25:53 CST
- Next message: Boris Badenov: "Re: TCP port 3218"
- Previous message: Bob: "Re: Cracked; rootkit - entrapment question?"
- Next in thread: Rainer Weikusat: "Re: Odd UPD scan"
- Reply: Bill Pennington: "Re: Odd UPD scan"
- Reply: Grzegorz Janoszka: "Re: Odd UPD scan"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
For several weeks now I've noticed scans of UDP port 137, but the odd thing
is that the source address is spoofed as a private IP address. I don't
understand how this can be a probe, since they'll never see the replies. It
also doesn't seem like a DoS attack since it's a somewhat slow scan and it
doesn't go on for too long.
Sample log:
00:06:26.478367 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
00:06:27.951993 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
00:06:29.460189 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
00:06:32.475204 192.168.0.1.137 > aaa.bbb.ccc.fff.137: udp 50
00:06:32.475338 aaa.bbb.ccc.fff > 192.168.0.1: icmp: aaa.bbb.ccc.fff udp port 137 unreachable
00:06:33.979872 192.168.0.1.137 > aaa.bbb.ccc.fff.137: udp 50
00:06:33.980001 aaa.bbb.ccc.fff > 192.168.0.1: icmp: aaa.bbb.ccc.fff udp port 137 unreachable
00:06:35.480653 192.168.0.1.137 > aaa.bbb.ccc.fff.137: udp 50
00:06:35.480773 aaa.bbb.ccc.fff > 192.168.0.1: icmp: aaa.bbb.ccc.fff udp port 137 unreachable
00:06:38.491738 192.168.0.1.137 > aaa.bbb.ccc.ggg.137: udp 50
00:06:38.491874 aaa.bbb.ccc.ggg > 192.168.0.1: icmp: aaa.bbb.ccc.ggg udp port 137 unreachable
00:06:39.986622 192.168.0.1.137 > aaa.bbb.ccc.ggg.137: udp 50
00:06:39.986745 aaa.bbb.ccc.ggg > 192.168.0.1: icmp: aaa.bbb.ccc.ggg udp port 137 unreachable
00:06:41.497638 192.168.0.1.137 > aaa.bbb.ccc.ggg.137: udp 50
00:06:41.497771 aaa.bbb.ccc.ggg > 192.168.0.1: icmp: aaa.bbb.ccc.ggg udp port 137 unreachable
This activity goes on for about 40 minutes total to a number of other
addresses, then a similar sequence repeats about 10 minutes later but only
lasts a couple of minutes. About two hours later they repeat this again for
a couple more minutes. I've seen the same activity from source addresses
like 10.2.2.1. Maybe they're trying to guess our internal network numbers,
but what would be the point?
Can anyone suggest what might be going on?
Thanks,
David Meissner
Punch Networks
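An added example, not part of David's post: a small Python check that parses tcpdump lines in the shape of the log above, flags UDP/137 datagrams that arrive with an RFC 1918 source (which can never be a legitimate Internet sender, so the reply path the post wonders about does not exist), and summarizes per spoofed source how many targets were hit and how fast. The sample capture and its 203.0.113.x addresses are constructed.

```python
import ipaddress
import re
from datetime import datetime

# Constructed tcpdump excerpt shaped like the post's log (203.0.113.x stands in for
# the masked aaa.bbb.ccc.* targets); the ICMP line must be skipped by the parser.
SAMPLE_LOG = """\
00:06:26.478367 192.168.0.1.137 > 203.0.113.5.137: udp 50
00:06:27.951993 192.168.0.1.137 > 203.0.113.5.137: udp 50
00:06:32.475204 192.168.0.1.137 > 203.0.113.6.137: udp 50
00:06:32.475338 203.0.113.6 > 192.168.0.1: icmp: 203.0.113.6 udp port 137 unreachable
00:06:33.979872 192.168.0.1.137 > 203.0.113.6.137: udp 50
00:06:38.491738 10.2.2.1.137 > 203.0.113.7.137: udp 50
"""

UDP_LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                      r"(?P<dst>[\d.]+)\.(?P<dport>\d+): udp (?P<len>\d+)$")
# RFC 1918 only: ipaddress.is_private is wider and would also match the 203.0.113.x targets.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_udp(line):
    """Parse one tcpdump UDP line into a dict; ICMP and other lines give None."""
    m = UDP_LINE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["ts"] = datetime.strptime(pkt["ts"], "%H:%M:%S.%f")
    pkt["dport"] = int(pkt["dport"])
    return pkt

def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def spoofed_probes(log_text, dport=137):
    """Collect UDP datagrams to dport whose source is RFC 1918, keyed by that source."""
    hits = {}  # spoofed source -> [(timestamp, destination), ...]
    for line in log_text.splitlines():
        pkt = parse_udp(line)
        if pkt and pkt["dport"] == dport and is_rfc1918(pkt["src"]):
            hits.setdefault(pkt["src"], []).append((pkt["ts"], pkt["dst"]))
    return hits

def summarize(hits):
    """Per spoofed source: packet count, distinct targets, median inter-packet gap (s)."""
    report = {}
    for src, events in hits.items():
        times = sorted(t for t, _ in events)
        gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
        report[src] = {"packets": len(events), "targets": len({d for _, d in events}),
                       "median_gap_s": gaps[len(gaps) // 2] if gaps else None}
    return report
```

Run it against `tcpdump -n udp port 137` output from the outside interface; a steady gap of a second or two across a growing set of targets, as in the log above, is the sweep signature, and the spoofed source means the sender is not reading replies.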