Subject: Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity
From: Bryan Andersen (bryan VISI.COM)
Date: Tue Mar 28 2000 - 16:06:39 CST
I too have seen this behavior. I block them at my firewall, but the
numbers have dramatically increased for port 137 scans that hit every
IP# in my micro net address range. Before Feb I'd see one a month at
most.
For the week of * I've seen:
Feb 27: 3
Mar 5: 5
Mar 12: 8
Mar 19: 4
Mar 26: 3 so far
I have a /30 net routed to me so I see traffic for 4 IP addresses.
IP# *.18 is my DSL router so I don't see messages to it. I know I
wasn't on the net last night at that time, and the address wasn't
accessing my web server either.
These log events from yesterday are typical of what I'd see:
Mar 27 22:00:25 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00
I=63748 F=0x0000 T=112
Mar 27 22:00:27 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00
I=5381 F=0x0000 T=112
Mar 27 22:00:28 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00
I=5637 F=0x0000 T=112
Mar 27 22:00:36 input PROTO=17 204.210.104.156:137 *.17:137 L=78 S=0x00
I=58373 F=0x0000 T=112
Mar 27 22:00:37 input PROTO=17 204.210.104.156:137 *.17:137 L=78 S=0x00
I=58629 F=0x0000 T=112
Mar 27 22:00:39 input PROTO=17 204.210.104.156:137 *.17:137 L=78 S=0x00
I=59141 F=0x0000 T=112
Mar 27 22:00:57 input PROTO=17 204.210.104.156:137 *.19:137 L=78 S=0x00
I=4360 F=0x0000 T=112
Mar 27 22:00:58 input PROTO=17 204.210.104.156:137 *.19:137 L=78 S=0x00
I=4616 F=0x0000 T=112
Mar 27 22:01:00 input PROTO=17 204.210.104.156:137 *.19:137 L=78 S=0x00
I=4872 F=0x0000 T=112
This is a set from two sites very nicely meshed (Are they
racing each other?):
Mar 23 18:39:48 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00
I=29440 F=0x0000 T=111
Mar 23 18:39:48 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00
I=29184 F=0x0000 T=111
Mar 23 18:39:50 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00
I=29696 F=0x0000 T=111
Mar 23 18:39:50 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00
I=29952 F=0x0000 T=111
Mar 23 18:39:51 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00
I=30464 F=0x0000 T=111
Mar 23 18:39:51 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00
I=30720 F=0x0000 T=111
Mar 23 18:39:59 input PROTO=17 200.200.200.1:137 *.17:137 L=78 S=0x00
I=32000 F=0x0000 T=113
Mar 23 18:39:59 input PROTO=17 207.194.22.39:137 *.17:137 L=78 S=0x00
I=32256 F=0x0000 T=111
Mar 23 18:40:01 input PROTO=17 200.200.200.1:137 *.17:137 L=78 S=0x00
I=32512 F=0x0000 T=113
Mar 23 18:40:01 input PROTO=17 207.194.22.39:137 *.17:137 L=78 S=0x00
I=32768 F=0x0000 T=111
Mar 23 18:40:02 input PROTO=17 200.200.200.1:137 *.17:137 L=78 S=0x00
I=33024 F=0x0000 T=113
Mar 23 18:40:02 input PROTO=17 207.194.22.39:137 *.17:137 L=78 S=0x00
I=33280 F=0x0000 T=111
Mar 23 18:40:23 input PROTO=17 200.200.200.1:137 *.19:137 L=78 S=0x00
I=38144 F=0x0000 T=111
Mar 23 18:40:23 input PROTO=17 207.194.22.39:137 *.19:137 L=78 S=0x00
I=38400 F=0x0000 T=111
Mar 23 18:40:25 input PROTO=17 200.200.200.1:137 *.19:137 L=78 S=0x00
I=38656 F=0x0000 T=111
Mar 23 18:40:25 input PROTO=17 207.194.22.39:137 *.19:137 L=78 S=0x00
I=38912 F=0x0000 T=111
Mar 23 18:40:26 input PROTO=17 200.200.200.1:137 *.19:137 L=78 S=0x00
I=39168 F=0x0000 T=111
Mar 23 18:40:26 input PROTO=17 207.194.22.39:137 *.19:137 L=78 S=0x00
I=39424 F=0x0000 T=111
--
| Bryan Andersen | bryanvisi.com | http://softail.visi.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
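
An added example, not part of Bryan Andersen's post: a Python script that parses the firewall log format shown in the message and flags any source that probes several destination addresses on UDP port 137 within a short window. The function names, the thresholds and the year 2000 (taken from the message date, since the log lines carry no year) are assumptions; the last sample line is constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# First five entries are from the post (mail wrap kept on the first); the last is constructed.
SAMPLE = """\
Mar 27 22:00:25 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00
I=63748 F=0x0000 T=112
Mar 27 22:00:27 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00 I=5381 F=0x0000 T=112
Mar 27 22:00:28 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00 I=5637 F=0x0000 T=112
Mar 27 22:00:36 input PROTO=17 204.210.104.156:137 *.17:137 L=78 S=0x00 I=58373 F=0x0000 T=112
Mar 27 22:00:57 input PROTO=17 204.210.104.156:137 *.19:137 L=78 S=0x00 I=4360 F=0x0000 T=112
Mar 27 23:10:02 input PROTO=17 192.0.2.7:1027 *.16:137 L=78 S=0x00 I=100 F=0x0000 T=50
"""

ENTRY = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d+ \d\d:\d\d:\d\d) \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):\d+ (?P<dst>\S+):(?P<dport>\d+) "
    r"L=\d+ S=\S+ I=\d+ F=\S+ T=\d+")

def parse(text, year=2000):
    """Yield one dict per entry; wrapped entries are rejoined, and the
    missing year is supplied by the caller (assumed 2000 here)."""
    flat = " ".join(text.split())          # undo the mail client's line wrap
    for m in ENTRY.finditer(flat):
        e = m.groupdict()
        e["time"] = datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S")
        yield e

def find_sweeps(entries, port=137, min_hosts=3, window_s=120):
    """Return {source: {destination: packets}} for sources sweeping >= min_hosts hosts."""
    by_src = defaultdict(list)
    for e in entries:
        if e["proto"] == "17" and e["dport"] == str(port):   # UDP to the watched port
            by_src[e["src"]].append(e)
    sweeps = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it spans at most window_s seconds.
            while (ev["time"] - evs[start]["time"]).total_seconds() > window_s:
                start += 1
            if len({w["dst"] for w in evs[start:end + 1]}) >= min_hosts:
                sweeps[src] = dict(Counter(w["dst"] for w in evs))
                break
    return sweeps

if __name__ == "__main__":
    print(find_sweeps(parse(SAMPLE)))
```

The per-destination packet counts in the result make the retry pattern visible, and a lone query such as the constructed last line stays below the threshold.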