From: Howard, Aaron (ahowardNOERRORS.COM)
Date: Thu Jan 11 2001 - 09:31:58 CST


    UDP 137 is NetBIOS name service.

    We get boatloads of scans on this port.
    Generally accepted as script kiddies
    looking for Wintel machines with
    file/print-sharing on for further
    exploitation.

    Although, it can often just be misconfigured
    Wintel machines trying to do NetBIOS name
    resolution.

    As far as the timing goes, it looks
    like this:

    ----------- first packet
    +6m 46.488s second packet
    +9m 36.176s third packet
    +6m 10.744s fourth packet
    +7m 54.144s fifth packet

    I'm not sure I see a pattern other than
    even packets come with less delay than
    odd packets. Still, it doesn't seem
    programmatic to me.

    When you say you spoke to a network OPS
    person "over at the company" you mean
    from the originator of this traffic?

    If so, and if they are cooperative, why
    not just get someone there to check the
    machine to see what's going on with it?

    Further packet logging would help pin
    down if there is a real pattern and
    actual packet captures with payload
    would help identify what the real purpose
    of the traffic is.

    For more info about port 137 scanning see:

    http://www.sans.org/newlook/resources/IDFAQ/port_137.htm

    and

    http://www.robertgraham.com/pubs/firewall-seen.html#10

    -Aaron
    ==
    Aaron Howard, CCNA, CNE, MCSE, RHCE
    The Computer Group, Inc.
    ahowardnoerrors.com
    pgp key on public key servers

    > -----Original Message-----
    > From: rlos [mailto:rlosENVESTNET.COM]
    > Sent: Wednesday, January 10, 2001 6:21 PM
    > To: INCIDENTS
    > Cc: rlos
    > Subject: Can anyone guess at this "scan"??
    > Importance: High
    >
    >
    > Hey all,
    >
    > Can someone maybe give me a clue where to dig on
    > finding out what
    > this type of "scan" is?...whether it's anything known?
    >
    > 01/09/2001 04:34:36.928 - UDP packet dropped -
    > Source:other.net.11.66, 928, WAN -
    > Destination:My.sub.net.162, 137, LAN
    > - -
    > 01/09/2001 04:41:23.416 - UDP packet dropped -
    > Source:other.net.11.66, 642, WAN -
    > Destination:My.sub.net.162, 137, LAN
    > - -
    > 01/09/2001 04:50:59.592 - UDP packet dropped -
    > Source:other.net.11.66, 949, WAN -
    > Destination:My.sub.net.162, 137, LAN
    > - -
    > 01/09/2001 04:57:10.336 - UDP packet dropped -
    > Source:other.net.11.66, 690, WAN -
    > Destination:My.sub.net.162, 137, LAN
    > - -
    > 01/09/2001 05:05:04.480 - UDP packet dropped -
    > Source:other.net.11.66, 872, WAN -
    > Destination:My.sub.net.162, 137, LAN
    > - -
    >
    >
    > The scans come at a seemingly timed interval, and after speaking
    > with one of the network OPS personnel over at the company, it
    > appears to be an unconfirmed version of *nix with some sort of
    > mail program running on it.
    > I've seen this scan pattern before and couldn't trace it down;
    > this time I'm hoping to be able to pinpoint the cause.
    >
    > Thanks in advance for the forensics support.
    >
    >
    > Ralph M. Los
    > Sr. Internet Systems & Security Admin. (312) 827-3945 (direct)
    > EnvestNet Advisory Corp. (312) 296-9003 (wireless)
    > rlosenvestnet.com
    >
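Aaron's reply works the inter-arrival times out by hand from the five firewall lines and then asks for more logging to see whether a real pattern exists. The script below is an added example (not part of either message) that does the same check on a constructed copy of those log lines: it parses the firewall's "UDP packet dropped" format, computes the gaps between hits on UDP 137 from one source, and reports how regular they are, so that a larger capture can be judged the same way. The log format is assumed to be exactly what Ralph posted.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: the five lines quoted in the original post, re-typed
# here as test input (the separator "- -" lines are included deliberately).
SAMPLE_LOG = """\
01/09/2001 04:34:36.928 - UDP packet dropped - Source:other.net.11.66, 928, WAN - Destination:My.sub.net.162, 137, LAN
- -
01/09/2001 04:41:23.416 - UDP packet dropped - Source:other.net.11.66, 642, WAN - Destination:My.sub.net.162, 137, LAN
- -
01/09/2001 04:50:59.592 - UDP packet dropped - Source:other.net.11.66, 949, WAN - Destination:My.sub.net.162, 137, LAN
- -
01/09/2001 04:57:10.336 - UDP packet dropped - Source:other.net.11.66, 690, WAN - Destination:My.sub.net.162, 137, LAN
- -
01/09/2001 05:05:04.480 - UDP packet dropped - Source:other.net.11.66, 872, WAN - Destination:My.sub.net.162, 137, LAN
"""

# Assumed line layout: "<ts> - <proto> packet dropped - Source:<host>, <port>, <if> - Destination:<host>, <port>, <if>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - (?P<proto>\w+) packet dropped - "
    r"Source:(?P<src>[^,]+), (?P<sport>\d+), \w+ - "
    r"Destination:(?P<dst>[^,]+), (?P<dport>\d+), \w+$"
)


def parse_log(text):
    """Return one dict per parsable firewall line; separator lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%m/%d/%Y %H:%M:%S.%f")
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        events.append(d)
    return events


def intervals(events, src, dport=137):
    """Seconds between consecutive hits from src on dport, in time order."""
    hits = sorted(e["ts"] for e in events if e["src"] == src and e["dport"] == dport)
    return [(b - a).total_seconds() for a, b in zip(hits, hits[1:])]


def regularity(gaps):
    """Coefficient of variation of the gaps: near 0 means a fixed timer, larger means jitter."""
    return None if len(gaps) < 2 else pstdev(gaps) / mean(gaps)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    gaps = intervals(ev, "other.net.11.66")
    print("gaps (s):", gaps, "cv:", round(regularity(gaps), 3))
```

On the posted lines this gives gaps of about 406, 576, 371 and 474 seconds with a coefficient of variation near 0.17, which matches Aaron's reading that the timing is roughly periodic but not a tight timer.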