OSEC

From: Anders Thulin (Anders.X.Thulin@TELIA.SE)
Date: Thu Jan 11 2001 - 02:32:53 CST


    "Los, Ralph" wrote:

    > Can someone maybe give me a clue where to dig on finding out what
    > this type of "scan" is?...whether it's anything known?

      It would be useful to know from what kind of system or software the log
    is coming.

      I suspect it takes someone who knows this product to interpret the logs
    accurately -- especially what those '-' mean, whether they are significant
    for the interpretation, and whether those really are port numbers.

    > 01/09/2001 04:34:36.928 - UDP packet dropped -
    > Source:other.net.11.66, 928, WAN - Destination:My.sub.net.162, 137, LAN
    > - -

      Thus, I can't say for certain that '137' is to be interpreted as a port number,
    even if it seems the most likely interpretation.

      Port 137 is a well-known port (Netbios name service), and has been the target for
    intrusion attempts, as indicated by several advisories. Here are some:

     * http://www.cert.org/incident_notes/IN-2000-02.html

     * http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm

         and in particular the part about port 137 scans available in:

       http://www.sans.org/newlook/resources/IDFAQ/port_137.htm

     * Searching the vulnerability database at www.securityfocus.com for '137'
       also gives a few ideas as to possible intentions.

      However, one would need a copy of the dropped packet to say for certain what
    is going on here.

      The source port (928?) might provide a certain lead, as legitimate connections
    to port 137 usually (? always) come from port 137.

    > The scans come at a seemingly timed interval, and after speaking
    > with one of the network OPS personnel over at the company, it appears to be
    > an unconfirmed version of *nix with some sort of mail program running on it.

      Don't they know for certain? In particular, can't they explain why
    this server wants to talk NetBIOS with your system, or if it even is expected
    to do so? :-)

      Hope you can convince them of the possibility that they have been hit.
    Reporting the problem to CERT can sometimes give added weight to your
    complaints.

    --
    Anders Thulin     Anders.X.Thulin@telia.se     040-10 50 63
    Telia ProSoft AB, Box 85, SE-201 20 Malmö, Sweden
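As an added illustration (not part of the original thread), the following script parses log lines in the layout quoted above, flags UDP drops aimed at port 137 whose source port is not 137 (the lead Anders mentions), and computes the gap between successive hits from each source to check the "timed interval" observation. The field layout, the reading of the numbers as ports and the two extra log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed field layout of the firewall log line quoted in the thread:
#   <date> <time> - <event> - Source:<addr>, <port>, <iface> - Destination:<addr>, <port>, <iface> - -
# The thread is not certain that the numbers are ports; this parser assumes they are.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - (?P<event>[^-]+?) - "
    r"Source:(?P<src>[^,]+), (?P<sport>\d+), (?P<sif>\w+) - "
    r"Destination:(?P<dst>[^,]+), (?P<dport>\d+), (?P<dif>\w+)"
)
NETBIOS_NS = 137  # NetBIOS name service, the destination port discussed in the thread

def parse_line(line):
    """Return a dict of fields, or None if the line does not match the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%m/%d/%Y %H:%M:%S.%f")
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def suspicious_netbios(events):
    """UDP drops to port 137 whose source port is not 137. Legitimate name-service
    traffic usually originates from 137, so other source ports are a lead to
    follow up, not proof of an intrusion attempt."""
    return [e for e in events if e["dport"] == NETBIOS_NS
            and e["sport"] != NETBIOS_NS and e["event"].startswith("UDP")]

def intervals_by_source(events):
    """Seconds between successive hits from each source address."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e["ts"])
    return {src: [round((b - a).total_seconds(), 3) for a, b in zip(ts, ts[1:])]
            for src, ts in by_src.items()}

# Constructed sample: the line from the thread plus two made-up follow-up lines.
SAMPLE_LOG = """\
01/09/2001 04:34:36.928 - UDP packet dropped - Source:other.net.11.66, 928, WAN - Destination:My.sub.net.162, 137, LAN - -
01/09/2001 05:34:36.930 - UDP packet dropped - Source:other.net.11.66, 929, WAN - Destination:My.sub.net.162, 137, LAN - -
01/09/2001 05:40:00.000 - UDP packet dropped - Source:peer.net.5.5, 137, WAN - Destination:My.sub.net.162, 137, LAN - -
"""

def analyse(log_text):
    """Parse every matching line and return (events, flagged events, per-source intervals)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return events, suspicious_netbios(events), intervals_by_source(events)
```

On the constructed sample, `analyse(SAMPLE_LOG)` flags the two hits from other.net.11.66 (source ports 928 and 929) an hour apart and leaves the 137-to-137 packet from peer.net.5.5 unflagged.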