 
From: Los, Ralph (rlosENVESTNET.COM)
Date: Thu Jan 11 2001 - 09:37:54 CST


    Thanks all,
            In reply to some of the questions:

            The logging utility here, unfortunately, is a SonicWall Pro. The
    destination network (one of mine) is completely isolated from the one that
    is the source - meaning, there should ordinarily be NO traffic from them to
    us of this nature. Also, the machine on the other end has been reported by
    them to be a *NIX box...mine is, yes, a firewall hiding a completely MS
    network.

            I wish I could get packet dumps for you, but I don't have that
    facility, and as I'm relatively new to this type of task, I don't even have
    a facility set up to do such a task...learning quickly.

            Maybe this'll help someone track this down...the other end has been
    relatively slow in responding, but they swore they would investigate. I
    will post again should I hear any more news from their security team. In
    the meantime, ...is there a tool out there that is known to run from a *NIX
    box that would be doing NetBIOS scans like the one seen below in my post?

    Thanks everyone...

    Ralph M. Los
    Sr. Internet Systems & Security Admin. (312) 827-3945 (direct)
    EnvestNet Advisory Corp. (312) 296-9003 (wireless)
    rlosenvestnet.com

    -----Original Message-----
    From: Jigal Weinberg [mailto:jigalcistron.nl]
    Sent: Thursday, January 11, 2001 6:00 AM
    To: Los, Ralph
    Cc: INCIDENTSSECURITYFOCUS.COM
    Subject: Re: Can anyone guess at this "scan"??

    On Wed, 10 Jan 2001, Los, Ralph wrote:

    >
    > 01/09/2001 04:34:36.928 - UDP packet dropped -
    > Source:other.net.11.66, 928, WAN - Destination:My.sub.net.162, 137, LAN
    > - -
    > 01/09/2001 04:41:23.416 - UDP packet dropped -
    > Source:other.net.11.66, 642, WAN - Destination:My.sub.net.162, 137, LAN
    > - -
    > 01/09/2001 04:50:59.592 - UDP packet dropped -
    > Source:other.net.11.66, 949, WAN - Destination:My.sub.net.162, 137, LAN
    > - -
    > 01/09/2001 04:57:10.336 - UDP packet dropped -
    > Source:other.net.11.66, 690, WAN - Destination:My.sub.net.162, 137, LAN
    > - -
    > 01/09/2001 05:05:04.480 - UDP packet dropped -
    > Source:other.net.11.66, 872, WAN - Destination:My.sub.net.162, 137, LAN
    > - -

    Have you checked the traffic from destination to source?
    Maybe it could be something Samba.
    netbios-ns 137/udp
    Maybe something with Windows Domain controller stuff.
    Periodic announcing of its NetBIOS name.

    hope it helps

    Greets

    J . Weinberg

    --
    Mr. Orange:
    	Motherfucker, I don't even know what 10 dollars worth looks like.
    	- <Reservoir Dogs>