From: Brett Procter (Brett.Procter_at_bigpond.com)
Date: Mon Sep 30 2002 - 07:05:28 CDT


      Hmm,

        Internode ADSL (Adelaide Aust)

      15 hits yesterday, 38 so far today (22:04 GMT+10), 1 from local
    network yesterday, 5 today.

      Brett Procter
      Config Systems Pty Ltd

    > -----Original Message-----
    > From: Mark Forsyth [mailto:forsythmoptushome.com.au]
    > Sent: Monday, 30 September 2002 6:33 PM
    > To: incidentssecurityfocus.com
    > Subject: RE: Unusual volume: UDP:137 probes
    >
    >
    > On Monday, September 30, 2002 9:02 AM, John Sage
    > [SMTP:jsagefinchhaven.com] wrote:
    > > This has received some mention on the UNISOG list and elsewhere, but
    > > not here.
    > >
    > > Some people have been seeing unusually high volumes of UDP:137
    > > probes since about 09/27/02 late, or early 09/28/02.
    >
    > A few people (who log such things) on the Optus cable network in
    > Australia have been seeing it too.
    > In my case since Sep 20 it's gone ...
    > Sep 20 2 hits
    > Sep 21, 22, 23 0 hits
    > Sep 24 3 hits
    > Sep 25 0 hits
    > Sep 26 4 hits
    > Sep 27 2 hits
    > Sep 28 156 hits Starting at 02:20 (Aust. EST)
    > Sep 29 410 hits
    > Sep 30 406 hits up until 18:24
    >
    >
    > >
    > > Funny facts: almost no duplication of source IP address, unless the
    > > source IP is very close to your own.
    >
    > Same here.
    >
    > >
    > > Packet contents seem to be "normal".
    >
    > Yep. Look normal here too.
    >
    > >
    > > ACID summaries for my dialup into AT&T's Seattle WA POP follow.
    > >
    > > One list is sorted by date-time, the other's sorted by source IP --
    > > the list sorted by source IP suggests that I'm being probed several
    > > times by IPs in my 12.82.x.x neighborhood, and almost never more
    > > than once by IPs from other netblocks.
    >
    > Almost no duplicates here either. An interesting thing is that there
    > are almost no addresses in my logs that are in .au land.
    > It'd be interesting if someone on a well connected network would
    > configure up a Win95 box as a honeypot and see what happens. For me to
    > do it would probably be a waste of time as Optus blocks most NetBIOS
    > ports. They just omitted to block 137 UDP for some reason.
    >
    > Ooroo
    > Mark Forsyth
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    

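The tallies the posters compare (hits per day, and whether repeat sources sit in your own netblock) can be computed from a firewall log; the following is an added example, not part of the original messages. The log line format, the sample lines (documentation address ranges) and the 192.0.2.0/24 "home" netblock are constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network
from statistics import mean

# Constructed sample log, format: "<date> <src_ip> <dport>/<proto>"
SAMPLE_LOG = """\
2002-09-26 198.51.100.10 137/udp
2002-09-26 203.0.113.5 137/udp
2002-09-27 198.51.100.11 137/udp
2002-09-27 203.0.113.6 80/tcp
2002-09-28 198.51.100.12 137/udp
2002-09-28 203.0.113.7 137/udp
2002-09-28 192.0.2.77 137/udp
2002-09-28 192.0.2.77 137/udp
2002-09-28 192.0.2.78 137/udp
2002-09-28 192.0.2.77 137/udp
"""

def summarize_probes(log_text, home_net, service="137/udp", spike_factor=3.0):
    """Tally probes to one service per day and per source address."""
    home = ip_network(home_net)
    per_day, per_src = Counter(), Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[2] != service:
            continue  # skip malformed lines and other services
        try:
            addr = ip_address(fields[1])
        except ValueError:
            continue  # skip lines with an unparseable source address
        per_day[fields[0]] += 1
        per_src[addr] += 1
    # A day is a spike when it exceeds spike_factor times the mean of all
    # earlier logged days (days with zero hits are absent from the baseline).
    days = sorted(per_day)
    spikes = [d for i, d in enumerate(days)
              if i and per_day[d] > spike_factor * mean(per_day[p] for p in days[:i])]
    repeats = [a for a, n in per_src.items() if n > 1]
    return {
        "per_day": dict(per_day),
        "spike_days": spikes,
        "unique_sources": len(per_src),
        "repeat_local": sorted(str(a) for a in repeats if a in home),
        "repeat_remote": sorted(str(a) for a in repeats if a not in home),
    }
```

Repeat sources that cluster in `repeat_local` while `repeat_remote` stays empty match the pattern described in the thread.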