OSEC

From: Bamm (Robert) Visscher (rvisscher_at_saball.com)
Date: Mon Sep 30 2002 - 15:45:19 CDT


    FYI:

    Over the weekend we noticed a significant increase in scanning for port
    137 (UDP). These scans are distributed across the network and each
    packet looks the same. I have posted a packet capture and some scan data
    below.

    Here are the numbers I am seeing for port 137 scans:
    24 Sep -> 0
    25 Sep -> 0
    26 Sep -> 0
    27 Sep -> 137
    28 Sep -> 1744
    29 Sep -> 3152
    30 Sep -> 4029 w/six hours left (GMT)

    Most of the src IPs belong to ISPs (cable/dsl/dialup providers) all over the
    world. This example is from an .edu (basically one big ISP ;) ). Any
    insight into whether the activity is malicious (recently released
    exploit/scanner/worm/etc) or broken code from our favorite monopoly is
    appreciated. The packet appears to be a standard nbname query except the
    broadcast bit is set and the src port != 137.

    Bammkkkk

    0x0000: 00 A0 8E 40 62 5A 00 30 A3 10 C8 01 08 00 45 00  ...@bZ.0......E.
    0x0010: 00 4E 95 BD 00 00 74 11 99 07 80 F8 3B 6F A2 12  .N....t.....;o..
    0x0020: B9 60 04 02 00 89 00 3A A3 CB 01 00 00 10 00 01  .`.....:........
    0x0030: 00 00 00 00 00 00 20 43 4B 41 41 41 41 41 41 41  ...... CKAAAAAAA
    0x0040: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    0x0050: 41 41 41 41 41 41 41 00 00 21 00 01              AAAAAAA..!..

    2002-09-30 18:24:01+00 | 128.248.59.111 | 1026 | 162.18.185.255 | 137 | 17 | UDP
    2002-09-30 18:24:01+00 | 128.248.59.111 | 1026 | 162.18.185.253 | 137 | 17 | UDP
    2002-09-30 18:23:59+00 | 128.248.59.111 | 1026 | 162.18.185.245 | 137 | 17 | UDP
    2002-09-30 18:23:59+00 | 128.248.59.111 | 1026 | 162.18.185.243 | 137 | 17 | UDP
    2002-09-30 18:23:59+00 | 128.248.59.111 | 1026 | 162.18.185.240 | 137 | 17 | UDP
    2002-09-30 18:23:58+00 | 128.248.59.111 | 1026 | 162.18.185.237 | 137 | 17 | UDP
    2002-09-30 18:23:58+00 | 128.248.59.111 | 1026 | 162.18.185.236 | 137 | 17 | UDP
    2002-09-30 18:23:58+00 | 128.248.59.111 | 1026 | 162.18.185.234 | 137 | 17 | UDP
    2002-09-30 18:23:57+00 | 128.248.59.111 | 1026 | 162.18.185.232 | 137 | 17 | UDP
    2002-09-30 18:23:57+00 | 128.248.59.111 | 1026 | 162.18.185.227 | 137 | 17 | UDP
    2002-09-30 18:23:56+00 | 128.248.59.111 | 1026 | 162.18.185.225 | 137 | 17 | UDP
    2002-09-30 18:23:56+00 | 128.248.59.111 | 1026 | 162.18.185.223 | 137 | 17 | UDP
    2002-09-30 18:23:56+00 | 128.248.59.111 | 1026 | 162.18.185.221 | 137 | 17 | UDP
    2002-09-30 18:23:56+00 | 128.248.59.111 | 1026 | 162.18.185.220 | 137 | 17 | UDP
    2002-09-30 18:23:55+00 | 128.248.59.111 | 1026 | 162.18.185.218 | 137 | 17 | UDP
    2002-09-30 18:23:55+00 | 128.248.59.111 | 1026 | 162.18.185.215 | 137 | 17 | UDP
    2002-09-30 18:23:55+00 | 128.248.59.111 | 1026 | 162.18.185.213 | 137 | 17 | UDP
    2002-09-30 18:23:54+00 | 128.248.59.111 | 1026 | 162.18.185.211 | 137 | 17 | UDP
    2002-09-30 18:23:53+00 | 128.248.59.111 | 1026 | 162.18.185.206 | 137 | 17 | UDP
    2002-09-30 18:23:53+00 | 128.248.59.111 | 1026 | 162.18.185.203 | 137 | 17 | UDP
    2002-09-30 18:23:53+00 | 128.248.59.111 | 1026 | 162.18.185.202 | 137 | 17 | UDP
    2002-09-30 18:23:53+00 | 128.248.59.111 | 1026 | 162.18.185.200 | 137 | 17 | UDP
    2002-09-30 18:23:52+00 | 128.248.59.111 | 1026 | 162.18.185.199 | 137 | 17 | UDP
    2002-09-30 18:23:52+00 | 128.248.59.111 | 1026 | 162.18.185.198 | 137 | 17 | UDP
    2002-09-30 18:23:52+00 | 128.248.59.111 | 1026 | 162.18.185.195 | 137 | 17 | UDP
    2002-09-30 18:23:51+00 | 128.248.59.111 | 1026 | 162.18.185.192 | 137 | 17 | UDP
    2002-09-30 18:23:51+00 | 128.248.59.111 | 1026 | 162.18.185.189 | 137 | 17 | UDP
    2002-09-30 18:23:51+00 | 128.248.59.111 | 1026 | 162.18.185.188 | 137 | 17 | UDP
    2002-09-30 18:23:50+00 | 128.248.59.111 | 1026 | 162.18.185.181 | 137 | 17 | UDP
    2002-09-30 18:23:50+00 | 128.248.59.111 | 1026 | 162.18.185.180 | 137 | 17 | UDP
    <snip>

    -- 
    Bamm (Robert) Visscher
    Network Security Engineer
    Ball Corp.
    http://www.ball.com
    rvisscher@saball.com
    

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQA9mLfeQWwJFVk8gsQRAp/PAJsEjMFO8YT7PNa9e2h4agxqXHgsqQCdF5rJ
    l0J2kqUUNnC0vOFjWOtbgJo=
    =Y9gV
    -----END PGP SIGNATURE-----
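The decoder below is an added example, not part of the original post: it takes the 92-byte hex dump above, walks Ethernet II / IPv4 / UDP / NBNS, first-level-decodes the 32-letter NetBIOS name and reports the same two oddities the poster noticed (broadcast bit set on a unicast packet, source port other than 137), plus what the question actually asks for. The only assumptions are the layout just named (IPv4 without options, UDP, a single question) and the crude ".255 means subnet broadcast" heuristic used in place of real subnet knowledge; everything else is read from the bytes.

```python
"""Parse the udp/137 (NetBIOS Name Service) query from the post and flag
what is unusual about it. Standard library only."""
import struct
from typing import Any, Dict, Tuple

# The packet from the post, Ethernet frame onward (92 bytes).
PACKET_HEX = (
    "00A08E40625A0030A310C80108004500"
    "004E95BD00007411990780F83B6FA212"
    "B96004020089003AA3CB010000100001"
    "00000000000020434B41414141414141"
    + "41" * 16 +
    "414141414141410000210001"
)
PACKET = bytes.fromhex(PACKET_HEX)

NBNS_PORT = 137
NBNS_FLAG_RESPONSE = 0x8000    # R bit: set on answers, clear on queries
NBNS_FLAG_BROADCAST = 0x0010   # B bit: "this is a broadcast query"
QTYPE_NBSTAT = 0x0021          # node status request (the nbtstat -A query)


def decode_netbios_name(encoded: str) -> Tuple[str, int]:
    """First-level decoding (RFC 1001 s.14.1): every nibble of the 16-byte
    name is sent as the letter 'A' + nibble, so 32 letters A..P become
    15 name bytes plus a one-byte suffix. 'CK' + 30 x 'A' decodes to '*'."""
    if len(encoded) != 32 or any(c < "A" or c > "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    name = raw[:15].rstrip(b" \x00").decode("ascii", "replace")
    return name, raw[15]


def parse_nbns_frame(frame: bytes) -> Dict[str, Any]:
    """Ethernet II / IPv4 (no options assumed) / UDP / NBNS question."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 17:
        raise ValueError("not IPv4/UDP")
    ihl = (ip[0] & 0x0F) * 4
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    if dport != NBNS_PORT:
        raise ValueError("not destined to udp/137")
    nbns = udp[8:ulen]
    txid, flags, qdcount = struct.unpack("!HHH", nbns[:6])
    if flags & NBNS_FLAG_RESPONSE or qdcount != 1:
        raise ValueError("not a single-question NBNS query")
    # Question section: one length-prefixed label, 0x00 terminator, QTYPE, QCLASS.
    q = nbns[12:]
    label_len = q[0]
    label = q[1:1 + label_len].decode("ascii")
    qtype, qclass = struct.unpack("!HH", q[label_len + 2:label_len + 6])
    name, suffix = decode_netbios_name(label)
    return {
        "src": src_ip, "sport": sport, "dst": dst_ip, "dport": dport,
        "ttl": ip[8], "txid": txid, "flags": flags, "name": name,
        "suffix": suffix, "qtype": qtype, "qclass": qclass,
        "broadcast_flag": bool(flags & NBNS_FLAG_BROADCAST),
        # Heuristic stand-in for real subnet knowledge (assumption).
        "dst_is_broadcast": dst_ip.endswith(".255"),
    }


def triage(frame: bytes) -> Dict[str, Any]:
    """The poster's two observations plus what the query is asking for."""
    p = parse_nbns_frame(frame)
    findings = []
    if p["broadcast_flag"] and not p["dst_is_broadcast"]:
        findings.append("broadcast flag set on a unicast query")
    if p["sport"] != NBNS_PORT:
        findings.append("source port is not 137 (not a normal NBNS resolver)")
    if p["qtype"] == QTYPE_NBSTAT and p["name"] == "*":
        findings.append("wildcard node-status query (nbtstat -A style)")
    p["findings"] = findings
    return p


if __name__ == "__main__":
    result = triage(PACKET)
    print(f"{result['src']}:{result['sport']} -> {result['dst']}:{result['dport']}"
          f" ttl={result['ttl']} flags=0x{result['flags']:04x}"
          f" name={result['name']!r} qtype=0x{result['qtype']:02x}")
    for f in result["findings"]:
        print(" -", f)
```

The decoded name is the wildcard "*" with type 0x21 (NBSTAT), i.e. a node-status request, which explains why every packet in the scan looks identical: the question does not depend on the target. For detection, the same three checks apply directly to a packet feed; the ".255" heuristic should be replaced by the monitored networks' actual broadcast addresses before relying on the first finding.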