Re: many attempts to Port 137 (NetBIOS-NameService)

["Philip J. Koenig" <pjklist () ekahuna com>]

On 18 Feb 00, at 18:34, Chuck O'Donnell boldly uttered: 

> On Wed, Feb 16, 2000 at 05:29:16PM -0800, Bill Pennington wrote:
> > My guess would be that this are harmless packets getting set to you by
> > IIS servers and other NT based web reporting tools. Normally them come
> > in groups of 3. IIS and other tools attempt to collect additional info
> > from you when you access an IIS site. They do this via Netbios.
> >
> > However I am seeing hundreds on UDP/137 attempts from a single IP
> > address in a very short period of time. I can't figure out why someone
> > would want to do that since I am silently dropping them at the firewall.
> > Must be some new toy the script kiddies have these days.
> >
> > Hope that helps! If anyone has a clue on the UDP/137 flood let me know.
>
> I see the random ones all the time from different IPs, which I agree
> are normal. The destination address is usually a web server on our
> network.
>
> But I do occasionally (couple times a week or so) see a flood of
> packets to port 137, and running the length of one of our class C's as
> the destination address. It would seem like a bulk scan for open
> NetBIOS services.
>
> Chuck


There is this stupid entity that sweeps through the whole
net looking for open NetBIOS/SMB hosts, among other things.
A colleague noticed a bunch of scans sweeping over one of 
his networks back in June, looked up the IP's, and discovered 
it's related to MP3 and/or other multimedia trading and 
was supposed to be a "service" for people trying to find 
where they could get such files.

Here's their reply to the complaint.  These turkeys may be 
your culprit:


> > > Date sent:         aaa, xx Jun 1999 xx:45:09 -0700 (PDT)
> > > From:              Vince Busam <vince () scour net>
> > > To:                deleted () deleted TLD
> > > Copies to:         abuse () scour net
> > > Subject:           Re: Apparent attack from your domain
> > >
> > > Hello,
> > >
> > > What you noticed was our crawler connecting to your SMB (Windows)
> > > shares.  I have taken steps to ensure it does no attempt to connect
> > > to you again.
> > >
> > > Scour.Net is a multimedia search engine that indexes files from three
> > > protocols -- HTTP, FTP, and SMB. The connection you saw was one of
> > > the SMB crawlers. If you do not have any SMB shares, the crawler will
> > > disconnect. If you do have public shares, it will index multimedia
> > > files located there.
> > >
> > > If you have any further questions, please do not hesitate to contact
> > > me.
> > >
> > > Sincerely,
> > > Vince Busam
> > >
> > > -----------------------------------
> > > Vince Busam
> > > Chief Network Guru, Scour, Inc.
> > > vince () scour net



Nothing like the old "opt out" game:


> Remove Host 
>
> If you wish for your computer to no longer be a part of Scour.Net you
> may remove yourself from our search. There is a link at the bottom of
> this paragraph to do this, but first a couple notes. Please only remove
> yourself if you really do not want to be part of Scour. Once you remove
> yourself it usually takes a day or two before your site is completely
> removed from Scour.Net. This is because of the time it takes to rebuild
> and refresh a database. Additionally, our scanners follow the
> Internet-standard robots.txt robot exclusion standard. Simply place a
> robots.txt file in the root directory of a share or web server, and our
> crawlers will follow the instructions therein. You can put yourself back
> into the database without contacting us, so go ahead and knock yourself
> out by clicking on the add/remove links all day! 


> From the www.scour.net press release page, notice the bigshot:


> LOS ANGELES - June 10, 1999 - Michael Ovitz and Richard Wolpert,
> partner in charge of Internet and technology ventures for The Yucaipa
> Companies, continue to expand their Internet and entertainment
> investment portfolio with the news today that they have acquired a
> controlling interest in Scour.Net, the Web's leading search and digital
> media guide for audio, video and images on the Net. The announcement
> further confirms Michael Ovitz and Richard Wolpert's commitment to the
> Internet and helps expand Scour.Net's rapidly growing broadband
> entertainment offerings. 





Phil