Security Incidents mailing list archives
regularly 137 and 524 port scan
From: meteor () KISA OR KR (Cho Yongsang)
Date: Fri, 28 Apr 2000 11:03:52 +0900
Hello. I've got the following log message on my firewall log server. The log says that the attacker attempts to probe the 524/tcp and 137/udp ports regularly and simultaneously. I know that 137/udp is netbios, and 524/tcp is NCP, but is there any relation between these two ports? Or is there any scanning tool which is concerned with ports 137 and 524?

Apr 28 04:01:55 denied udp 204.184.172.120(137) -> *.*.*.1(137), 2 packets
Apr 28 04:02:34 denied tcp 204.184.172.120(4691) -> *.*.*.2(524), 2 packets
Apr 28 04:02:54 denied tcp 204.184.172.120(4695) -> *.*.*.3(524), 2 packets
Apr 28 04:03:25 denied tcp 204.184.172.120(4699) -> *.*.*.3(524), 2 packets
Apr 28 04:04:06 denied tcp 204.184.172.120(4705) -> *.*.*.4(524), 2 packets
Apr 28 04:04:48 denied tcp 204.184.172.120(4711) -> *.*.*.5(524), 2 packets
Apr 28 04:05:29 denied tcp 204.184.172.120(4718) -> *.*.*.6(524), 2 packets
Apr 28 04:06:10 denied tcp 204.184.172.120(4724) -> *.*.*.7(524), 2 packets
Apr 28 04:06:44 denied udp 204.184.172.120(137) -> *.*.*.8(137), 2 packets
Apr 28 04:06:51 denied tcp 204.184.172.120(4730) -> *.*.*.8(524), 2 packets
Apr 28 04:07:26 denied udp 204.184.172.120(137) -> *.*.*.9(137), 2 packets
Apr 28 04:08:04 denied tcp 204.184.172.120(4742) -> *.*.*.10(524), 2 packets
Apr 28 04:08:07 denied udp 204.184.172.120(137) -> *.*.*.10(137), 2 packets
Apr 28 04:08:48 denied udp 204.184.172.120(137) -> *.*.*.11(137), 2 packets
Apr 28 04:08:55 denied tcp 204.184.172.120(4755) -> *.*.*.12(524), 2 packets
Apr 28 04:09:05 denied udp 204.184.172.120(137) -> *.*.*.12(137), 2 packets
Apr 28 04:09:16 denied tcp 204.184.172.120(4756) -> *.*.*.12(524), 2 packets
Apr 28 04:09:36 denied tcp 204.184.172.120(4761) -> *.*.*.13(524), 2 packets
Apr 28 04:09:47 denied udp 204.184.172.120(137) -> *.*.*.13(137), 2 packets
Apr 28 04:10:18 denied tcp 204.184.172.120(4767) -> *.*.*.14(524), 2 packets
Apr 28 04:10:28 denied udp 204.184.172.120(137) -> *.*.*.14(137), 2 packets
....................................................
....................................................

--
Cho YongSang, Security Incident Coordinator of CERTCC-KR/KISA
Korea CERT* Coordination Center/Korea Information Security Agency
[E-mail] meteor () kisa or kr, meteor () certcc or kr
[Fax]+82-2-3488-4129 [Phone]+82-2-3488-4127
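An added example, not part of the original post: a small Python summary of denied-packet lines in the format quoted above, reporting per source which services were probed, which hosts were probed on more than one service, whether the sweep walks the address range in order, and how it is paced. The names `SAMPLE`, `parse`, `sweep_report` and `last_octet` are hypothetical; the code assumes a single day of log and destinations inside one /24, as in the masked log.

```python
import re
from collections import defaultdict

# Seven consecutive entries copied from the log in the post (destinations masked there).
SAMPLE = """\
Apr 28 04:05:29 denied tcp 204.184.172.120(4718) -> *.*.*.6(524), 2 packets
Apr 28 04:06:10 denied tcp 204.184.172.120(4724) -> *.*.*.7(524), 2 packets
Apr 28 04:06:44 denied udp 204.184.172.120(137) -> *.*.*.8(137), 2 packets
Apr 28 04:06:51 denied tcp 204.184.172.120(4730) -> *.*.*.8(524), 2 packets
Apr 28 04:07:26 denied udp 204.184.172.120(137) -> *.*.*.9(137), 2 packets
Apr 28 04:08:04 denied tcp 204.184.172.120(4742) -> *.*.*.10(524), 2 packets
Apr 28 04:08:07 denied udp 204.184.172.120(137) -> *.*.*.10(137), 2 packets
"""

LINE = re.compile(r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d) denied (tcp|udp) "
                  r"(\S+?)\(\d+\) -> (\S+?)\((\d+)\), \d+ packets$")

def last_octet(addr):
    return int(addr.rsplit(".", 1)[1])

def parse(text):
    """Yield (seconds_since_midnight, src, dst, 'dport/proto') for each denied line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # elision rows and lines in other formats are skipped
            h, mi, s, proto, src, dst, dport = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + int(s), src, dst, f"{dport}/{proto}"

def sweep_report(text):
    """Per source: services, multi-service hosts, sweep order, pacing (one day, one /24 assumed)."""
    by_src = defaultdict(list)
    for ev in parse(text):
        by_src[ev[1]].append(ev)
    report = {}
    for src, evs in by_src.items():
        evs.sort()  # chronological order
        svcs = defaultdict(set)
        for _, _, dst, svc in evs:
            svcs[dst].add(svc)
        octets = [last_octet(dst) for _, _, dst, _ in evs]
        gaps = [b[0] - a[0] for a, b in zip(evs, evs[1:])]
        report[src] = {
            "services": sorted({svc for _, _, _, svc in evs}),
            "hosts": len(svcs),
            "multi_service_hosts": sorted((d for d in svcs if len(svcs[d]) > 1), key=last_octet),
            "sequential": octets == sorted(octets),
            "mean_gap_s": round(sum(gaps) / len(gaps), 1) if gaps else None,
        }
    return report
```

Calling `sweep_report(SAMPLE)` returns one entry per source address; a source that probes the same small set of services across ascending addresses at a steady pace is the pattern the post describes.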