Security Incidents mailing list archives
Re: Netbios name scans
From: Adrian Brinton <abrinton () ESURANCE COM>
Date: Mon, 18 Dec 2000 18:48:45 -0800
Yes, it's a trojan, vbs worm I think. Each one of those IPs will have a world-writable share. Check out net view \\IP from any windows box and see what's available... there's usually a file called network.vbs in the root of c.

-----Original Message-----
From: Andy Duncan [mailto:andyduncan () MOTIVES CO UK]
Sent: Monday, December 18, 2000 6:48 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Netbios name scans

Does anyone know what would cause this pattern of Netbios name scans:

Dec 18 12:52:02 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 64.69.177.104:137 a.b.c.d:137 L=78 S=0x00 I=1869 F=0x0000 T=119 (#21)
Dec 18 12:52:03 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 64.69.177.75:137 a.b.c.d:137 L=78 S=0x00 I=2125 F=0x0000 T=119 (#21)
Dec 18 12:52:03 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 10.253.68.34:137 a.b.c.d:137 L=78 S=0x00 I=2381 F=0x0000 T=119 (#21)
Dec 18 12:52:04 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 10.253.68.34:137 a.b.c.d:137 L=78 S=0x00 I=56653 F=0x0000 T=119 (#21)
Dec 18 12:52:04 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 64.69.177.104:137 a.b.c.d:137 L=78 S=0x00 I=57165 F=0x0000 T=119 (#21)
Dec 18 12:52:04 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 64.69.177.75:137 a.b.c.d:137 L=78 S=0x00 I=56909 F=0x0000 T=119 (#21)
Dec 18 12:52:05 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 64.69.177.104:137 a.b.c.d:137 L=78 S=0x00 I=35150 F=0x0000 T=119 (#21)
Dec 18 12:52:05 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 64.69.177.75:137 a.b.c.d:137 L=78 S=0x00 I=35406 F=0x0000 T=119 (#21)
Dec 18 12:52:05 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 10.253.68.34:137 a.b.c.d:137 L=78 S=0x00 I=35662 F=0x0000 T=119 (#21)

This same pattern has occurred four times over the last few days. I'm guessing this is some automated scanning tool or a vbs worm, but I haven't seen one that spoofs on 10.x.x.x addresses.

Andy
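
Added example, not part of either message in this thread: a small Python triage script for firewall lines in the format quoted above. It groups denied UDP/137 probes by source address and flags sources in private address space arriving on the external interface. The function names and the `external_iface` parameter are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Layout of an ipchains "Packet log" line, as it appears in the quoted excerpt:
# chain ACTION iface PROTO=n src:sport dst:dport L=len S=tos I=id F=frag T=ttl (#rule)
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+) L=(?P<length>\d+) S=\S+ "
    r"I=(?P<ipid>\d+) F=\S+ T=(?P<ttl>\d+)"
)

def parse(line):
    """Return the fields of one ipchains log line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    return rec

def nbns_probes_by_source(lines, external_iface="ppp0"):
    """Group UDP/137 probes seen on the external interface by source address."""
    report = defaultdict(lambda: {"count": 0, "ttls": set(), "private_src": False})
    for line in lines:
        rec = parse(line)
        if (not rec or rec["iface"] != external_iface
                or (rec["proto"], rec["dport"]) != (17, 137)):
            continue
        entry = report[rec["src"]]
        entry["count"] += 1
        entry["ttls"].add(rec["ttl"])
        # is_private covers RFC 1918 and other non-global ranges. Such a source is not
        # routable on the Internet: it is spoofed or comes from inside the upstream network.
        entry["private_src"] = ipaddress.ip_address(rec["src"]).is_private
    return dict(report)

# First four log lines from the excerpt in the post (destination redacted there as a.b.c.d).
SAMPLE = """\
Dec 18 12:52:02 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 64.69.177.104:137 a.b.c.d:137 L=78 S=0x00 I=1869 F=0x0000 T=119 (#21)
Dec 18 12:52:03 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 64.69.177.75:137 a.b.c.d:137 L=78 S=0x00 I=2125 F=0x0000 T=119 (#21)
Dec 18 12:52:03 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 10.253.68.34:137 a.b.c.d:137 L=78 S=0x00 I=2381 F=0x0000 T=119 (#21)
Dec 18 12:52:04 gw kernel: Packet log: ext-in DENY ppp0 PROTO=17 10.253.68.34:137 a.b.c.d:137 L=78 S=0x00 I=56653 F=0x0000 T=119 (#21)
""".splitlines()

if __name__ == "__main__":
    for src, info in sorted(nbns_probes_by_source(SAMPLE).items()):
        print(src, info)
```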