Security Incidents mailing list archives

Re: Possible attempt at hacking?


From: brendan () AUSTCO COM AU (Brendan Grieve)
Date: Fri, 28 Jan 2000 10:05:23 +0800


I used to get this all the time, ESPECIALLY on my Small Business NT boxes,
and from specific clients. Frame type was correct, and it drove me nuts...

Eventually I just replaced the Network Cards in those, and it disappeared
(And found out the cards that were in those machines were extremely cheap
and nasty ones).

Cheers...
Brendan Grieve, Administrator

- I hear if you play the NT CD backwards, you can hear satanic messages?
- That's NOTHING. If you play it forwards, it installs NT 4.0.

----- Original Message -----
From: Geir A. Bjune <geir () MAIL WSU EDU>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, January 26, 2000 1:51 PM
Subject: Possible attempt at hacking?

I'm not 100% sure what the following is, but I keep getting illegal
datagrams from certain machines through NT's Rdr service (smb I assume)

The following message shows up in the message log:

The browser has received an illegal datagram from the remote computer
<remote> to name <mymachinename> on transport Nwlnk.  The data is the datagram

Data is as follows:

0000: 00 00 3e 00 04 00 86 00   ..>...?.
0008: 00 00 00 00 46 1f 00 80   ....F..?
0010: 00 00 00 00 d0 00 00 c0   ....Ð..À
0018: 04 00 00 00 00 00 00 00   ........
0020: 00 00 00 00 00 00 00 00   ........
0028: ff 00 b1 53 4d 42 25 00   ÿ.±SMB%.
0030: 00 00 00 00 00 00 00 00   ........
0038: 00 00 00 00 00 00 00 00   ........
0040: 00 00 00 00 00 00 00 00   ........
0048: 00 00 11 00 00 2f 00 00   ...../..
0050: 00 00 00 00 00 00 00 00   ........
0058: 00 00 00 00 00 00 00 00   ........
0060: 00 2f 00 56 00 03         ./.V..

I would very much like to know if this is someone trying to break down my
NT 4.0 machine (Windows NT 4.0 workstation, SP 6a).

Any information appreciated.

Thanks,
Geir
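
Added example, not part of either message: Python that rebuilds the raw bytes from an event-log dump in the format quoted above and reports where the `SMB` marker sits, so the same event from different clients can be compared field by field. The function names are hypothetical; the input is the dump from the post, and the command name for 0x25 comes from the SMB1 command table rather than from the thread.

```python
import re

# Event-log data copied from the post above (hex column plus ASCII column).
DUMP = """\
0000: 00 00 3e 00 04 00 86 00   ..>...?.
0008: 00 00 00 00 46 1f 00 80   ....F..?
0010: 00 00 00 00 d0 00 00 c0   ....Ð..À
0018: 04 00 00 00 00 00 00 00   ........
0020: 00 00 00 00 00 00 00 00   ........
0028: ff 00 b1 53 4d 42 25 00   ÿ.±SMB%.
0030: 00 00 00 00 00 00 00 00   ........
0038: 00 00 00 00 00 00 00 00   ........
0040: 00 00 00 00 00 00 00 00   ........
0048: 00 00 11 00 00 2f 00 00   ...../..
0050: 00 00 00 00 00 00 00 00   ........
0058: 00 00 00 00 00 00 00 00   ........
0060: 00 2f 00 56 00 03         ./.V..
"""
ROW = re.compile(r"^([0-9a-f]{4}):\s+((?:[0-9a-f]{2} )*[0-9a-f]{2})(?:\s|$)", re.I)
COMMANDS = {0x25: "SMB_COM_TRANSACTION"}  # only the command seen in this dump

def parse_dump(text):
    """Rebuild the raw bytes, refusing dumps with missing or reordered rows."""
    data = bytearray()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # blank line or surrounding prose
        if int(m.group(1), 16) != len(data):
            raise ValueError(f"offset gap at row {m.group(1)}")
        data += bytes.fromhex(m.group(2))  # the ASCII column is ignored
    return bytes(data)

def locate_smb(data):
    """Report where the 'SMB' marker sits and what surrounds it."""
    pos = data.find(b"SMB")
    if pos < 0 or pos + 3 >= len(data):
        return None
    cmd = data[pos + 3]
    return {
        "marker_offset": pos,
        "command": COMMANDS.get(cmd, f"0x{cmd:02x}"),
        # A standard SMB1 header starts 0xFF 'S' 'M' 'B'.
        "ff_immediately_before": pos > 0 and data[pos - 1] == 0xFF,
        "bytes_before_marker": data[max(0, pos - 3):pos].hex(" "),
    }
```

`locate_smb(parse_dump(DUMP))` returns the marker offset, the command name and the three bytes in front of the marker for the dump in the post.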

