Security Incidents mailing list archives

Re: SMB scans


From: Jonathan Stade <jsmailst () CADVISION COM>
Date: Fri, 28 Jul 2000 11:14:36 -0600

I've seen a lot of these over the past couple or three months. In every
case I've seen, your aa.bb.cc.dd ip address would increment by one on each
cycle. In every case I've tracked down (about 7-10 of them), the source
machine was infected with a worm which replicated itself by copying itself
onto other machines over open shares.

For the most common one I found, check http://vil.nai.com for the netlog
worm. There was another worm I found that did this as well, but I can't
remember what its name was...

Long story short, if you care enough and have the time, ask the ISP where
the attack originated to contact their user and have them scan their
machine with an up-to-date virus scanner.

At 10:42 AM 7/27/00 -0700, you wrote:
this morning, looking at what logcheck mailed me overnight, i came across
a _ton_ of these messages:

-- snip --
Jul 26 22:25:38 spindle kernel: Packet log: ltraf REJECT eth0 PROTO=17
203.12.167.242:137 aa.bb.cc.dd:137 L=78 S=0x00 I=16902 F=0x0000 T=112
(#13)
Jul 26 22:25:38 spindle snort: SMB Name Wildcard: 203.12.167.242:137 ->
aa.bb.cc.dd:137
-- snip --
looks like this went on for about 20 minutes. it also looks like the
source of the scan/attack was from a dialup in australia
(cbr-56K-242.tpgi.com.au)

not too worried about this, since the machine in question does not run
samba or any other smb daemon. but it blocks all traffic to ports <1024,
unless specifically allowed.

anyone else see anything like this?

--
 ______________________________________________
| "the whole scale of cosmic dimensions are falling from my mouth
| in the description of a kiss of the interimlovers"
|   - einsturzende neubaten, "interim"
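The sweep pattern described in this thread (one source hitting UDP/137 on destination addresses that increment by one per cycle) can be picked out of ipchains "Packet log" lines automatically. The following is an added example, not code from either poster; the log lines are constructed in the format quoted above, with documentation-range addresses standing in for aa.bb.cc.dd and its neighbours.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in the ipchains "Packet log" format quoted in the thread.
# Three UDP/137 probes from one source walk consecutive destinations; the
# last line is an unrelated TCP reject that must not be counted.
SAMPLE_LOG = """\
Jul 26 22:25:38 spindle kernel: Packet log: ltraf REJECT eth0 PROTO=17 203.12.167.242:137 192.0.2.10:137 L=78 S=0x00 I=16902 F=0x0000 T=112 (#13)
Jul 26 22:25:39 spindle kernel: Packet log: ltraf REJECT eth0 PROTO=17 203.12.167.242:137 192.0.2.11:137 L=78 S=0x00 I=16903 F=0x0000 T=112 (#13)
Jul 26 22:25:40 spindle kernel: Packet log: ltraf REJECT eth0 PROTO=17 203.12.167.242:137 192.0.2.12:137 L=78 S=0x00 I=16904 F=0x0000 T=112 (#13)
Jul 26 22:26:01 spindle kernel: Packet log: ltraf REJECT eth0 PROTO=6 198.51.100.7:4321 192.0.2.10:22 L=60 S=0x00 I=1 F=0x4000 T=64 (#2)
"""

# chain name, action, interface, protocol number, then src:port dst:port
LINE_RE = re.compile(
    r"Packet log: \S+ (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_packet_log(text):
    """Yield one dict per ipchains 'Packet log' line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("proto", "sport", "dport"):
                d[k] = int(d[k])
            yield d

def find_netbios_sweeps(text, min_targets=3):
    """Return {src: [dst, ...]} for sources that hit UDP/137 on a run of
    consecutive destination addresses (the 'increments by one' pattern)."""
    targets = defaultdict(list)
    for pkt in parse_packet_log(text):
        if pkt["proto"] == 17 and pkt["dport"] == 137:  # UDP NetBIOS name service
            targets[pkt["src"]].append(pkt["dst"])
    sweeps = {}
    for src, dsts in targets.items():
        nums = sorted({int(ip_address(d)) for d in dsts})
        consecutive = all(b - a == 1 for a, b in zip(nums, nums[1:]))
        if len(nums) >= min_targets and consecutive:
            sweeps[src] = [str(ip_address(n)) for n in nums]
    return sweeps

if __name__ == "__main__":
    for src, dsts in find_netbios_sweeps(SAMPLE_LOG).items():
        print(f"possible share-scanning sweep from {src}: "
              f"{dsts[0]} .. {dsts[-1]} ({len(dsts)} hosts)")
```

A source flagged this way is the one to report to its ISP, as the reply suggests; a single stray port 137 probe will not trigger it because of the consecutive-run requirement.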

