Security Incidents mailing list archives
Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity
From: friedl () MTNDEW COM (Stephen Friedl)
Date: Tue, 28 Mar 2000 22:16:01 -0800
I too have seen this behavior. I block them at my firewall, but the numbers have dramatically increased for port 137 scans that hit every IP# in my micro net address range. Before Feb I'd see one a month at most.
This looks to me like the NETWORK.VBS worm. This propagates onto a machine, and then sits and tries to infect random class Cs by looking for shared C drives with no passwords. The scans are not terribly fast -- takes several minutes to scan the full class C -- and you can nearly always visit the machine and remove the virus yourself.
Mar 27 22:00:25 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00
$ nbtscan -f 204.210.104.156
204.210.104.156 FUN\ANDRE SHARING
  ANDRE <00> UNIQUE Workstation Service
  FUN <00> GROUP Domain Name
  ANDRE <03> UNIQUE Messenger Service<3>
  ANDRE <20> UNIQUE File Server Service
  FUN <1e> GROUP Browser Service Elections
  FUN <1d> UNIQUE Master Browser
  ..__MSBROWSE__.<01> GROUP Master Browser
  00:80:c6:f8:ec:3c ETHER

If you visit their C drive, you'll find NETWORK.VBS in the root dir, \WINDOWS, and in the startup folder. My practice of late has been to remove these files and drop an "INFECTED.TXT" text file on their desktop and in their startup folder to suggest that they stop sharing their drives, put on a password, or get a real firewall.
This is a set from two sites very nicely meshed (Are they racing each other?):
Mar 23 18:39:48 input PROTO=17 207.194.22.39:137 *.16:137 L=78 S=0x00
...
Mar 23 18:39:48 input PROTO=17 200.200.200.1:137 *.16:137 L=78 S=0x00
...
This is almost certainly a dual-homed machine that sends a packet from each interface. The 200.200.200.1 address is probably a poorly-chosen "internal" network number.

Steve
---
Stephen J Friedl|Software Consultant|Tustin, CA| +1 714 544-6561
3B2-kind-of-guy |I speak for me only| KA8CMY |steve () unixwiz net
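One way to pick the sweep pattern discussed in this message out of firewall logs in the quoted format, as an added example that is not part of the original post. The function names, the threshold and time window, the assumed year (the log lines carry none), and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the firewall log format quoted in the message, e.g.
# "Mar 27 22:00:25 input PROTO=17 204.210.104.156:137 *.16:137 L=78 S=0x00"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.*]+):(?P<dport>\d+)"
)

def parse(line, year=2000):
    """Return (timestamp, proto, src, dst, dport), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The log has no year field; 'year' is an assumption supplied by the caller.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, int(m["proto"]), m["src"], m["dst"], int(m["dport"])

def find_sweeps(lines, min_hosts=5, window=timedelta(minutes=10)):
    """Map each source to its peak count of distinct UDP/137 targets inside one window."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[1] == 17 and rec[4] == 137:   # PROTO=17 is UDP
            hits[rec[2]].append((rec[0], rec[3]))
    sweeps = {}
    for src, events in hits.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # Distinct destinations probed within 'window' of this event
            best = max(best, len({d for t, d in events[i:] if t - start <= window}))
        if best >= min_hosts:
            sweeps[src] = best
    return sweeps

# Constructed sample lines (documentation address ranges), not taken from the post:
# one source walking six hosts a minute apart, one single probe, one unrelated TCP hit.
SAMPLE = [f"Mar 27 22:0{i}:25 input PROTO=17 192.0.2.10:137 *.{i + 1}:137 L=78 S=0x00"
          for i in range(6)] + [
    "Mar 27 22:03:10 input PROTO=17 198.51.100.7:137 *.16:137 L=78 S=0x00",
    "Mar 27 22:04:00 input PROTO=6 192.0.2.99:1025 *.16:80 L=44 S=0x00",
]

if __name__ == "__main__":
    for src, count in find_sweeps(SAMPLE).items():
        print(f"{src} probed UDP/137 on {count} hosts inside one window")
```

A source that touches many distinct addresses in the range within a few minutes is consistent with the slow class C walk described above; a single stray probe falls under the threshold.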