Security Incidents mailing list archives
Re: Lots netbios scans (udp 137)
From: bryan () VISI COM (Bryan Andersen)
Date: Wed, 3 May 2000 17:43:42 -0500
"Greg A. Woods" wrote:
[ On Monday, May 1, 2000 at 20:20:57 (-0500), Ben Laws wrote: ]Subject: Re: Lots netbios scans (udp 137) Here I've been observing similar scansm, although over a smaller address space. They always originate from a Windows box (determined by `nmap -sS -O target`), and I've seen them come from all over as well. Best to ensure you don't have any open shares on your Windows systems --
CERT has a couple of writeups on Open Windows Shares Worms. http://www.cert.org/ http://www.cert.org/incident_notes/IN-2000-03.html http://www.cert.org/incident_notes/IN-2000-02.html http://www.cert.org/incident_notes/IN-2000-05.html
The scans I saw last week were always from unrouted networks such as 192.168 and 169.254, but from port 137 and to port 137, and always 78-byte UDP packets. I there any possibility that it's "normal" for a M$-Win box to do this under some circumstances?
I haven't found any standard Windows software that as part of it's normal operation will scan an address range without user intervention. Many of the logging packages that are put forth as possible sources of scans only hit specific addresses. -- | Bryan Andersen | bryan () visi com | http://softail.visi.com | | Buzzwords are like annoying little flies that deserve to be swatted. | | -Bryan Andersen |
Current thread:
- Re: Lots netbios scans (udp 137) Ben Laws (May 01)
- Re: Lots netbios scans (udp 137) Greg A. Woods (May 03)
- Re: Lots netbios scans (udp 137) Bryan Andersen (May 03)
- odd message showing up logs... Josh Burroughs (May 04)
- Re: odd message showing up logs... Rick Redman (May 06)
- amd exploit(ed)? Paulo Ribeiro (May 07)
- Re: amd exploit(ed)? Mike Murray (May 08)
- Re: amd exploit(ed)? Erich Meier (May 09)
- Re: amd exploit(ed)? Jim Zajkowski (May 09)
- Re: odd message showing up logs... Robert Graham (May 07)
- Port 109 Scans Eric Maiwald (May 04)
- Re: Port 109 Scans Stone (May 06)
- Re: Lots netbios scans (udp 137) Erich Meier (May 04)
- Re: Lots netbios scans (udp 137) Greg A. Woods (May 03)