Security Incidents mailing list archives

Re: Lots netbios scans (udp 137)


From: bryan () VISI COM (Bryan Andersen)
Date: Wed, 3 May 2000 17:43:42 -0500


"Greg A. Woods" wrote:

[ On Monday, May 1, 2000 at 20:20:57 (-0500), Ben Laws wrote: ]
Subject: Re: Lots netbios scans (udp 137)

Here I've been observing similar scans, although
over a smaller address space.  They always originate
from a Windows box (determined by `nmap -sS -O
target`), and I've seen them come from all over as
well.  Best to ensure you don't have any open shares
on your Windows systems --

CERT has a couple of writeups on Open Windows Shares Worms.
http://www.cert.org/
http://www.cert.org/incident_notes/IN-2000-03.html
http://www.cert.org/incident_notes/IN-2000-02.html
http://www.cert.org/incident_notes/IN-2000-05.html


The scans I saw last week were always from unrouted networks such as
192.168 and 169.254, but from port 137 and to port 137, and always
78-byte UDP packets.

Is there any possibility that it's "normal" for a M$-Win box to do this
under some circumstances?

I haven't found any standard Windows software that as part of its
normal operation will scan an address range without user intervention.
Many of the logging packages that are put forth as possible sources of
scans only hit specific addresses.

--
|  Bryan Andersen   |   bryan () visi com   |   http://softail.visi.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |


