Security Incidents mailing list archives

Re: Can anyone guess at this "scan"??


From: Anders Thulin <Anders.X.Thulin () TELIA SE>
Date: Thu, 11 Jan 2001 09:32:53 +0100

"Los, Ralph" wrote:

        Can someone maybe give me a clue where to dig on finding out what
this type of "scan" is?...whether it's anything known?

  It would be useful to know from what kind of system or software the log
is coming.

  I suspect it takes someone who knows this product to interpret the logs
accurately -- especially what those '-' mean, whether they are significant
for the interpretation, and whether those really are port numbers.

01/09/2001 04:34:36.928 -       UDP packet dropped -
Source:other.net.11.66, 928, WAN -      Destination:My.sub.net.162, 137, LAN
-        -

  Thus, I can't say for certain that '137' is to be interpreted as a port number,
even if it seems the most likely interpretation.

  Port 137 is a well-known port (Netbios name service), and has been the target for
intrusion attempts, as indicated by several advisories. Here are some:

 * http://www.cert.org/incident_notes/IN-2000-02.html

 * http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm

     and in particular the part about port 137 scans available in:

   http://www.sans.org/newlook/resources/IDFAQ/port_137.htm

 * Searching the vulnerability database at www.securityfocus.com for '137'
   also gives a few ideas as to possible intentions.

  However, one would need a copy of the dropped packet to say for certain what
is going on here.

  The source port (928?) might provide a certain lead, as legitimate connections
to port 137 usually (? always) come from port 137.

The scans come at a seemingly timed interval, and after speaking
with one of the network OPS personnel over at the company, it appears to be
an unconfirmed version of *nix with some sort of mail program running on it.

  Don't they know for certain? In particular, can't they explain why
this server wants to talk NetBIOS with your system, or if it even is expected
to do so?  :-)

  Hope you can convince them of the possibility that they have been hit.
Reporting the problem to CERT can sometimes give added weight to your
complaints.

--
Anders Thulin     Anders.X.Thulin () telia se     040-10 50 63
Telia ProSoft AB, Box 85, SE-201 20 Malmö, Sweden
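As an added illustration (not part of the original thread, and not tied to any particular firewall product), here is a small parser for the one-line form of the quoted log entry that applies the two leads raised above: whether the source port of a UDP/137 drop is itself 137, and whether the drops from one source recur at a regular interval. The field layout and the sample entries are constructed assumptions based on the single line quoted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed one-line layout of the entry quoted in the thread (the archive wraps
# it); fields are separated by ' - ' and ', '. Field meanings are an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - "
    r"(?P<proto>\w+) packet dropped - "
    r"Source:(?P<src>[^,]+), (?P<sport>\d+), (?P<sif>\w+) - "
    r"Destination:(?P<dst>[^,]+), (?P<dport>\d+), (?P<dif>\w+)"
)

def parse_line(line):
    """Return a dict of fields for one log entry, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%m/%d/%Y %H:%M:%S.%f")
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def classify(rec):
    """NetBIOS name-service traffic normally comes from source port 137 too,
    so a UDP/137 drop from any other source port is worth a closer look."""
    if rec["proto"] != "UDP" or rec["dport"] != 137:
        return "other"
    return "nbns-peer" if rec["sport"] == 137 else "nbns-odd-sport"

def summarize(lines):
    """Per source: number of drops, classifications seen, and the gaps in
    seconds between successive drops (a constant gap suggests a timer)."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)
    out = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [round((b["ts"] - a["ts"]).total_seconds(), 3)
                for a, b in zip(recs, recs[1:])]
        out[src] = {"count": len(recs),
                    "kinds": sorted({classify(r) for r in recs}), "gaps": gaps}
    return out

# Constructed sample entries in the style of the quoted line (not real log data).
SAMPLE = [
    "01/09/2001 04:34:36.928 - UDP packet dropped - Source:other.net.11.66, 928, WAN - Destination:My.sub.net.162, 137, LAN - -",
    "01/09/2001 04:44:36.931 - UDP packet dropped - Source:other.net.11.66, 928, WAN - Destination:My.sub.net.162, 137, LAN - -",
    "01/09/2001 04:54:36.930 - UDP packet dropped - Source:other.net.11.66, 928, WAN - Destination:My.sub.net.162, 137, LAN - -",
    "01/09/2001 04:40:01.100 - UDP packet dropped - Source:192.0.2.10, 137, WAN - Destination:My.sub.net.162, 137, LAN - -",
]

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```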
