Security Incidents mailing list archives
Re: Can anyone guess at this "scan"??
From: Anders Thulin <Anders.X.Thulin () TELIA SE>
Date: Thu, 11 Jan 2001 09:32:53 +0100
"Los, Ralph" wrote:
> Can someone maybe give me a clue where to dig on finding out what this type of "scan" is? ... whether it's anything known?
It would be useful to know from what kind of system or software the log is coming. I suspect it takes someone who knows this product to interpret the logs accurately -- especially what those '-' mean, whether they are significant for the interpretation, and whether those really are port numbers.
> 01/09/2001 04:34:36.928 - UDP packet dropped - Source:other.net.11.66, 928, WAN - Destination:My.sub.net.162, 137, LAN - -
Thus, I can't say for certain that '137' is to be interpreted as a port number, even if it seems the most likely interpretation. Port 137 is a well-known port (NetBIOS name service), and has been the target for intrusion attempts, as indicated by several advisories. Here are some:

* http://www.cert.org/incident_notes/IN-2000-02.html
* http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm and in particular the part about port 137 scans available in: http://www.sans.org/newlook/resources/IDFAQ/port_137.htm
* Searching the vulnerability database at www.securityfocus.com for '137' also gives a few ideas as to possible intentions.

However, one would need a copy of the dropped packet to say for certain what is going on here. The source port (928?) might provide a certain lead, as legitimate connections to port 137 usually (? always) come from port 137.
> The scans come at a seemingly timed interval, and after speaking with one of the network OPS personnel over at the company, it appears to be an unconfirmed version of *nix with some sort of mail program running on it.
Don't they know for certain? In particular, can't they explain why this server wants to talk NetBIOS with your system, or if it even is expected to do so? :-) Hope you can convince them of the possibility that they have been hit. Reporting the problem to CERT can sometimes give added weight to your complaints.

--
Anders Thulin Anders.X.Thulin () telia se 040-10 50 63
Telia ProSoft AB, Box 85, SE-201 20 Malmö, Sweden
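The two leads raised in the thread (a source port other than 137 on UDP traffic to port 137, and drops arriving at a steady interval) are easy to check mechanically once the firewall's drop lines are parsed. The following is an added example, not code from either poster: it parses lines in the format quoted above and applies both checks. The log lines embedded in it are constructed for illustration (RFC 5737 documentation addresses stand in for the anonymised hosts), and the source-port rule is Anders's heuristic, not a hard fact: a Windows host's own NetBIOS name-service queries come from port 137, whereas scanners and other tools commonly use an ephemeral port. The trailing "- -" fields are left unparsed because the thread could not say what they mean.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Matches the drop format quoted in the thread; the trailing "- -" is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - "
    r"(?P<proto>\w+) packet dropped - "
    r"Source:(?P<src>[^,]+), (?P<sport>\d+), (?P<sif>\w+) - "
    r"Destination:(?P<dst>[^,]+), (?P<dport>\d+), (?P<dif>\w+)"
)

# Constructed sample log (not from the original post); hypothetical hosts.
SAMPLE_LOG = """\
01/09/2001 04:34:36.928 - UDP packet dropped - Source:192.0.2.66, 928, WAN - Destination:198.51.100.162, 137, LAN - -
01/09/2001 04:44:36.931 - UDP packet dropped - Source:192.0.2.66, 929, WAN - Destination:198.51.100.162, 137, LAN - -
01/09/2001 04:51:12.004 - UDP packet dropped - Source:192.0.2.80, 137, WAN - Destination:198.51.100.162, 137, LAN - -
01/09/2001 04:54:37.002 - UDP packet dropped - Source:192.0.2.66, 930, WAN - Destination:198.51.100.162, 137, LAN - -
01/09/2001 05:04:36.950 - UDP packet dropped - Source:192.0.2.66, 931, WAN - Destination:198.51.100.162, 137, LAN - -
this line is deliberately unparseable
"""


def parse_line(line):
    """Return a dict for one drop line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%m/%d/%Y %H:%M:%S.%f"),
        "proto": d["proto"],
        "src": d["src"],
        "sport": int(d["sport"]),
        "dst": d["dst"],
        "dport": int(d["dport"]),
    }


def parse_log(text):
    """Parse every recognisable line; unrecognised lines are skipped."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def netbios_ns_suspects(events):
    """UDP packets to port 137 whose source port is not 137.

    Heuristic from the thread: a host's own NetBIOS name-service traffic is
    normally sent from port 137; an ephemeral source port points at a scanner
    or some other non-NetBIOS tool rather than at ordinary name resolution.
    """
    return [e for e in events
            if e["proto"] == "UDP" and e["dport"] == 137 and e["sport"] != 137]


def periodic_sources(events, min_hits=3, max_jitter=0.1):
    """Map each source host that sends at a steady interval to that interval.

    A source counts as periodic when it has at least min_hits events and the
    spread of the gaps between them (pstdev / mean) is within max_jitter.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e["ts"])
    result = {}
    for src, times in by_src.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            result[src] = round(avg, 1)
    return result


SAMPLE_EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for e in netbios_ns_suspects(SAMPLE_EVENTS):
        print("suspect:", e["ts"], e["src"], e["sport"], "->", e["dst"], e["dport"])
    print("periodic sources (seconds):", periodic_sources(SAMPLE_EVENTS))
```

On the constructed log, the four drops from 192.0.2.66 are flagged on the source-port rule and the host is reported as periodic at roughly 600 seconds, while the single 137-to-137 packet from 192.0.2.80 is not flagged. As Anders says, that is only a lead; a capture of the actual packet is what settles whether it is a name query, a scan, or something else.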
Current thread:
- Can anyone guess at this "scan"?? Los, Ralph (Jan 10)
- Re: Can anyone guess at this "scan"?? Anders Thulin (Jan 11)
- Re: Can anyone guess at this "scan"?? Guido Bolognesi (Jan 11)
- <Possible follow-ups>
- Re: Can anyone guess at this "scan"?? Howard, Aaron (Jan 11)
- Re: Can anyone guess at this "scan"?? Los, Ralph (Jan 11)
- Re: Can anyone guess at this "scan"?? Duquette, John (Jan 11)
- Re: Can anyone guess at this "scan"?? Sarah Cleveland (Jan 11)