Security Incidents mailing list archives
Re: Can anyone guess at this "scan"??
From: "Los, Ralph" <rlos () ENVESTNET COM>
Date: Thu, 11 Jan 2001 09:37:54 -0600
Thanks all,

In reply to some of the questions:

The logging utility here, unfortunately, is a SonicWall Pro. The destination network (one of mine) is completely isolated from the one that is the source - meaning, there should ordinarily be NO traffic from them to us of this nature. Also, the machine on the other end has been reported by them to be a *NIX box...mine is, yes, a firewall hiding a completely MS network. I wish I could get packet dumps for you, but I don't have that facility, and as I'm relatively new to this type of task, I don't even have a facility set up to do such a task...learning quickly.

Maybe this'll help someone track this down...the other end has been relatively slow in responding, but they swore they would investigate. I will post again should I hear any more news from their security team. In the meantime, ...is there a tool out there that is known to run from a *NIX box that would be doing NetBIOS scans like the one seen below in my post?

Thanks everyone...

Ralph M. Los
Sr. Internet Systems & Security Admin. (312) 827-3945 (direct)
EnvestNet Advisory Corp. (312) 296-9003 (wireless)
rlos () envestnet com

-----Original Message-----
From: Jigal Weinberg [mailto:jigal () cistron nl]
Sent: Thursday, January 11, 2001 6:00 AM
To: Los, Ralph
Cc: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Can anyone guess at this "scan"??

On Wed, 10 Jan 2001, Los, Ralph wrote:

01/09/2001 04:34:36.928 - UDP packet dropped - Source:other.net.11.66, 928, WAN - Destination:My.sub.net.162, 137, LAN - -
01/09/2001 04:41:23.416 - UDP packet dropped - Source:other.net.11.66, 642, WAN - Destination:My.sub.net.162, 137, LAN - -
01/09/2001 04:50:59.592 - UDP packet dropped - Source:other.net.11.66, 949, WAN - Destination:My.sub.net.162, 137, LAN - -
01/09/2001 04:57:10.336 - UDP packet dropped - Source:other.net.11.66, 690, WAN - Destination:My.sub.net.162, 137, LAN - -
01/09/2001 05:05:04.480 - UDP packet dropped - Source:other.net.11.66, 872, WAN - Destination:My.sub.net.162, 137, LAN - -

Have you checked the traffic from destination to source?

Maybe it could be something samba.

netbios-ns 137/udp

Maybe something with windows Domain controller stuff. Periodic announcing of its netbios name.

hope it helps

Greets
J . Weinberg

--
Mr. Orange: Motherfucker, I don't even know what 10 dollars worth looks like. - <Reservoir Dogs>

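A triage sketch for the log lines quoted above, added here as an example and not part of the original thread: it parses the dropped-packet format shown in the post and reports, per source and destination port, how many distinct hosts were touched, which source ports were used, and the average gap between packets. The regular expression is inferred from the five quoted lines only; that other SonicWall entries follow the same layout is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# The five dropped-packet lines quoted in the thread (addresses as redacted by the poster).
SAMPLE_LOG = """\
01/09/2001 04:34:36.928 - UDP packet dropped - Source:other.net.11.66, 928, WAN - Destination:My.sub.net.162, 137, LAN - -
01/09/2001 04:41:23.416 - UDP packet dropped - Source:other.net.11.66, 642, WAN - Destination:My.sub.net.162, 137, LAN - -
01/09/2001 04:50:59.592 - UDP packet dropped - Source:other.net.11.66, 949, WAN - Destination:My.sub.net.162, 137, LAN - -
01/09/2001 04:57:10.336 - UDP packet dropped - Source:other.net.11.66, 690, WAN - Destination:My.sub.net.162, 137, LAN - -
01/09/2001 05:05:04.480 - UDP packet dropped - Source:other.net.11.66, 872, WAN - Destination:My.sub.net.162, 137, LAN - -
"""

# Layout inferred from those five lines only (assumption, not a vendor specification).
LINE_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - "
    r"(?P<proto>\w+) packet dropped - "
    r"Source:(?P<src>[^,]+), (?P<sport>\d+), \w+ - "
    r"Destination:(?P<dst>[^,]+), (?P<dport>\d+), \w+"
)

def parse(log_text):
    """Yield one record per dropped-packet line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %H:%M:%S.%f")
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        yield rec

def summarize(records):
    """Group by (source, protocol, destination port); report spread and timing."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["proto"], r["dport"])].append(r)
    report = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        report[key] = {
            "packets": len(recs),
            "distinct_dsts": len({r["dst"] for r in recs}),
            "sports": [r["sport"] for r in recs],
            "mean_gap_s": round(mean(gaps), 1) if gaps else None,
        }
    return report
```

Calling `summarize(parse(SAMPLE_LOG))` on the quoted lines gives one group: five packets to a single destination on UDP 137, every source port below 1024, and an average gap of roughly seven and a half minutes.
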
Current thread:
- Can anyone guess at this "scan"?? Los, Ralph (Jan 10)
- Re: Can anyone guess at this "scan"?? Anders Thulin (Jan 11)
- Re: Can anyone guess at this "scan"?? Guido Bolognesi (Jan 11)
- <Possible follow-ups>
- Re: Can anyone guess at this "scan"?? Howard, Aaron (Jan 11)
- Re: Can anyone guess at this "scan"?? Los, Ralph (Jan 11)
- Re: Can anyone guess at this "scan"?? Duquette, John (Jan 11)
- Re: Can anyone guess at this "scan"?? Sarah Cleveland (Jan 11)