Security Incidents mailing list archives
Re: Strange logs
From: Camillo Särs <Camillo.Sars () F-SECURE COM>
Date: Tue, 2 Jan 2001 10:29:20 +0200
Devdas Bhagat wrote:
> I am getting UDP packets from port 137 on various machines to port 53 on my secondary nameserver.
Looks like WINS resolution attempts through DNS.
> These have been coming continuously since morning (about 9 hrs now), and currently form half my logfile (rotated on Sunday at 4 am). No such traces on the primary nameserver, and I use the same rules on both. Any explanations of what this could be? An attempted exploit or just a misconfigured File and Print share (given the originating port)?
Probably a Windows PC which has a misconfigured (or missing) WINS entry. Windows will in some cases (depends on configuration) fall back to DNS lookups to resolve host names for WINS. AFAIK, Windows DNS lookups are pretty hairily implemented, so falling back to a secondary name server seems "normal" ;)
Have you checked to see if such traffic to your primary nameserver might perhaps be silently blocked, causing the fall-back?
I have set up explicit rules to silently ignore lookups of this type, because Windows 137-139 ports tend to cause a lot of "noise" anyway. Mind you, you would still do well to log any normal NetBIOS traffic attempts, as they quite often indicate worm activity.
Regards,
Camillo
--
Camillo Särs <Camillo.Sars () F-Secure com> http://www.iki.fi/ged/
Security Researcher, F-Secure Corporation http://www.F-Secure.com
F-Secure products: Securing the Mobile, Distributed Enterprise
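The split described in the reply above (ignore port 137 to port 53 lookups, keep logging real NetBIOS attempts), shown as an added example that is not part of the original post. The log format, addresses and the fan-out threshold are constructed assumptions, not anything from the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in a made-up "PROTO src:sport -> dst:dport" format.
SAMPLE_LOG = """\
Jan  1 09:02:11 ns2 fw: UDP 192.0.2.10:137 -> 198.51.100.2:53
Jan  1 09:02:14 ns2 fw: UDP 192.0.2.10:137 -> 198.51.100.2:53
Jan  1 09:03:40 ns2 fw: UDP 192.0.2.77:137 -> 198.51.100.2:53
Jan  1 09:05:02 ns2 fw: TCP 203.0.113.5:1042 -> 198.51.100.2:139
Jan  1 09:05:03 ns2 fw: TCP 203.0.113.5:1043 -> 198.51.100.3:139
Jan  1 09:05:04 ns2 fw: TCP 203.0.113.5:1044 -> 198.51.100.4:139
Jan  1 09:07:19 ns2 fw: UDP 192.0.2.10:137 -> 198.51.100.2:137
Jan  1 09:08:00 ns2 fw: UDP 192.0.2.50:1025 -> 198.51.100.2:53
"""

LINE_RE = re.compile(
    r"(?P<proto>UDP|TCP) (?P<src>[\d.]+):(?P<sport>\d+)"
    r" -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
NETBIOS_PORTS = {137, 138, 139}

def classify(log_text, fanout_threshold=3):
    """Split entries into 137 -> 53 noise and NetBIOS attempts worth keeping."""
    noise = defaultdict(int)     # source -> count of UDP 137 -> 53 packets
    netbios = defaultdict(set)   # source -> distinct NetBIOS destinations
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sport, dport = int(m["sport"]), int(m["dport"])
        if m["proto"] == "UDP" and sport == 137 and dport == 53:
            noise[m["src"]] += 1             # the pattern from the original post
        elif dport in NETBIOS_PORTS:
            netbios[m["src"]].add(m["dst"])  # NetBIOS attempt: keep logging it
    # Assumption: a source touching several hosts is the one to look at first.
    review = sorted(s for s, d in netbios.items() if len(d) >= fanout_threshold)
    return dict(noise), {s: sorted(d) for s, d in netbios.items()}, review

if __name__ == "__main__":
    noise, netbios, review = classify(SAMPLE_LOG)
    print("137 -> 53 noise per source:", noise)
    print("NetBIOS attempts per source:", netbios)
    print("sources to review first:", review)
```
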