Snort mailing list archives
Re: Is this an attack in the making?
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 27 Oct 2003 13:13:30 -0500
At 07:50 PM 10/26/2003, Michael Esposito wrote:
I've picked up UDP 137 alerts from several of my internal machines attempting to connect to a machine with an external IP address of 66.223.110.226. When I connect to the web server on that IP address, I notice three files:

Name                Last Modified                 Size  Description
EyeURL.html         Mon Jul 07 15:04:26 EDT 2003  1430  File
HiddenApplet.class  Mon Sep 23 16:47:02 EDT 2002  2090  File
HttpMessage.class   Mon Sep 23 16:47:02 EDT 2002  3842  File

1) What would be causing my machines to attempt to connect to an external udp 137 port?
137 is netbios-name. Many Windows machines will attempt to connect to it as an alternative to doing a reverse DNS lookup. Since 66.223.110.226 has no reverse DNS records, your clients are probably trying netbios-name as a fall-back. It's probably hosting some advertising images, or some other such thing, which is referred to from another site your users are visiting.
According to whois, the IP is owned by interland.com, a web hosting company, so that IP address is probably a vhost for several websites.
2) I heard that there was a udp port 137 attack a while back. Can anyone provide me with the specifics on this attack and if a Snort signature rule exists?
I've heard of lots of vulnerabilities in the tcp based netbios ports (139, 135), but not of one in netbios-name udp services (137). Even the really old "winnuke" vulnerability was a netbios tcp port issue.
The blaster worm was exploiting tcp/139, which is what you might be thinking of.
3) Are these files on the above-mentioned site malicious?
They don't seem to be, but I've not examined them very closely.
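A small triage script for the situation Matt describes: it pulls outbound UDP/137 alerts out of Snort fast-format alert lines, groups them by external destination, and checks whether the destination has a reverse-DNS (PTR) record, since a missing PTR is consistent with Windows falling back to a NetBIOS name query. This is an added example, not code from the thread; the alert lines, the PTR table and the internal address ranges are constructed, and the PTR table stands in for a live `socket.gethostbyaddr()` call so the example runs offline.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed Snort fast-alert lines (not taken from the thread).
SAMPLE_ALERTS = """\
10/26-19:41:02.118832 [**] [1:0:0] NETBIOS name query to external host [**] [Priority: 3] {UDP} 192.168.1.20:137 -> 66.223.110.226:137
10/26-19:41:02.201117 [**] [1:0:0] NETBIOS name query to external host [**] [Priority: 3] {UDP} 192.168.1.31:137 -> 66.223.110.226:137
10/26-19:42:15.004410 [**] [1:0:0] NETBIOS name query to external host [**] [Priority: 3] {UDP} 192.168.1.44:137 -> 66.223.110.226:137
10/26-19:43:07.330912 [**] [1:0:0] NETBIOS name query to external host [**] [Priority: 3] {UDP} 192.168.1.20:137 -> 198.51.100.7:137
10/26-19:44:55.781203 [**] [1:0:0] Some unrelated TCP alert [**] [Priority: 3] {TCP} 192.168.1.20:1045 -> 66.223.110.226:80
"""

# Constructed reverse-DNS answers replacing socket.gethostbyaddr(); a
# missing key models NXDOMAIN / no PTR record for that address.
SAMPLE_PTR = {"198.51.100.7": "www.example.net"}

# Assumed internal ranges (RFC 1918); adjust to the monitored network.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)")

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def outbound_netbios_ns(alert_text):
    """Map each external destination to the set of internal hosts that sent UDP/137 to it."""
    hits = defaultdict(set)
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or m["proto"] != "UDP" or m["dport"] != "137":
            continue
        if is_internal(m["src"]) and not is_internal(m["dst"]):
            hits[m["dst"]].add(m["src"])
    return hits

def triage(alert_text, ptr_lookup):
    """Annotate each destination with its PTR record and a verdict on the fallback explanation."""
    report = {}
    for dst, srcs in outbound_netbios_ns(alert_text).items():
        ptr = ptr_lookup(dst)
        verdict = ("no PTR record: consistent with NetBIOS name fallback" if ptr is None
                   else "PTR record present: fallback does not explain it, review")
        report[dst] = {"sources": len(srcs), "ptr": ptr, "verdict": verdict}
    return report

if __name__ == "__main__":
    for dst, info in triage(SAMPLE_ALERTS, SAMPLE_PTR.get).items():
        print(f"{dst}: {info['sources']} internal host(s), {info['verdict']}")
```

Against real traffic, pass a lookup that wraps `socket.gethostbyaddr(ip)[0]` and returns `None` on `socket.herror`; a destination with many distinct internal sources and no PTR record matches the benign pattern Matt describes, while one with a PTR record deserves a closer look.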