Re: many attempts to Port 137 (NetBIOS-NameService)

From: K. Graham (zukeeat_private)
Date: Fri Feb 18 2000 - 13:21:39 PST

    It sounds like the new VBS Trojan that is being distributed.  NAI has put
    it in their database as of Feb 3/2000.  You can find the information at 
    http://vil.nai.com/vil/vbs98477.asp  This trojan uses NetBios to look for
    open shares on the C: drive.  If it finds the open shares then it executes
    an install program.   NAI does not go into what it installs but most
    Trojan channels on any IRC network may be able to elaborate on what it
    actually does.   Check http://www.nohack.net or
    http://split.netset.com/miscfix for information.   Seeing it is a new
    trojan it may be a few days before their websites have information to
    post. 
    
    It is becoming more and more frequent to look for open shares on high
    speed Internet connections.  Unfortunately not all people are aware that
    small programs can be installed that allow remote control of individual
    PCs from a central or several central locations. 
    
    Kim Graham
    Network Analyst, CCNA
    IRCop DALnet, WebChat
    
    On Wed, 16 Feb 2000, Bill Pennington wrote:
    
    > Date: Wed, 16 Feb 2000 17:29:16 -0800
    > From: Bill Pennington <billpat_private>
    > To: Joerg Walter <joerg.walterat_private>
    > Cc: firewall-wizardsat_private
    > Subject: Re: many attempts to Port 137 (NetBIOS-NameService)
    > 
    > My guess would be that these are harmless packets getting sent to you by
    > IIS servers and other NT based web reporting tools. Normally they come
    > in groups of 3. IIS and other tools attempt to collect additional info
    > from you when you access an IIS site. They do this via Netbios.
    > 
    > However I am seeing hundreds of UDP/137 attempts from a single IP
    > address in a very short period of time. I can't figure out why someone
    > would want to do that since I am silently dropping them at the firewall.
    > Must be some new toy the script kiddies have these days.
    > 
    > Hope that helps! If anyone has a clue on the UDP/137 flood let me know.
    > 
    > 
    > > Joerg Walter wrote:
    > > 
    > > Hi folks,
    > > I discovered a strange thing on a Firewall (IPCHAINS-based, RedHat 6.0, Kernel 2.2.12-20). There are lots of connect-attempts to this machine to Port 137 (NetBIOS-NameService). These attempts are blocked but nevertheless I'm wondering, since the source of these packets are addresses throughout Europe and they don't seem to be broadcasts (destination address is exactly that machine).
    > > We have some other Firewalls set up just the same on the same network and they don't get these packets...
    > > 
    > > Is this something to be worried about?
    > 
    > -- 
    > 
    > 
    > Bill Pennington
    > IT Manager
    > Rocketcash
    > billpat_private
    > http://www.rocketcash.com
    > 
    > 
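
Added example, not part of the original thread: one way to separate the two UDP/137 patterns described above (small groups of about three packets versus hundreds from one address in a short time) in an ipchains packet log. The 60-second window, the 100-packet flood threshold, the host name `fw` and all addresses in the sample log are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout of a line written by an ipchains rule with logging (-l) on a 2.2 kernel.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) ")

def parse(line, year=2000):
    """Return (time, src, proto, dport, action), or None for unrelated lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["proto"]), int(m["dport"]), m["action"]

def peak_rate(times, window):
    """Largest number of packets that fall inside any one sliding window."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def classify(lines, window=timedelta(seconds=60), flood_at=100):
    """Map each source of blocked UDP/137 packets to (label, total, peak)."""
    seen = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        ts, src, proto, dport, action = rec
        if proto == 17 and dport == 137 and action in ("DENY", "REJECT"):
            seen[src].append(ts)
    out = {}
    for src, times in seen.items():
        peak = peak_rate(times, window)
        label = ("flood" if peak >= flood_at
                 else "lookup-burst" if len(times) <= 3 else "repeated")
        out[src] = (label, len(times), peak)
    return out

def sample_log():
    """Constructed log: a 3-packet group, a 200-packet burst, and noise."""
    fmt = ("Feb 16 17:{m:02d}:{s:02d} fw kernel: Packet log: input DENY eth0 "
           "PROTO={p} {src}:{sp} 192.0.2.1:{dp} L=78 S=0x00 I=1 F=0x0000 T=112 (#5)")
    lines = [fmt.format(m=29, s=s, p=17, src="198.51.100.7", sp=137, dp=137) for s in (16, 17, 19)]
    lines += [fmt.format(m=30, s=i % 20, p=17, src="203.0.113.9", sp=1025 + i, dp=137) for i in range(200)]
    lines.append(fmt.format(m=31, s=0, p=6, src="198.51.100.7", sp=1030, dp=139))  # TCP, ignored
    lines.append("Feb 16 17:31:05 fw kernel: eth0: link up")  # not a packet log line
    return lines

if __name__ == "__main__":
    for src, result in classify(sample_log()).items():
        print(src, *result)
```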
    


