On 18 Feb 00, at 18:34, Chuck O'Donnell boldly uttered:

> On Wed, Feb 16, 2000 at 05:29:16PM -0800, Bill Pennington wrote:
> > My guess would be that these are harmless packets getting sent to you by
> > IIS servers and other NT based web reporting tools. Normally they come
> > in groups of 3. IIS and other tools attempt to collect additional info
> > from you when you access an IIS site. They do this via Netbios.
> >
> > However I am seeing hundreds of UDP/137 attempts from a single IP
> > address in a very short period of time. I can't figure out why someone
> > would want to do that since I am silently dropping them at the firewall.
> > Must be some new toy the script kiddies have these days.
> >
> > Hope that helps! If anyone has a clue on the UDP/137 flood let me know.
>
> I see the random ones all the time from different IPs, which I agree
> are normal. The destination address is usually a web server on our
> network.
>
> But I do occasionally (couple times a week or so) see a flood of
> packets to port 137, and running the length of one of our class C's as
> the destination address. It would seem like a bulk scan for open
> NetBIOS services.
>
> Chuck

There is this stupid entity that sweeps through the whole net looking
for open NetBIOS/SMB hosts, among other things. A colleague noticed a
bunch of scans sweeping over one of his networks back in June, looked
up the IPs, and discovered it's related to MP3 and/or other multimedia
trading and was supposed to be a "service" for people trying to find
where they could get such files. Here's their reply to the complaint.
These turkeys may be your culprit:

> >> Date sent: aaa, xx Jun 1999 xx:45:09 -0700 (PDT)
> >> From: Vince Busam <vinceat_private>
> >> To: deletedat_private
> >> Copies to: abuseat_private
> >> Subject: Re: Apparent attack from your domain
> >>
> >> Hello,
> >>
> >> What you noticed was our crawler connecting to your SMB (Windows)
> >> shares. I have taken steps to ensure it does not attempt to connect
> >> to you again.
> >>
> >> Scour.Net is a multimedia search engine that indexes files from three
> >> protocols -- HTTP, FTP, and SMB. The connection you saw was one of
> >> the SMB crawlers. If you do not have any SMB shares, the crawler will
> >> disconnect. If you do have public shares, it will index multimedia
> >> files located there.
> >>
> >> If you have any further questions, please do not hesitate to contact
> >> me.
> >>
> >> Sincerely,
> >> Vince Busam
> >>
> >> -----------------------------------
> >> Vince Busam
> >> Chief Network Guru, Scour, Inc.
> >> vinceat_private

Nothing like the old "opt out" game:

> Remove Host
>
> If you wish for your computer to no longer be a part of Scour.Net you
> may remove yourself from our search. There is a link at the bottom of
> this paragraph to do this, but first a couple notes. Please only remove
> yourself if you really do not want to be part of Scour. Once you remove
> yourself it usually takes a day or two before your site is completely
> removed from Scour.Net. This is because of the time it takes to rebuild
> and refresh a database. Additionally, our scanners follow the
> Internet-standard robots.txt robot exclusion standard. Simply place a
> robots.txt file in the root directory of a share or web server, and our
> crawlers will follow the instructions therein. You can put yourself back
> into the database without contacting us, so go ahead and knock yourself
> out by clicking on the add/remove links all day!

From the www.scour.net press release page, notice the bigshot:

> LOS ANGELES - June 10, 1999 - Michael Ovitz and Richard Wolpert,
> partner in charge of Internet and technology ventures for The Yucaipa
> Companies, continue to expand their Internet and entertainment
> investment portfolio with the news today that they have acquired a
> controlling interest in Scour.Net, the Web's leading search and digital
> media guide for audio, video and images on the Net. The announcement
> further confirms Michael Ovitz and Richard Wolpert's commitment to the
> Internet and helps expand Scour.Net's rapidly growing broadband
> entertainment offerings.

Phil
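
Added example, not part of the original thread and not code from any of its participants: a sketch that separates the three UDP/137 patterns described above (a few stray lookups aimed at one host, hundreds of packets from one source in a short time, and a sweep running the length of a /24). The log line format, the thresholds and the addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
import ipaddress

# Thresholds are assumptions for illustration, not values from the thread.
WINDOW = 60          # seconds of traffic considered together
SWEEP_HOSTS = 32     # distinct destinations inside one /24 within WINDOW
FLOOD_PACKETS = 100  # packets from one source within WINDOW

def classify(lines):
    """Label each source of UDP/137 traffic as background, flood or sweep.

    Expects constructed firewall lines: '<epoch> <src> <dst> <proto>/<dport>'.
    """
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, svc = line.split()
        if svc == "udp/137":          # NetBIOS name service only
            events[src].append((int(ts), ipaddress.ip_address(dst)))
    verdicts = {}
    for src, evs in events.items():
        evs.sort()
        label, start = "background", 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= WINDOW seconds.
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            per_net = defaultdict(set)
            for _, dst in evs[start:end + 1]:
                per_net[ipaddress.ip_network(f"{dst}/24", strict=False)].add(dst)
            if any(len(hosts) >= SWEEP_HOSTS for hosts in per_net.values()):
                label = "sweep"       # many hosts in one class C: bulk scan
                break
            if end - start + 1 >= FLOOD_PACKETS:
                label = "flood"       # many packets, few destinations
        verdicts[src] = label
    return verdicts

def sample():
    """Constructed log lines using documentation address ranges."""
    lines = [f"{1000 + i} 192.0.2.10 198.51.100.80 udp/137" for i in range(3)]
    lines += [f"{2000 + i // 10} 203.0.113.5 198.51.100.{i} udp/137"
              for i in range(1, 255)]
    lines += [f"{3000 + i // 10} 203.0.113.77 198.51.100.1 udp/137"
              for i in range(300)]
    return lines

if __name__ == "__main__":
    for src, label in sorted(classify(sample()).items()):
        print(src, label)
```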