On Sat, 12 Oct 2002, Mike McCandless wrote:

> I have seen an increase in (unsolicited) traffic to port 137 at my
> firewall. My default

You're likely seeing one of the Windows-based worms.

> firewall policy (using iptables) is to deny, so 137 traffic is not
> getting through. I have used Ethereal (a network sniffer) to see the
> content of the UDP packets and the consistent theme is:
>
> In the Flags section - broadcast packet is 1 (I assume this means yes)
> In the Queries section
> - Name is a bunch of 0's and Workstation/Redirector in parens
> - Type is NBSTAT
> - Class is inet
>
> Can someone tell me what the source of these is? I have done a reverse
> DNS lookup on several source IPs and don't see any pattern.

Likely Bugbear, which is gaining significant momentum:

http://www.trusecure.com/knowledge/hypeorhot/2002/bugbear090302.shtml

We say "network shares," not explicitly "port 137" - either that's because
of an update or because we mandate blocking of 137 in our customer base.
There are links on that page to a few vendors who may give greater detail.

I'm not sure if a scan of 36794 would turn up infected hosts, but it's
likely.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private      which may have no basis whatsoever in fact."
probertsonat_private   Director of Risk Assessment
                       TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
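What Mike describes (Queries: name of zeros with "Workstation/Redirector", type NBSTAT, class inet, broadcast flag set) is the NetBIOS node status request sent to the wildcard name "*", which is padded with 0x00 bytes and so shows up in Ethereal as a run of zeros. The decoder below is an added example, not code from the thread or from any of the vendors it links to: it parses a raw NBNS (UDP/137) payload per RFC 1002, decodes the first-level name encoding per RFC 1001, and flags the wildcard NBSTAT probe. The sample packet is constructed inline (transaction ID 0x1234 is arbitrary); function names and the small suffix table are this example's own.

```python
"""Decode NetBIOS Name Service (UDP/137) queries and flag the wildcard
NBSTAT (node status) probe discussed in the thread.

Added example, not from the firewall-wizards post. Header layout follows
RFC 1002 section 4.2.1, name encoding RFC 1001 section 14.1. The sample
packet built by build_wildcard_nbstat_probe() is constructed, not captured.
"""
import struct

QTYPE_NBSTAT = 0x0021      # node status request, shown as "NBSTAT" by Ethereal
QCLASS_IN = 0x0001         # shown as "inet"
FLAG_RESPONSE = 0x8000     # R bit
FLAG_BROADCAST = 0x0010    # B bit inside NM_FLAGS
WILDCARD_NAME = b"*" + b"\x00" * 14   # the "bunch of 0's" in the capture

# 16th-byte suffix labels; 0x00 is what Ethereal prints as Workstation/Redirector.
SUFFIXES = {0x00: "Workstation/Redirector", 0x03: "Messenger Service",
            0x1D: "Local Master Browser", 0x20: "File Server Service"}


def encode_name(name: bytes, suffix: int) -> bytes:
    """First-level encoding: 15-byte name + suffix byte, each nibble mapped to
    one letter 'A'..'P', wrapped as one label (length 0x20, 0x00 terminator)."""
    raw = name[:15].ljust(15, b"\x00") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append(0x41 + (b >> 4))
        enc.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(enc) + b"\x00"


def decode_name(label: bytes) -> tuple[bytes, int]:
    """Reverse of encode_name: returns (15-byte name, suffix)."""
    if len(label) != 32 or any(c < 0x41 or c > 0x50 for c in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15], raw[15]


def display_name(name: bytes, suffix: int) -> str:
    """Render a name the way a sniffer does: printable bytes as-is, others as <hh>."""
    shown = "".join(chr(b) if 0x20 <= b < 0x7F else f"<{b:02x}>" for b in name)
    return f"{shown}<{suffix:02x}> ({SUFFIXES.get(suffix, 'unknown')})"


def parse_nbns(pkt: bytes) -> dict:
    """Parse the 12-byte NBNS header and the question section (no scope IDs)."""
    if len(pkt) < 12:
        raise ValueError("short NBNS header")
    tid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off = 12
    questions = []
    for _ in range(qdcount):
        if pkt[off] != 0x20:
            raise ValueError("unexpected NetBIOS label length")
        name, suffix = decode_name(pkt[off + 1:off + 33])
        off += 33
        if pkt[off] != 0x00:
            raise ValueError("scoped names not handled by this example")
        off += 1
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append({"name": name, "suffix": suffix,
                          "qtype": qtype, "qclass": qclass})
    return {"tid": tid, "flags": flags,
            "response": bool(flags & FLAG_RESPONSE),
            "opcode": (flags >> 11) & 0x0F,
            "broadcast": bool(flags & FLAG_BROADCAST),
            "questions": questions}


def is_wildcard_nbstat_probe(pkt: bytes) -> bool:
    """True for a node-status query against '*' with suffix 0x00, class IN."""
    p = parse_nbns(pkt)
    if p["response"] or p["opcode"] != 0 or len(p["questions"]) != 1:
        return False
    q = p["questions"][0]
    return (q["qtype"] == QTYPE_NBSTAT and q["qclass"] == QCLASS_IN
            and q["name"] == WILDCARD_NAME and q["suffix"] == 0x00)


def build_wildcard_nbstat_probe(tid: int = 0x1234, broadcast: bool = True) -> bytes:
    """Constructed sample: one NBSTAT question for '*', optionally with B set."""
    flags = FLAG_BROADCAST if broadcast else 0
    header = struct.pack("!6H", tid, flags, 1, 0, 0, 0)
    return header + encode_name(b"*", 0x00) + struct.pack("!HH", QTYPE_NBSTAT, QCLASS_IN)


if __name__ == "__main__":
    pkt = build_wildcard_nbstat_probe()
    parsed = parse_nbns(pkt)
    q = parsed["questions"][0]
    print("broadcast:", parsed["broadcast"], "name:", display_name(q["name"], q["suffix"]))
    print("wildcard NBSTAT probe:", is_wildcard_nbstat_probe(pkt))
```

Feed parse_nbns() the UDP payloads of the dropped port-137 packets (after stripping IP/UDP headers) and the classifier picks out exactly the pattern in the post. Note that this probe is the same packet nbtstat -A and any number of scanners emit, so the packet alone does not name the worm; the signal in the post is the volume and the spread of unrelated source addresses.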
This archive was generated by hypermail 2b30 : Sun Oct 13 2002 - 04:56:50 PDT