Spoofed SMB name wildcard probes

From: Yotam Rubin (yotamat_private)
Date: Fri May 04 2001 - 01:17:54 PDT


Gentle people,

Our servers consistently encounter SMB name wildcard probes. I observed the first unusual (spoofed) probe at May  1 08:21:19. This probe was instantly followed by a valid SMB name wildcard. Are these obvious decoys becoming trendy or is it just me?

As always, relevant packet dumps can be found at:
http://192.117.130.34/Fendor/security/spoofed-SMB-packets.gz and
http://192.117.130.34/Fendor/security/spoofed-SMB-packets2.gz
The snort alerts can be found at:
http://192.117.130.34/Fendor/security/SMB-snort-alerts

The spoofed packets usually arrive immediately after some host performs a standard probe. Which tool is generating this traffic?
BTW, I am indeed NAT'ed, but 192.168.0.1 does not exist on our network.

Regards, Yotam Rubin

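The pattern Yotam describes (a wildcard probe from an impossible private source landing right behind a legitimate one) is easy to pick out of a UDP/137 capture once the question section is decoded. The following is an added example, not code or data from the post or the archive. It assumes the probes are NBNS node-status (NBSTAT) queries for the wildcard name "*", which is what a Snort "SMB name wildcard" alert fires on, and it builds its own sample packets; the "probe then decoy" timing and the 10.20.0.0/16 local range are constructed stand-ins, not values from the packet dumps.

```python
"""Constructed NBNS (UDP/137) wildcard-probe classifier: a toy built around the
pattern in the post (a spoofed-source probe arriving right behind a legitimate
one), not the poster's captures."""
import ipaddress
import struct
from typing import Optional

NBNS_PORT = 137
NBSTAT = 0x0021                      # node-status query type used by "name wildcard" probes
WILDCARD_RAW = b"*" + b"\x00" * 15   # the 16-byte wildcard name (RFC 1001)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def encode_netbios_name(raw16: bytes) -> str:
    """First-level encoding (RFC 1001 s14.1): each byte becomes 'A'+high nibble, 'A'+low nibble."""
    assert len(raw16) == 16
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw16)


def decode_netbios_name(encoded: str) -> bytes:
    """Inverse of encode_netbios_name; rejects anything that is not 32 letters A..P."""
    if len(encoded) != 32 or any(c < "A" or c > "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    it = iter(encoded)
    return bytes(((ord(h) - 0x41) << 4) | (ord(l) - 0x41) for h, l in zip(it, it))


def build_nbstat_query(txid: int, raw16: bytes = WILDCARD_RAW) -> bytes:
    """Constructed NBNS node-status query: 12-byte header, one question, no answers."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # flags 0: plain query
    qname = bytes([32]) + encode_netbios_name(raw16).encode("ascii") + b"\x00"
    return header + qname + struct.pack(">HH", NBSTAT, 0x0001)


def parse_nbns_question(payload: bytes) -> Optional[dict]:
    """Return the first question (txid, decoded 16-byte name, qtype), or None if this is not a query."""
    if len(payload) < 12 + 1 + 32 + 1 + 4:
        return None
    txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1 or payload[12] != 32:   # response bit set, or not one 32-char label
        return None
    try:
        name = decode_netbios_name(payload[13:45].decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None
    if payload[45] != 0:
        return None
    qtype = struct.unpack(">H", payload[46:48])[0]
    return {"txid": txid, "name": name, "qtype": qtype}


def is_wildcard_probe(payload: bytes) -> bool:
    q = parse_nbns_question(payload)
    return q is not None and q["qtype"] == NBSTAT and q["name"] == WILDCARD_RAW


def is_spoofed_source(src: str, local_nets) -> bool:
    """A private-range source that is not one of our own networks cannot have reached us across the Internet."""
    ip = ipaddress.ip_address(src)
    return any(ip in n for n in RFC1918) and not any(ip in n for n in local_nets)


def classify_probes(packets, local_nets, window=2.0):
    """packets: (time_s, src, dst, dport, payload). Returns [(time, src, dst, verdict)] per wildcard probe."""
    findings = []
    last_legit = {}   # dst -> time of the last wildcard probe from a plausible source
    for t, src, dst, dport, payload in sorted(packets):
        if dport != NBNS_PORT or not is_wildcard_probe(payload):
            continue
        if is_spoofed_source(src, local_nets):
            verdict = "decoy-after-probe" if dst in last_legit and t - last_legit[dst] <= window else "spoofed"
        else:
            verdict = "probe"
            last_legit[dst] = t
        findings.append((t, src, dst, verdict))
    return findings


# Constructed sample: a legitimate probe, a 192.168.0.1 decoy 0.4 s later, a lone probe a minute on,
# and a non-wildcard NBSTAT query that must be ignored.
LOCAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumed: the site's own private range
SAMPLE = [
    (0.0, "203.0.113.5", "198.51.100.10", NBNS_PORT, build_nbstat_query(0x1234)),
    (0.4, "192.168.0.1", "198.51.100.10", NBNS_PORT, build_nbstat_query(0x8002)),
    (60.0, "203.0.113.77", "198.51.100.10", NBNS_PORT, build_nbstat_query(0x0A0A)),
    (61.0, "203.0.113.77", "198.51.100.10", NBNS_PORT, build_nbstat_query(0x0A0B, b"FILESERVER     \x20")),
]

if __name__ == "__main__":
    for t, src, dst, verdict in classify_probes(SAMPLE, LOCAL_NETS):
        print(f"{t:6.1f}s {src:>15} -> {dst:<15} {verdict}")
```

The encoded wildcard is the 32-letter string `CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA`, which is why a content match on it is sufficient for the alert; the classifier goes one step further and separates a plain probe from a probe whose source cannot be real, and tags the latter as a decoy only when it trails a plausible probe to the same host within the window.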



    This archive was generated by hypermail 2b30 : Fri May 04 2001 - 07:15:50 PDT