RE: Scanning from a "intruder.rs88.net"?

From: Jason Lewis (jlewisat_private)
Date: Sat May 26 2001 - 23:54:16 PDT


    What is running on the machine these logs came from?  Web, DNS, FTP?
    
    Microsoft boxes attempt to connect via NetBIOS or do WINS lookups on servers
    they are trying to use services on.  A Windows box will try to connect on
    port 137 if it is trying to access your web server.  I dump all that traffic
    at my border router.
    
    That name is a poor choice for any box in any case.
    
    Jason Lewis
    http://www.packetnexus.com
    http://www.packetnexus.com/kb/greyarts/
    It's not secure "Because they told me it was secure". The people at the
    other end of the link know less about security than you do. And that's
    scary.
    
    
    
    -----Original Message-----
    From: Simos Xenitellis [mailto:simosat_private]
    Sent: Saturday, May 26, 2001 6:47 PM
    To: INCIDENTSat_private
    Subject: Scanning from a "intruder.rs88.net"?
    
    
    
    Dear All,
    Checking my log files, I noticed that the IP
    208.50.149.200 (intruder.rs88.net) came up several times.
    To be precise:
    (time is in GMT+0000)
    
    May 20 11:51:26 myhost kernel: IN=eth0 OUT=
    MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
    DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=3981 PROTO=UDP SPT=137
    DPT=137 LEN=58
    May 20 11:51:28 myhost kernel: IN=eth0 OUT=
    MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
    DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=10381 PROTO=UDP SPT=137
    DPT=137 LEN=58
    May 21 12:39:24 myhost kernel: IN=eth0 OUT=
    MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
    DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=38375 PROTO=UDP SPT=137
    DPT=137 LEN=58
    May 21 12:39:26 myhost kernel: IN=eth0 OUT=
    MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
    DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=45287 PROTO=UDP SPT=137
    DPT=137 LEN=58
    May 22 13:40:34 myhost kernel: IN=eth0 OUT=
    MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
    DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=11946 PROTO=UDP SPT=137
    DPT=137 LEN=58
    May 25 19:29:13 myhost kernel: IN=eth0 OUT=
    MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
    DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=30730 PROTO=UDP SPT=137
    DPT=137 LEN=58
    May 15 04:54:06 myhost kernel: IN=eth0 OUT=
    MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
    DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=15511 PROTO=UDP SPT=137
    DPT=137 LEN=58
    May 15 04:54:09 myhost kernel: IN=eth0 OUT=
    MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
    DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=38039 PROTO=UDP SPT=137
    DPT=137 LEN=58
    May 16 06:32:21 myhost kernel: IN=eth0 OUT=
    MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
    DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=65464 PROTO=UDP SPT=137
    DPT=137 LEN=58
    May 16 06:32:24 myhost kernel: IN=eth0 OUT=
    MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
    DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=16057 PROTO=UDP SPT=137
    DPT=137 LEN=58
    May 19 10:22:44 myhost kernel: IN=eth0 OUT=
    MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
    DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=56924 PROTO=UDP SPT=137
    DPT=137 LEN=58
    
    I would not be worried about it if www.rs88.net did not have the text of
    "permission-based marketing on the Internet, sending personalized messages
    from companies to their customers".
    
    I sent them an e-mail to their "abuse" e-mail account but did not receive
    an explanation (over a week ago).
    
    simos
    
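Jason's explanation above (a Windows host sends NetBIOS Name Service queries, UDP 137 to 137, at servers it is about to use) and Simos's netfilter LOG lines can be checked against each other mechanically. The Python below is an added example for this archive page, not code from either poster: it parses netfilter LOG lines (taking care of the two LEN= fields, IP total length and UDP length), flags datagrams whose size matches exactly one NBNS query (50 bytes of payload, so UDP LEN=58 and IP LEN=78), groups them into bursts so a query plus its retry shows up as one event, and estimates hop distance from the TTL. The sample input reuses six of the posted lines, unwrapped to one entry per line, plus one constructed TCP line from 192.0.2.10; the year 2001 and the table of initial TTLs are assumptions, and the TTL reading is a heuristic, not an identification.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample: six of the netfilter LOG lines quoted in the post,
# unwrapped, plus one made-up TCP SYN to port 80 from 192.0.2.10 so the
# classifier has something that is not NetBIOS to reject.
SAMPLE_LOG = """\
May 15 04:54:06 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=15511 PROTO=UDP SPT=137 DPT=137 LEN=58
May 15 04:54:09 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=38039 PROTO=UDP SPT=137 DPT=137 LEN=58
May 16 06:32:21 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=65464 PROTO=UDP SPT=137 DPT=137 LEN=58
May 16 06:32:24 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=16057 PROTO=UDP SPT=137 DPT=137 LEN=58
May 20 11:51:26 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=3981 PROTO=UDP SPT=137 DPT=137 LEN=58
May 20 11:51:28 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=10381 PROTO=UDP SPT=137 DPT=137 LEN=58
May 20 12:00:00 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=192.0.2.10 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=40123 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+(.*)$")

NBNS_PORT = "137"
# One NetBIOS Name Service query (12-byte header + 34-byte encoded name +
# 4 bytes type/class) is 50 bytes of UDP payload: UDP LEN=58, and IP LEN=78
# with a plain 20-byte IP header, which is what every posted line shows.
NBNS_QUERY_UDP_LEN = 58


@dataclass
class Entry:
    when: datetime
    ip: dict = field(default_factory=dict)   # tokens up to and including PROTO=
    l4: dict = field(default_factory=dict)   # tokens after PROTO= (SPT, DPT, UDP LEN, TCP flags)


def parse_line(line, year=2001):
    """Parse one netfilter LOG line; returns None for lines in another format."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; 2001 is assumed from the post's date
    when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    entry = Entry(when)
    target = entry.ip
    for tok in m.group(2).split():
        key, _, value = tok.partition("=")
        target[key] = value if "=" in tok else True   # bare tokens are flags (DF, SYN, ...)
        if key == "PROTO":
            target = entry.l4   # the second LEN= belongs to the transport header
    return entry


def classify(entry):
    """'nbns-query' for a query-sized 137->137 UDP datagram, 'nbns-other' for
    any other 137/udp traffic, 'other' for everything else."""
    if entry.ip.get("PROTO") != "UDP":
        return "other"
    spt, dpt = entry.l4.get("SPT"), entry.l4.get("DPT")
    if NBNS_PORT not in (spt, dpt):
        return "other"
    if spt == dpt == NBNS_PORT and int(entry.l4.get("LEN", 0)) == NBNS_QUERY_UDP_LEN:
        return "nbns-query"
    return "nbns-other"


def hops_estimate(ttl):
    """Heuristic (an assumption, not an identification): take the nearest common
    initial TTL above the observed value; 109/110 against 128 reads as a
    Windows-family stack roughly 18-19 hops away."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    return None, None


def group_bursts(times, gap_seconds=5):
    """Consecutive timestamps within gap_seconds form one burst, so a query
    plus its retransmission two or three seconds later counts as one event."""
    bursts = []
    for t in sorted(times):
        if bursts and (t - bursts[-1][-1]).total_seconds() <= gap_seconds:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts


def summarize(log_text):
    """Per-source tally: entries, query-sized NBNS datagrams, observed TTLs,
    and the burst structure of the NetBIOS traffic."""
    per_src = defaultdict(lambda: {"total": 0, "nbns_query": 0, "ttls": set(), "nbns_times": []})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        rec = per_src[entry.ip["SRC"]]
        rec["total"] += 1
        rec["ttls"].add(int(entry.ip["TTL"]))
        kind = classify(entry)
        if kind == "nbns-query":
            rec["nbns_query"] += 1
        if kind != "other":
            rec["nbns_times"].append(entry.when)
    for rec in per_src.values():
        rec["bursts"] = group_bursts(rec.pop("nbns_times"))
    return dict(per_src)


if __name__ == "__main__":
    for src, rec in summarize(SAMPLE_LOG).items():
        initial, hops = hops_estimate(min(rec["ttls"]))
        print(f"{src}: {rec['total']} entries, {rec['nbns_query']} NBNS query-sized, "
              f"{len(rec['bursts'])} bursts, TTL {sorted(rec['ttls'])} "
              f"(~{hops} hops if initial TTL {initial})")
```

Run against the sample, the posted source comes out as three bursts of two query-sized datagrams each, a day or more apart, which is what a name lookup with one retry looks like rather than a sweep; a real scanner would show many destinations or many ports from the same source, which this per-source tally would also make visible. Feed it the full `kernel:` log rather than the excerpt to see whether 208.50.149.200 ever sent anything other than 137/udp.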



    This archive was generated by hypermail 2b30 : Sun May 27 2001 - 09:05:00 PDT