What is running on the machine these logs came from? Web, DNS, FTP? Microsoft boxes attempt to connect via NetBIOS or do WINS lookups on servers they are trying to use services on. A Windows box will try to connect on port 137 if it is trying to access your web server. I dump all that traffic at my border router. That name is a poor choice for any box in any case.

Jason Lewis
http://www.packetnexus.com
http://www.packetnexus.com/kb/greyarts/

It's not secure "Because they told me it was secure". The people at the other end of the link know less about security than you do. And that's scary.

-----Original Message-----
From: Simos Xenitellis [mailto:simosat_private]
Sent: Saturday, May 26, 2001 6:47 PM
To: INCIDENTSat_private
Subject: Scanning from a "intruder.rs88.net"?

Dear All,

Checking my logfiles, I noticed that the IP 208.50.149.200 (intruder.rs88.net) came up several times. To be precise: (time is in GMT+0000)

May 20 11:51:26 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=3981 PROTO=UDP SPT=137 DPT=137 LEN=58
May 20 11:51:28 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=10381 PROTO=UDP SPT=137 DPT=137 LEN=58
May 21 12:39:24 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=38375 PROTO=UDP SPT=137 DPT=137 LEN=58
May 21 12:39:26 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=45287 PROTO=UDP SPT=137 DPT=137 LEN=58
May 22 13:40:34 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=11946 PROTO=UDP SPT=137 DPT=137 LEN=58
May 25 19:29:13 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=30730 PROTO=UDP SPT=137 DPT=137 LEN=58
May 15 04:54:06 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=15511 PROTO=UDP SPT=137 DPT=137 LEN=58
May 15 04:54:09 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=38039 PROTO=UDP SPT=137 DPT=137 LEN=58
May 16 06:32:21 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=65464 PROTO=UDP SPT=137 DPT=137 LEN=58
May 16 06:32:24 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=16057 PROTO=UDP SPT=137 DPT=137 LEN=58
May 19 10:22:44 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=56924 PROTO=UDP SPT=137 DPT=137 LEN=58

I would not be worried about it if www.rs88.net did not have the text of "permission-based marketing on the Internet, sending personalized messages from companies to their customers". I sent them an e-mail to their "abuse" e-mail account but did not receive an explanation (over a week ago).

simos
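The thread turns on reading the netfilter LOG lines above: repeated UDP hits on port 137 (NetBIOS Name Service), sent from port 137, are what a Windows client does when it looks up a host before using a service on it, which is why the reply asks what the box is serving. The following Python script is an added example, not code from either poster; it parses syslog lines in the iptables LOG format shown in the post, groups inbound UDP/137 hits by source address and reports count, first/last sighting, distinct days, and how many came from source port 137 (the Windows name-lookup pattern). The sample lines, the year (syslog timestamps carry none), and the documentation-range addresses are constructed for the example.

```python
import re
from datetime import datetime

NBNS_PORT = 137  # NetBIOS Name Service, UDP

# Constructed sample lines in the iptables/netfilter LOG format seen in the thread.
# Addresses are from documentation ranges; MAC and destination are masked as in the post.
# The last two lines are a TCP/80 hit and an unrelated sshd line, to show what is ignored.
SAMPLE_LOG = """\
May 20 11:51:26 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=203.0.113.5 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=3981 PROTO=UDP SPT=137 DPT=137 LEN=58
May 20 11:51:28 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=203.0.113.5 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=10381 PROTO=UDP SPT=137 DPT=137 LEN=58
May 21 12:39:24 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=203.0.113.5 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=38375 PROTO=UDP SPT=137 DPT=137 LEN=58
May 22 13:40:34 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=203.0.113.5 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=11946 PROTO=UDP SPT=137 DPT=137 LEN=58
May 22 13:40:40 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=198.51.100.7 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=777 PROTO=TCP SPT=40123 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 22 13:40:41 myhost sshd[1234]: Accepted publickey for admin from 192.0.2.9 port 50000 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host kernel: <key=value ...>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<body>.*)$"
)
# key=value tokens; values may be empty (OUT=) or contain colons (MAC=)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_line(line, year=2001):
    """Return the fields of one netfilter LOG line as a dict, or None for any other syslog line.

    `year` is an assumption: syslog timestamps carry no year, so the caller supplies it.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, value in KV_RE.findall(m.group("body")):
        # LEN= appears twice (IP total length, then UDP length); keep the first
        fields.setdefault(key, value)
    if "SRC" not in fields or "PROTO" not in fields:
        return None  # a kernel line that is not a netfilter LOG entry
    fields["timestamp"] = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    fields["host"] = m.group("host")
    return fields


def summarize_nbns_probes(log_text, year=2001):
    """Group inbound UDP/137 hits by source address.

    For each source: total count, first and last sighting, the set of distinct days,
    and how many hits also came *from* port 137 (the pattern of a Windows host doing a
    NetBIOS name lookup, as opposed to a scanner using an ephemeral source port).
    """
    summary = {}
    for line in log_text.splitlines():
        f = parse_netfilter_line(line, year)
        if f is None or f["PROTO"] != "UDP" or f.get("DPT") != str(NBNS_PORT):
            continue
        entry = summary.setdefault(
            f["SRC"],
            {"count": 0, "first": f["timestamp"], "last": f["timestamp"],
             "days": set(), "from_nbns_port": 0},
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], f["timestamp"])
        entry["last"] = max(entry["last"], f["timestamp"])
        entry["days"].add(f["timestamp"].date())
        if f.get("SPT") == str(NBNS_PORT):
            entry["from_nbns_port"] += 1
    return summary


if __name__ == "__main__":
    for src, e in summarize_nbns_probes(SAMPLE_LOG).items():
        print(f"{src}: {e['count']} UDP/137 hits on {len(e['days'])} days, "
              f"{e['first']:%b %d %H:%M} .. {e['last']:%b %d %H:%M}, "
              f"{e['from_nbns_port']} from source port 137")
```

Run it against a real `/var/log/messages` by replacing `SAMPLE_LOG` with the file contents. A source whose hits all come from port 137, arrive in pairs a couple of seconds apart, and recur on the days your web or mail server was used is consistent with the ordinary Windows name-lookup behaviour the reply describes; the same grouping makes a genuine sweep stand out as many destination addresses or ephemeral source ports from one origin. Either way the recommended handling in the thread is the same: filter UDP/137 at the border so it never reaches the log.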
This archive was generated by hypermail 2b30 : Sun May 27 2001 - 09:05:00 PDT