RE: Scanning from a "intruder.rs88.net"?

From: James Friesen (lucretiaat_private)
Date: Mon May 28 2001 - 08:15:36 PDT

Next message: Brian Mitchell: "Re: Timing of DoS and Intrusion attempts."

Previous message: Patrick Andry: "Timing of DoS and Intrusion attempts."
In reply to: Simos Xenitellis: "RE: Scanning from a "intruder.rs88.net"?"
Reply: Jonathan Bloomquist: "Re: Scanning from a "intruder.rs88.net"?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This is simply MS services trying to do name searches using WINS resolution.
Disable NetBIOS if you want to eliminate these messages.

It woule be nice if these packets could turn themselves off past the router.


>:> -----Original Message-----
>:> From: Simos Xenitellis [mailto:simosat_private]
>:> Sent: Sunday, May 27, 2001 4:39 PM
>:> To: Jason Lewis
>:> Cc: INCIDENTSat_private
>:> Subject: RE: Scanning from a "intruder.rs88.net"?
>:>
>:>
>:> On Sun, 27 May 2001, Jason Lewis wrote:
>:>
>:> > What is running on the machine these logs came from?  Web, DNS, FTP?
>:> >
>:> > Microsoft boxes attempt to connect via NetBIOS or do WINS
>:> lookups on servers
>:> > they are trying to use services on.  A windows box will try
>:> to connect on
>:> > port 137 if it is trying to access your web server.  I dump
>:> all that traffic
>:> > at my border router.
>:>
>:> It is not a WWW server.
>:> It appears to have ports 22 and 80 firewalled.
>:>
>:> simos
>:>

Next message: Brian Mitchell: "Re: Timing of DoS and Intrusion attempts."
Previous message: Patrick Andry: "Timing of DoS and Intrusion attempts."
In reply to: Simos Xenitellis: "RE: Scanning from a "intruder.rs88.net"?"
Reply: Jonathan Bloomquist: "Re: Scanning from a "intruder.rs88.net"?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon May 28 2001 - 12:37:30 PDT