I think there is some confusion. I suggested the scanner (intruder.rs88.net) was attempting port 137 connections. The network being scanned does not have to have any NetBIOS services running for the scanner to look for them. Jason Lewis http://www.packetnexus.com It's not secure "Because they told me it was secure". The people at the other end of the link know less about security than you do. And that's scary. -----Original Message----- From: Jonathan Bloomquist [mailto:jsbloomat_private] Sent: Sunday, May 27, 2001 4:33 PM To: infoat_private; James Friesen; Simos Xenitellis; Jason Lewis Cc: INCIDENTSat_private Subject: Re: Scanning from a "intruder.rs88.net"? On Monday 28 May 2001 11:15, James Friesen wrote: > This is simply MS services trying to do name searches using WINS > resolution. Disable NetBIOS if you want to eliminate these messages. > > It woule be nice if these packets could turn themselves off past the > router. Huh? My firewall was also scanned by intruder.rs88.net (208.50.149.200) and I was not trying to perform any kind of WINS resolution. NetBIOS has no home on my network, either. The only port open on my firewall is 22. Maybe M[r/s]. intruder is scanning for ssh servers? > >:> -----Original Message----- > >:> From: Simos Xenitellis [mailto:simosat_private] > >:> Sent: Sunday, May 27, 2001 4:39 PM > >:> To: Jason Lewis > >:> Cc: INCIDENTSat_private > >:> Subject: RE: Scanning from a "intruder.rs88.net"? > >:> > >:> On Sun, 27 May 2001, Jason Lewis wrote: > >:> > What is running on the machine these logs came from? Web, DNS, FTP? > >:> > > >:> > Microsoft boxes attempt to connect via NetBIOS or do WINS > >:> > >:> lookups on servers > >:> > >:> > they are trying to use services on. A windows box will try > >:> > >:> to connect on > >:> > >:> > port 137 if it is trying to access your web server. I dump > >:> > >:> all that traffic > >:> > >:> > at my border router. > >:> > >:> It is not a WWW server. > >:> It appears to have ports 22 and 80 firewalled. > >:> > >:> simos
This archive was generated by hypermail 2b30 : Mon May 28 2001 - 20:55:04 PDT