RE: Scanning from a "intruder.rs88.net"?

From: Jason Lewis (jlewisat_private)
Date: Mon May 28 2001 - 13:48:55 PDT


    I think there is some confusion.  I suggested the scanner
    (intruder.rs88.net) was attempting port 137 connections.
    
    The network being scanned does not have to have any NetBIOS services running
    for the scanner to look for them.
    
    Jason Lewis
    http://www.packetnexus.com
    It's not secure "Because they told me it was secure". The people at the
    other end of the link know less about security than you do. And that's
    scary.
    
    
    
    -----Original Message-----
    From: Jonathan Bloomquist [mailto:jsbloomat_private]
    Sent: Sunday, May 27, 2001 4:33 PM
    To: infoat_private; James Friesen; Simos Xenitellis; Jason Lewis
    Cc: INCIDENTSat_private
    Subject: Re: Scanning from a "intruder.rs88.net"?
    
    
    On Monday 28 May 2001 11:15, James Friesen wrote:
    > This is simply MS services trying to do name searches using WINS
    > resolution. Disable NetBIOS if you want to eliminate these messages.
    >
    > It would be nice if these packets could turn themselves off past the
    > router.
    
    Huh?  My firewall was also scanned by intruder.rs88.net (208.50.149.200) and
    I was not trying to perform any kind of WINS resolution.  NetBIOS has no home
    on my network, either.  The only port open on my firewall is 22.  Maybe
    M[r/s]. intruder is scanning for ssh servers?
    
    > >:> -----Original Message-----
    > >:> From: Simos Xenitellis [mailto:simosat_private]
    > >:> Sent: Sunday, May 27, 2001 4:39 PM
    > >:> To: Jason Lewis
    > >:> Cc: INCIDENTSat_private
    > >:> Subject: RE: Scanning from a "intruder.rs88.net"?
    > >:>
    > >:> On Sun, 27 May 2001, Jason Lewis wrote:
    > >:> > What is running on the machine these logs came from?  Web, DNS, FTP?
    > >:> >
    > >:> > Microsoft boxes attempt to connect via NetBIOS or do WINS lookups on servers
    > >:> > they are trying to use services on.  A Windows box will try to connect on
    > >:> > port 137 if it is trying to access your web server.  I dump all that traffic
    > >:> > at my border router.
    > >:>
    > >:> It is not a WWW server.
    > >:> It appears to have ports 22 and 80 firewalled.
    > >:>
    > >:> simos
    