On Monday, September 30, 2002 9:02 AM, John Sage [SMTP:jsageat_private] wrote:

> This has received some mention on the UNISOG list and elsewhere, but
> not here.
>
> Some people have been seeing unusually high volumes of UDP:137 probes
> since about 09/27/02 late, or early 09/28/02.

A few people (who log such things) on the Optus cable network in Australia have been seeing it too. In my case since Sep 20 it's gone ...

Sep 20            2 hits
Sep 21, 22, 23    0 hits
Sep 24            3 hits
Sep 25            0 hits
Sep 26            4 hits
Sep 27            2 hits
Sep 28          156 hits   Starting at 02:20 (Aust. EST)
Sep 29          410 hits
Sep 30          406 hits   up until 18:24

> Funny facts: almost no duplication of source IP address, unless the
> source IP is very close to your own.

Same here.

> Packet contents seem to be "normal".

Yep. Look normal here too.

> ACID summaries for my dialup into AT&T's Seattle WA POP follow.
>
> One list is sorted by date-time, the other's sorted by source IP --
> the list sorted by source IP suggests that I'm being probed several times
> by IP's in my 12.82.x.x neighborhood, and almost never more than once
> by IP's from other netblocks.

Almost no duplicates here either. An interesting thing is that there are almost no addresses in my logs that are in .au land.

It'd be interesting if someone on a well-connected network would configure up a Win95 box as a honeypot and see what happens. For me to do it would probably be a waste of time as Optus blocks most NetBIOS ports. They just omitted to block 137 UDP for some reason.

Ooroo
Mark Forsyth

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
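The per-day tally and the "is the source in my own neighborhood" check that the thread discusses, as an added Python example that is not part of the original post or the ACID tool; the log line format and all addresses are constructed, and treating the local /16 as the "neighborhood" is an assumption standing in for the 12.82.x.x netblock mentioned above.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample log lines (not from the original post): "date time proto src dst:port".
SAMPLE_LOG = """\
2002-09-27 23:50:01 UDP 203.0.113.9 198.51.100.7:137
2002-09-28 02:20:14 UDP 198.51.100.22 198.51.100.7:137
2002-09-28 02:21:03 UDP 198.51.100.22 198.51.100.7:137
2002-09-28 03:10:44 UDP 192.0.2.15 198.51.100.7:137
2002-09-28 05:42:09 UDP 203.0.113.77 198.51.100.7:137
2002-09-28 06:01:30 TCP 192.0.2.40 198.51.100.7:139
2002-09-29 01:15:02 UDP 203.0.113.5 198.51.100.7:137
2002-09-29 09:33:12 UDP 198.51.100.90 198.51.100.7:137
2002-09-29 09:33:50 UDP 198.51.100.90 198.51.100.7:137
"""

LOCAL_ADDR = "198.51.100.7"  # assumed local address; the /16 "neighborhood" is relative to it


def parse_probes(text, port=137, proto="UDP"):
    """Yield (day, src_ip) for every line that is a probe to the given proto/port."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        day, _time, line_proto, src, dst = parts
        if line_proto != proto or not dst.endswith(f":{port}"):
            continue
        yield day, src


def summarise(text, local_addr=LOCAL_ADDR):
    """Per-day hit count, unique-source count, and hits from the local /16."""
    neighborhood = ipaddress.ip_network(f"{local_addr}/16", strict=False)
    hits = Counter()
    sources = defaultdict(set)
    nearby = Counter()
    for day, src in parse_probes(text):
        hits[day] += 1
        sources[day].add(src)
        if ipaddress.ip_address(src) in neighborhood:
            nearby[day] += 1
    return {
        day: {"hits": hits[day], "unique_src": len(sources[day]), "nearby": nearby[day]}
        for day in sorted(hits)
    }


if __name__ == "__main__":
    for day, s in summarise(SAMPLE_LOG).items():
        print(f"{day}: {s['hits']} hits, {s['unique_src']} unique sources, {s['nearby']} from local /16")
```

A low unique-source ratio concentrated in the local /16, with the rest of the hits coming from single-shot sources, is the pattern both posters describe.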
This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 04:39:52 PDT