RE: Unusual volume: UDP:137 probes

From: Brett Procter (Brett.Procterat_private)
Date: Mon Sep 30 2002 - 05:05:28 PDT


Hmm,

Internode ADSL (Adelaide Aust)

15 hits yesterday, 38 so far today (22:04 GMT+10), 1 from local network yesterday, 5 today.

Brett Procter
Config Systems Pty Ltd
    
> -----Original Message-----
> From: Mark Forsyth [mailto:forsythmat_private]
> Sent: Monday, 30 September 2002 6:33 PM
> To: incidentsat_private
> Subject: RE: Unusual volume: UDP:137 probes
>
>
> On Monday, September 30, 2002 9:02 AM, John Sage
> [SMTP:jsageat_private] wrote:
> > This has received some mention on the UNISOG list and elsewhere, but
> > not here.
> >
> > Some people have been seeing unusually high volumes of UDP:137 probes
> > since about 09/27/02 late, or early 09/28/02.
>
> A few people (who log such things) on the Optus cable network in Australia
> have been seeing it too.
> In my case since Sep 20 it's gone ...
> Sep 20  2 hits
> Sep 21, 22, 23 0 hits
> Sep 24 3 hits
> Sep 25 0 hits
> Sep 26 4 hits
> Sep 27 2 hits
> Sep 28 156 hits Starting at 02:20 (Aust. EST)
> Sep 29 410 hits
> Sep 30 406 hits up until 18:24
>
>
> >
> > Funny facts: almost no duplication of source IP address, unless the
> > source IP is very close to your own.
>
> Same here.
>
> >
> > Packet contents seem to be "normal".
>
> Yep. Look normal here too.
>
> >
> > ACID summaries for my dialup into AT&T's Seattle WA POP follow.
> >
> > One list is sorted by date-time, the other's sorted by source IP --
> > the list sorted by source IP suggests that I'm being probed several
> > times by IP's in my 12.82.x.x neighborhood, and almost never more than
> > once by IP's from other netblocks.
>
> Almost no duplicates here either. An interesting thing is that there are
> almost no addresses in my logs that are in .au land.
> It'd be interesting if someone on a well connected network would configure
> up a Win95 box as a honeypot and see what happens. For me to do it would
> probably be a waste of time as Optus blocks most NetBIOS ports. They just
> omitted to block 137 UDP for some reason.
>
> Ooroo
> Mark Forsyth
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
    
    
    
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
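An added illustration, not part of any message in this thread, of the sort-by-date versus sort-by-source comparison John Sage describes: the script counts UDP/137 hits per day over constructed log lines and then separates sources that repeat from inside an assumed local /16 (12.82.0.0/16, standing in for the 12.82.x.x neighbourhood) from repeats elsewhere. The log line format and all addresses are constructed for the example.

```python
from collections import Counter
import ipaddress
import re

# Constructed records: "<date> <time> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2002-09-27 23:51:02 UDP 203.0.113.9:137 -> 12.82.40.5:137
2002-09-28 02:20:11 UDP 198.51.100.23:137 -> 12.82.40.5:137
2002-09-28 02:21:40 UDP 12.82.31.7:137 -> 12.82.40.5:137
2002-09-28 03:05:09 UDP 12.82.31.7:137 -> 12.82.40.5:137
2002-09-28 09:12:55 TCP 198.51.100.77:4455 -> 12.82.40.5:139
2002-09-29 00:14:30 UDP 192.0.2.130:137 -> 12.82.40.5:137
2002-09-29 11:48:03 UDP 12.82.31.7:137 -> 12.82.40.5:137
2002-09-29 17:30:27 UDP 203.0.113.9:1025 -> 12.82.40.5:137
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_udp137(text):
    """Return (date, src_ip) pairs for every UDP packet aimed at port 137."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything not in the expected shape
        if m["proto"] == "UDP" and m["dport"] == "137":
            hits.append((m["date"], m["src"]))
    return hits

def summarise(hits, local_net):
    """Per-day volume plus source-IP duplication split by neighbourhood."""
    net = ipaddress.ip_network(local_net)
    per_day = Counter(date for date, _ in hits)
    per_src = Counter(src for _, src in hits)
    repeats = {src: n for src, n in per_src.items() if n > 1}
    local_repeats = [s for s in repeats if ipaddress.ip_address(s) in net]
    return {
        "per_day": dict(per_day),
        "unique_sources": len(per_src),
        "repeat_sources": repeats,
        "local_repeat_sources": sorted(local_repeats),
        "remote_repeat_sources": sorted(set(repeats) - set(local_repeats)),
    }

if __name__ == "__main__":
    for key, value in summarise(parse_udp137(SAMPLE_LOG), "12.82.0.0/16").items():
        print(f"{key}: {value}")
```

A large per-day count with unique_sources close to the hit count reproduces the pattern reported in the thread; a small set of local repeat sources is what the source-sorted ACID list surfaced.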
    



    This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 13:29:07 PDT