Hmm, Internode ADSL (Adelaide Aust) 15 hits yesterday, 38 so far today (22:04 GMT+10), 1 from local network yesterday, 5 today.

Brett Procter
Config Systems Pty Ltd

> -----Original Message-----
> From: Mark Forsyth [mailto:forsythmat_private]
> Sent: Monday, 30 September 2002 6:33 PM
> To: incidentsat_private
> Subject: RE: Unusual volume: UDP:137 probes
>
>
> On Monday, September 30, 2002 9:02 AM, John Sage
> [SMTP:jsageat_private] wrote:
> > This has received some mention on the UNISOG list and elsewhere, but
> > not here.
> >
> > Some people have been seeing unusually high volumes of UDP:137 probes
> > since about 09/27/02 late, or early 09/28/02.
>
> A few people (who log such things) on the Optus cable network in Australia
> have been seeing it too.
> In my case since Sep 20 it's gone ...
> Sep 20           2 hits
> Sep 21, 22, 23   0 hits
> Sep 24           3 hits
> Sep 25           0 hits
> Sep 26           4 hits
> Sep 27           2 hits
> Sep 28         156 hits   Starting at 02:20 (Aust. EST)
> Sep 29         410 hits
> Sep 30         406 hits   up until 18:24
>
> >
> > Funny facts: almost no duplication of source IP address, unless the
> > source IP is very close to your own.
>
> Same here.
>
> >
> > Packet contents seem to be "normal".
>
> Yep. Look normal here too.
>
> >
> > ACID summaries for my dialup into AT&T's Seattle WA POP follow.
> >
> > One list is sorted by date-time, the other's sorted by source IP --
> > the list sorted by source IP suggests that I'm being probed several times
> > by IP's in my 12.82.x.x neighborhood, and almost never more than once
> > by IP's from other netblocks.
>
> Almost no duplicates here either. An interesting thing is that there are
> almost no addresses in my logs that are in .au land.
> It'd be interesting if someone on a well connected network would configure
> up a Win95 box as a honeypot and see what happens. For me to do it would
> probably be a waste of time as Optus blocks most NetBIOS ports. They just
> omitted to block 137 UDP for some reason.
>
> Ooroo
> Mark Forsyth
>
> --------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 13:29:07 PDT
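
An added example, not part of the original messages: one way to tally UDP:137 probes from a firewall log, giving hits per day and showing whether repeat sources sit in your own /16, the pattern reported in the thread. The log format, the addresses and the `summarize` helper are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (hypothetical format; private/documentation addresses).
SAMPLE_LOG = """\
2002-09-27 23:41:10 UDP 198.51.100.7:1026 -> 10.82.5.10:137
2002-09-27 23:55:02 UDP 10.82.9.14:1031 -> 10.82.5.10:137
2002-09-28 02:20:45 UDP 203.0.113.50:1027 -> 10.82.5.10:137
2002-09-28 02:21:03 UDP 10.82.9.14:1031 -> 10.82.5.10:137
2002-09-28 02:25:19 UDP 192.0.2.88:1029 -> 10.82.5.10:137
2002-09-28 03:02:57 UDP 10.82.200.3:1025 -> 10.82.5.10:137
2002-09-28 03:40:11 UDP 10.82.9.14:1031 -> 10.82.5.10:137
2002-09-28 04:00:00 TCP 198.51.100.7:4000 -> 10.82.5.10:80
"""

# Matches only inbound UDP packets addressed to port 137 in the assumed format.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \S+ UDP (\d+\.\d+\.\d+\.\d+):\d+ -> \S+:137$"
)

def summarize(log_text, local_ip, prefix_len=16):
    """Count UDP:137 hits per day and split repeat sources into near/far."""
    neighborhood = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    per_day, per_source = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other traffic or a malformed line
        day, src = m.groups()
        try:
            ipaddress.ip_address(src)  # reject octets such as 999
        except ValueError:
            continue
        per_day[day] += 1
        per_source[src] += 1
    repeats = [s for s, n in per_source.items() if n > 1]
    near = sorted(s for s in repeats if ipaddress.ip_address(s) in neighborhood)
    far = sorted(s for s in repeats if ipaddress.ip_address(s) not in neighborhood)
    return {
        "per_day": dict(per_day),
        "unique_sources": len(per_source),
        "repeat_near": near,   # repeat probers inside your own netblock
        "repeat_far": far,     # repeat probers from other netblocks
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "10.82.5.10"))
```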