FYI: Over the weekend we noticed a significant increase in scanning for port 137 (UDP). These scans are distributed across the network and each packet looks the same. I have posted a packet capture and some scan data below.

Here are the numbers I am seeing for port 137 scans:

24 Sep -> 0
25 Sep -> 0
26 Sep -> 0
27 Sep -> 137
28 Sep -> 1744
29 Sep -> 3152
30 Sep -> 4029 w/six hours left (GMT)

Most of the src IPs belong to ISPs (cable/dsl/dialup providers) all over the world. This example is from an .edu (basically one big ISP ;) ). Any insight into whether the activity is malicious (recently released exploit/scanner/worm/etc) or broken code from our favorite monopoly is appreciated.

The packet appears to be a standard nbname query except the broadcast bit is set and the src port != 137.

Bammkkkk

0x0000: 00 A0 8E 40 62 5A 00 30 A3 10 C8 01 08 00 45 00  ...@bZ.0......E.
0x0010: 00 4E 95 BD 00 00 74 11 99 07 80 F8 3B 6F A2 12  .N....t.....;o..
0x0020: B9 60 04 02 00 89 00 3A A3 CB 01 00 00 10 00 01  .`.....:........
0x0030: 00 00 00 00 00 00 20 43 4B 41 41 41 41 41 41 41  ...... CKAAAAAAA
0x0040: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0x0050: 41 41 41 41 41 41 41 00 00 21 00 01              AAAAAAA..!..
2002-09-30 18:24:01+00 | 128.248.59.111 | 1026 | 162.18.185.255 | 137 | 17 | UDP
2002-09-30 18:24:01+00 | 128.248.59.111 | 1026 | 162.18.185.253 | 137 | 17 | UDP
2002-09-30 18:23:59+00 | 128.248.59.111 | 1026 | 162.18.185.245 | 137 | 17 | UDP
2002-09-30 18:23:59+00 | 128.248.59.111 | 1026 | 162.18.185.243 | 137 | 17 | UDP
2002-09-30 18:23:59+00 | 128.248.59.111 | 1026 | 162.18.185.240 | 137 | 17 | UDP
2002-09-30 18:23:58+00 | 128.248.59.111 | 1026 | 162.18.185.237 | 137 | 17 | UDP
2002-09-30 18:23:58+00 | 128.248.59.111 | 1026 | 162.18.185.236 | 137 | 17 | UDP
2002-09-30 18:23:58+00 | 128.248.59.111 | 1026 | 162.18.185.234 | 137 | 17 | UDP
2002-09-30 18:23:57+00 | 128.248.59.111 | 1026 | 162.18.185.232 | 137 | 17 | UDP
2002-09-30 18:23:57+00 | 128.248.59.111 | 1026 | 162.18.185.227 | 137 | 17 | UDP
2002-09-30 18:23:56+00 | 128.248.59.111 | 1026 | 162.18.185.225 | 137 | 17 | UDP
2002-09-30 18:23:56+00 | 128.248.59.111 | 1026 | 162.18.185.223 | 137 | 17 | UDP
2002-09-30 18:23:56+00 | 128.248.59.111 | 1026 | 162.18.185.221 | 137 | 17 | UDP
2002-09-30 18:23:56+00 | 128.248.59.111 | 1026 | 162.18.185.220 | 137 | 17 | UDP
2002-09-30 18:23:55+00 | 128.248.59.111 | 1026 | 162.18.185.218 | 137 | 17 | UDP
2002-09-30 18:23:55+00 | 128.248.59.111 | 1026 | 162.18.185.215 | 137 | 17 | UDP
2002-09-30 18:23:55+00 | 128.248.59.111 | 1026 | 162.18.185.213 | 137 | 17 | UDP
2002-09-30 18:23:54+00 | 128.248.59.111 | 1026 | 162.18.185.211 | 137 | 17 | UDP
2002-09-30 18:23:53+00 | 128.248.59.111 | 1026 | 162.18.185.206 | 137 | 17 | UDP
2002-09-30 18:23:53+00 | 128.248.59.111 | 1026 | 162.18.185.203 | 137 | 17 | UDP
2002-09-30 18:23:53+00 | 128.248.59.111 | 1026 | 162.18.185.202 | 137 | 17 | UDP
2002-09-30 18:23:53+00 | 128.248.59.111 | 1026 | 162.18.185.200 | 137 | 17 | UDP
2002-09-30 18:23:52+00 | 128.248.59.111 | 1026 | 162.18.185.199 | 137 | 17 | UDP
2002-09-30 18:23:52+00 | 128.248.59.111 | 1026 | 162.18.185.198 | 137 | 17 | UDP
2002-09-30 18:23:52+00 | 128.248.59.111 | 1026 | 162.18.185.195 | 137 | 17 | UDP
2002-09-30 18:23:51+00 | 128.248.59.111 | 1026 | 162.18.185.192 | 137 | 17 | UDP
2002-09-30 18:23:51+00 | 128.248.59.111 | 1026 | 162.18.185.189 | 137 | 17 | UDP
2002-09-30 18:23:51+00 | 128.248.59.111 | 1026 | 162.18.185.188 | 137 | 17 | UDP
2002-09-30 18:23:50+00 | 128.248.59.111 | 1026 | 162.18.185.181 | 137 | 17 | UDP
2002-09-30 18:23:50+00 | 128.248.59.111 | 1026 | 162.18.185.180 | 137 | 17 | UDP
<snip>

--
Bamm (Robert) Visscher
Network Security Engineer
Ball Corp. http://www.ball.com
rvisscherat_private
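As an added example (not part of Bamm's post or any tool he mentions), the Python below decodes the frame quoted above and reports the two oddities the post calls out, the broadcast bit and the non-137 source port, plus what the question actually asks for. The packet bytes are copied from the hex dump; the function names and the triage wording are my own.

```python
import struct

# Hex columns of the frame quoted in the post (ASCII column dropped).
PACKET_HEX = """
00 A0 8E 40 62 5A 00 30 A3 10 C8 01 08 00 45 00
00 4E 95 BD 00 00 74 11 99 07 80 F8 3B 6F A2 12
B9 60 04 02 00 89 00 3A A3 CB 01 00 00 10 00 01
00 00 00 00 00 00 20 43 4B 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 00 00 21 00 01
"""

NBNS_PORT = 137
NBNS_FLAG_BROADCAST = 0x0010  # "B" bit in the NBNS header flags
QTYPE_NBSTAT = 0x21           # node status request

def decode_nb_name(encoded: bytes) -> str:
    # First-level encoding sends each name byte as 'A'+high nibble, 'A'+low nibble.
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, len(encoded), 2))
    return raw.decode("latin-1").rstrip("\x00 ")

def parse_nbns_frame(frame: bytes) -> dict:
    # Ethernet/IPv4/UDP/NBNS; assumes IPv4 over Ethernet and UDP as in the capture.
    if frame[12:14] != b"\x08\x00" or frame[23] != 17:
        raise ValueError("expected an IPv4/UDP frame")
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    src_port, dst_port = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    nb = frame[22 + ihl:]                       # UDP payload = NBNS message
    flags = struct.unpack("!H", nb[2:4])[0]
    name_len = nb[12]                           # 0x20 = 32 encoded characters
    name = decode_nb_name(nb[13:13 + name_len])
    qtype, qclass = struct.unpack("!HH", nb[14 + name_len:18 + name_len])
    return {"src_ip": ".".join(map(str, ip[12:16])),
            "dst_ip": ".".join(map(str, ip[16:20])),
            "src_port": src_port, "dst_port": dst_port, "flags": flags,
            "name": name, "qtype": qtype, "qclass": qclass}

def triage(f: dict) -> list:
    # The two oddities the post calls out, plus what the question actually asks.
    notes = []
    if f["flags"] & NBNS_FLAG_BROADCAST:
        notes.append("broadcast bit set")
    if f["src_port"] != NBNS_PORT:
        notes.append("source port is not 137")
    if f["qtype"] == QTYPE_NBSTAT and f["name"] == "*":
        notes.append("wildcard node status query")
    return notes
```

The encoded name CKAAAA... decodes to "*", so each packet is a wildcard NBSTAT (node status) request sent to a unicast address with the broadcast flag on, which is the signature to look for in your own sensor data.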
This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 18:52:44 PDT