Re: a different, stranger port 137 activity

From: daniele.muscettaat_private
Date: Thu Oct 24 2002 - 05:05:21 PDT

    In-Reply-To: <DC97518EF1B5E3418A86F59A9A58035D036F9A4Aat_private>
    
    I have noticed the same packets.
    They get in because they are the response to a packet that went OUT.
    Your internal machine initiates the connection to the outside (querying a 
    NetBIOS name server?) and of course it gets a reply back.
    
    I am still investigating myself.
    At first I was thinking it was a "real" attack, as if I had a trojan and 
    I was attacking the remote.
    
    But it looks more like an attempt to query the remote machine for its 
    name. I also posted a message on the Snort user group, since it started 
    after I started using ACID to analyze Snort's logs.
    And it happens all the time with addresses that can't be resolved... as 
    if, after giving up on the DNS queries, the ACID application (running on 
    Windows) tries to contact the host directly to see if it can resolve its 
    name via NetBIOS.
    
    Of course a packet goes out, and THAT packet you noticed comes back to the 
    internal machine....
    
    But... is that really so?
    
    Let me know as well if you find out more, please.
    I am still researching it as well.
    
    Might be a false positive, but might also be that we are compromised...
    
    Best Regards,
    
    Daniele
    
    
    
    >Message-ID: <DC97518EF1B5E3418A86F59A9A58035D036F9A4Aat_private>
    >From: "Wisniewski, Michael" <wizat_private>
    >To: "'incidentsat_private'" <incidentsat_private>
    >Subject: a different, stranger port 137 activity
    >Date: Fri, 18 Oct 2002 09:23:48 -0500
    >
    >
    >	We've been experiencing a lot of strange port 137 traffic from one
    >of our IPs behind our firewall to somewhere offsite.  I've been trying to
    >track it down but I have been unsuccessful at it.  Anyway, I've noticed
    >earlier postings about port 137 traffic and they posted the packets, which
    >look similar to mine.  But, when I looked at the machine, the machine didn't
    >have any of the files associated with that virus/trojan.  I did a tcpdump
    >and the results are posted below.  Both of the machines are behind the
    >firewall and port 137 is not open.  Now all this was happening to a web
    >server / real audio server for a while now.  When I plugged my laptop in to
    >do the dump, I got the following information.  The weird part about it is
    >that it was mostly directed at my laptop as opposed to an IP on their
    >network.  The times for all the packets are listed below.  The packets, for
    >the most part, look about the same.  Here are the times this occurs...
    >
    >[The IP is 65.209.25.3, my laptop is [my laptop ip], and the internal web
    >server is the internal real audio/web server]
    >
    >14:43:30 > ip to my laptop
    >14:43:31 > my laptop to ip
    >14:43:33 > my laptop to ip
    >14:43:34 > my laptop to ip
    >14:45:36 > ip to internal web server
    >15:00:38 > ip to my laptop
    >15:02:44 > ip to internal web server
    >
    >
    >14:43:30.804208 65.209.25.3.137 > [my laptop ip].137: 
    >>>> NBT UDP PACKET(137): OPUNKNOWN; REQUEST; BROADCAST
    >0x0000	 4500 004c 0e51 0000 7011 56ed 41d1 1903	E..L.Q..p.V.A...
    >0x0010	 9289 f805 0089 0089 0038 0a8c 0203 09f9	.........8......
    >0x0020	 0000 6039 0000 0d26 8076 1903 c159 9149	..`9...&.v...Y.I
    >0x0030	 b0f3 35f0 4141 4141 4100 0021 c159 8de0	..5.AAAAA..!.Y..
    >0x0040	 aa28 a1e0 c159 9162 a944 6738          	.(...Y.b.Dg8
    >14:43:31.611945 [my laptop ip].137 > 65.209.25.3.137: 
    >>>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
    >0x0000	 4500 004e 0896 0000 8011 4ca6 9289 f805	E..N......L.....
    >0x0010	 41d1 1903 0089 0089 003a 5a15 80b6 0000	A........:Z.....
    >0x0020	 0001 0000 0000 0000 2043 4b41 4141 4141	.........CKAAAAA
    >0x0030	 4141 4141 4141 4141 4141 4141 4141 4141	AAAAAAAAAAAAAAAA
    >0x0040	 4141 4141 4141 4141 4100 0021 0001     	AAAAAAAAA..!..
    >14:43:33.110058 [my laptop ip].137 > 65.209.25.3.137: 
    >>>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
    >0x0000	 4500 004e 0897 0000 8011 4ca5 9289 f805	E..N......L.....
    >0x0010	 41d1 1903 0089 0089 003a 5a14 80b7 0000	A........:Z.....
    >0x0020	 0001 0000 0000 0000 2043 4b41 4141 4141	.........CKAAAAA
    >0x0030	 4141 4141 4141 4141 4141 4141 4141 4141	AAAAAAAAAAAAAAAA
    >0x0040	 4141 4141 4141 4141 4100 0021 0001     	AAAAAAAAA..!..
    >14:43:34.612213 [my laptop ip].137 > 65.209.25.3.137: 
    >>>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
    >0x0000	 4500 004e 0898 0000 8011 4ca4 9289 f805	E..N......L.....
    >0x0010	 41d1 1903 0089 0089 003a 5a13 80b8 0000	A........:Z.....
    >0x0020	 0001 0000 0000 0000 2043 4b41 4141 4141	.........CKAAAAA
    >0x0030	 4141 4141 4141 4141 4141 4141 4141 4141	AAAAAAAAAAAAAAAA
    >0x0040	 4141 4141 4141 4141 4100 0021 0001     	AAAAAAAAA..!..
    >
    >
    >	Any help would be greatly appreciated!  I just don't quite
    >understand how this IP is getting through our firewall since there are no
    >conduits open on port 137.  Thanks in advance!
    >
    >Mike
    >
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
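An added example, not code from either poster: a Python decoder for the two NBNS packets quoted above (bytes copied from the tcpdump hex), which shows the laptop's outbound packet to be an NBSTAT query for the wildcard name "*" (the "CKAAAA..." string is its NetBIOS first-level encoding) and the inbound packet to carry an opcode NBNS does not define, as tcpdump's OPUNKNOWN indicated. The last function is the check a defender would apply to the "reply to our own query" theory: a real reply is flagged as a response and reuses the transaction ID of one of the outbound queries.

```python
import struct

OPCODES = {0: "QUERY", 5: "REGISTRATION", 6: "RELEASE", 7: "WACK", 8: "REFRESH"}
QTYPES = {0x20: "NB", 0x21: "NBSTAT"}

# Packet bytes copied from the tcpdump hex quoted above (IPv4 header included):
# the 14:43:30 packet from 65.209.25.3 and the 14:43:31 packet from the laptop.
INBOUND = bytes.fromhex(
    "4500004c0e510000701156ed41d11903" "9289f8050089008900380a8c020309f9"
    "0000603900000d2680761903c1599149" "b0f335f04141414141000021c1598de0"
    "aa28a1e0c1599162a9446738")
OUTBOUND = bytes.fromhex(
    "4500004e0896000080114ca69289f805" "41d1190300890089003a5a1580b60000"
    "000100000000000020434b4141414141" + "41" * 16
    + "4141414141414141410000210001")

def decode_nb_name(enc: bytes):
    """Undo NetBIOS first-level encoding: each nibble of the 16-byte name is
    sent as one letter 'A'..'P'. Returns (name, 16th-byte suffix)."""
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b"\x00 ").decode("ascii", "replace"), raw[15]

def parse_nbns(ip_packet: bytes) -> dict:
    """Parse IPv4 + UDP + NBNS header and, if the header is sane, the question."""
    ihl = (ip_packet[0] & 0x0F) * 4
    udp = ip_packet[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    nb = udp[8:]
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", nb[:8])
    opcode = (flags >> 11) & 0xF               # OPCODE occupies bits 14..11
    info = {"sport": sport, "dport": dport, "txid": txid,
            "response": bool(flags & 0x8000),   # R bit
            "opcode": OPCODES.get(opcode, "OPUNKNOWN"),
            "broadcast": bool(flags & 0x0010),  # B bit of NM_FLAGS
            "qdcount": qdcount, "ancount": ancount}
    # Decode the question only for a QUERY carrying exactly one question whose
    # name label has the mandated 32-character length; anything else stays raw.
    if opcode == 0 and qdcount == 1 and len(nb) >= 50 and nb[12] == 32:
        name, suffix = decode_nb_name(nb[13:45])
        qtype, = struct.unpack("!H", nb[46:48])
        info.update(name=name, suffix=suffix, qtype=QTYPES.get(qtype, hex(qtype)))
    return info

def is_reply_to(inbound: dict, outbound: list) -> bool:
    """A genuine reply to one of our queries is flagged as a response and
    reuses the transaction ID of an outbound query; anything else is not."""
    return inbound["response"] and inbound["txid"] in {p["txid"] for p in outbound}
```

Run `parse_nbns(INBOUND)` and `parse_nbns(OUTBOUND)` to see the decoded headers; the same parser works on any UDP/137 packet captured with `tcpdump -x`.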
    



    This archive was generated by hypermail 2b30 : Fri Oct 25 2002 - 01:26:56 PDT