On Tue, Jan 28, 2003 at 12:28:33PM -0300, Gkruel wrote:

> I've noticed that since 01/24 00:14 GMT -0200, til today, different IP's
> started to scan my whole network for UDP port 135.
> They send one packet each 30 seconds, one for each IP of my whole range.
> The source IP's are different from any IP sending the slammer worm for me,
> so it doesn't seem to have any relation.

It's not a scan. It's spam. They've figured out that they can send "pop-up" alerter messages to open Windows boxen in a single UDP packet so they're laying back and firing at will. I heard a report of one such spammer firing off at 5 Mbps continuous. Only reason he was tracked back was that his ISP doesn't allow spoofed packets (HINT TO THE REST OF YOU) and so the source addresses were legit.

I actually have some sample packets in hand (some captured in the wild, some provided to me) and they even work when transmitted to broadcast addresses and "network addresses" (the all zeros address) (SECOND HINT - BLOCK DIRECTED BROADCASTS AND SUBNET ADDRESSES). Net (excuse the pun) result is that if you have vulnerable hosts on a network, they get three for the price of one as these chumps hit first your network address, then the unicast address, then the broadcast address.

Microsoft even has a KB article on it.

<http://support.microsoft.com/?id=330904>

They now recommend blocking numerous Netbios/Windows related ports. Not enough, yet, considering MS-SQL Spida and now MS-SQL Slammer. Add 1433 and 1434 to the list they provide in their KB article, I guess. :-(

Oh, the article predates the trick the spammers figured out where they only need one packet and can spoof the source. The article was when there was three or four packets and some handshaking. It's gotten MUCH worse since then.

> Here are some of them:
> - 208.62.233.151
> - 67.34.191.69
> - 65.217.17.36, 44, and 45

> I'm used to receive tons of UDP 137, on random IP's, but never to my whole
> IP range.
UDP 137 is mostly OpaServ and related MSTDs (MicroSoft Transmitted Diseases). I'm capturing piles of them in my honeypots. :-( The various OpaServ variants lead the pack by an order of magnitude, beating out even Nimda in netbios share propagation (which is in second place).

> Is it some other simple probe directed specifically to me, and I'm
> overreacting, or maybe something else? UDP 135 is used by MS Exchange
> (portmapper)...

And supports the Netbios alerter service which is used for administrative pop-up messages. Old news. Just getting worse.

> Thanks

Mike
-- 
Michael H. Warfield | (770) 985-6132 | mhwat_private
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
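As an added example (not part of the original message or thread), the "three for the price of one" pattern Mike describes can be picked out of border-firewall logs: for each source hitting the Messenger/NetBIOS or MS-SQL UDP ports, record whether it targeted the subnet's network address, a unicast host, or the directed broadcast. The log format, the 192.0.2.0/24 range and the source addresses are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# UDP ports the thread suggests filtering at the border: Messenger/NetBIOS plus MS-SQL (1433/1434).
WATCHED_UDP_PORTS = {135, 137, 138, 139, 1433, 1434}

# Constructed firewall log lines (not from the original message): "<src> <dst> <proto> <dport>".
SAMPLE_LOG = """\
198.51.100.7 192.0.2.0 udp 135
198.51.100.7 192.0.2.25 udp 135
198.51.100.7 192.0.2.255 udp 135
203.0.113.9 192.0.2.25 udp 137
203.0.113.9 192.0.2.26 udp 53
"""


def classify_destination(dst, network):
    """Return 'network', 'broadcast' or 'unicast' for a destination inside network, else None."""
    addr = ipaddress.ip_address(dst)
    if addr not in network:
        return None
    if addr == network.network_address:
        return "network"          # the all-zeros "subnet address" the message warns about
    if addr == network.broadcast_address:
        return "broadcast"        # directed broadcast
    return "unicast"


def analyze(log_text, cidr):
    """Map source -> dport -> set of destination classes it hit on the watched UDP ports."""
    network = ipaddress.ip_network(cidr)
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        src, dst, proto, dport = line.split()
        if proto != "udp" or int(dport) not in WATCHED_UDP_PORTS:
            continue
        kind = classify_destination(dst, network)
        if kind:
            hits[src][int(dport)].add(kind)
    return hits


def three_for_one_sources(hits):
    """Sources that hit network, unicast and broadcast addresses on the same watched port."""
    full = {"network", "unicast", "broadcast"}
    return sorted(src for src, ports in hits.items()
                  if any(kinds >= full for kinds in ports.values()))
```

A source in the `three_for_one_sources` result is sending to addresses a legitimate client never uses, which is the signal to block directed broadcasts and the subnet address at the border rather than just the unicast hosts.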
This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 09:11:34 PST