Re: UDP/137 scans -- new worm?

From: Andrew Simmons (andrews@mis-cds.com)
Date: Thu May 15 2003 - 04:09:31 PDT


    David Gillett wrote:
    > 
    >   The number of machines probing every IP in our range
    > with UDP/137 seems to be up substantially today, to the
    > point where it's practically DoSsing some of our gateway
    > equipment.
    > 
    >   These are not routine Windows/NetBIOS activity.  Although
    > the "Packet was broadcast" flag is set in the NetBIOS header,
    > they are in fact being sent unicast.  The source port in my
    > captured samples is always the same for any given source
    > address.
    > 
    >   The FCS/Checksum is always wrong.  It seems to be random,
    > which argues for a tool that doesn't care about setting it
    > rather than that the address/etc has been spoofed.
    > 
    >   Are other people seeing this?  Anyone know what's causing it?
    > 
    
    
    It's a few days since I checked the incidents.org charts
    ( http://isc.incidents.org/ ) but something unusual seems to be
    going on - unless the "others" definition includes IRC scanning
    from the Fizzer virus? They show port 139 (NetBIOS ssn) trending
    up, but no mention of 137.
    
    
    \a
    
    > David Gillett
    > 
    
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Fri May 16 2003 - 03:38:29 PDT
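
The traits described in the quoted message above (the NetBIOS "broadcast" flag set on UDP/137 packets that are delivered unicast, with a single source port per source address) can be checked mechanically over captured traffic. The following is an added example, not part of the original thread; the packet tuple layout, function names, `min_targets` threshold and sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

NBNS_PORT = 137
B_FLAG = 0x0010  # "broadcast" bit in the NBNS header flags word (RFC 1002)

def is_broadcast_dst(dst, local_nets):
    """True if dst is the limited broadcast or a local subnet's directed broadcast."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(addr == net.broadcast_address for net in local_nets)

def find_unicast_broadcast_probes(packets, local_nets, min_targets=3):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, udp_payload).
    Returns {src_ip: {"targets": n, "fixed_src_port": bool}} for sources that
    sent B-flagged NBNS packets to at least min_targets unicast addresses."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    targets = defaultdict(set)
    ports = defaultdict(set)
    for src, sport, dst, dport, payload in packets:
        if dport != NBNS_PORT or len(payload) < 12:
            continue  # not NBNS, or too short to hold the 12-byte header
        _txid, flags = struct.unpack_from(">HH", payload)
        if flags & B_FLAG and not is_broadcast_dst(dst, nets):
            targets[src].add(dst)
            ports[src].add(sport)
    return {s: {"targets": len(t), "fixed_src_port": len(ports[s]) == 1}
            for s, t in targets.items() if len(t) >= min_targets}

def nbns_header(txid, flags):
    """Build a 12-byte NBNS header with one question (constructed test input)."""
    return struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)

# Constructed sample traffic (documentation addresses, not taken from the thread).
SAMPLE = [
    ("198.51.100.7", 1026, "192.0.2.%d" % h, 137, nbns_header(h, 0x0010))
    for h in range(1, 6)
] + [
    # Ordinary name query sent to the subnet broadcast address: not flagged.
    ("192.0.2.20", 137, "192.0.2.255", 137, nbns_header(9, 0x0110)),
    # Unicast query without the B flag: not flagged.
    ("192.0.2.21", 137, "192.0.2.10", 137, nbns_header(10, 0x0100)),
]

if __name__ == "__main__":
    print(find_unicast_broadcast_probes(SAMPLE, ["192.0.2.0/24"]))
```

The check covers only the broadcast-flag and source-port traits; it does not validate the checksum mentioned in the quoted message.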