Re: [fw-wiz] Help w/ Port 137 Traffic

From: Mikael Olsson (mikael.olsson@clavister.com)
Date: 10/13/02


From: Mikael Olsson <mikael.olsson@clavister.com>
To: "Paul D. Robertson" <proberts@patriot.net>
Date: Sun Oct 13 11:12:17 2002


(The horse is dead and starting to decompose, but I stubbornly keep
beating it for some reason I have yet to figure out.)

"Paul D. Robertson" wrote:
>
> By "sequence" I meant "Do name lookup, then go enumerate shares."
> Depending on what the worm is written with, there could be a
> "go_check_for_shares()" that does a name lookup then enumerates the
> shares- sequence being a series of events, not a method.

I just realized why a worm writer might want to contact port 137 first.
Not for reasons of "getting it to work", but just because writing a fast
scanner is a lot easier for UDP (port 137) than it is for TCP (port 139).

TCP scanning means keeping lots of sockets active if you want to
do it fast. UDP scanning using sendto()/recvfrom() calls is fast
and only requires a single socket.

Hence, I'd venture a guess that the port 137 probe is just that: a
probe. If it gets a response, it hits port 139, where the really
juicy stuff is.

$.02 (and just a general guess; I'm not saying that this is what
      f.i. BugBear does.)

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
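The probe-then-connect sequence Mikael guesses at above is also a pattern a firewall admin can look for in their own logs. This is an added example, not code from the original post: it runs over a few constructed log lines in an assumed "timestamp proto src:sport -> dst:dport" format and flags any TCP/139 connection that follows a UDP/137 probe from the same source to the same host within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the original thread). The format is an
# assumption for this example; adapt LINE_RE to your firewall's actual log format.
SAMPLE_LOG = """\
2002-10-13T11:00:01 UDP 10.0.0.5:1234 -> 192.168.1.10:137
2002-10-13T11:00:01 UDP 10.0.0.5:1234 -> 192.168.1.11:137
2002-10-13T11:00:01 UDP 10.0.0.5:1234 -> 192.168.1.12:137
2002-10-13T11:00:03 TCP 10.0.0.5:1035 -> 192.168.1.11:139
2002-10-13T11:00:20 TCP 10.0.0.7:1036 -> 192.168.1.11:139
2002-10-13T11:05:00 TCP 10.0.0.5:1040 -> 192.168.1.10:139
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>UDP|TCP) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "proto": m["proto"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}

def find_probe_then_connect(log_text, window_seconds=30):
    """Return (src, dst, seconds_after_probe) for every TCP/139 connection that
    follows a UDP/137 probe from the same source to the same host within the window."""
    probes = defaultdict(list)   # (src, dst) -> timestamps of UDP/137 probes seen
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["dst"])
        if ev["proto"] == "UDP" and ev["dport"] == 137:
            probes[key].append(ev["ts"])
        elif ev["proto"] == "TCP" and ev["dport"] == 139:
            # A TCP/139 session with no recent probe is treated as ordinary SMB
            # traffic; only the most recent in-window probe is reported.
            recent = [t for t in probes[key]
                      if 0 <= (ev["ts"] - t).total_seconds() <= window_seconds]
            if recent:
                hits.append((ev["src"], ev["dst"], (ev["ts"] - max(recent)).total_seconds()))
    return hits
```

With the default 30-second window only 10.0.0.5's connection to 192.168.1.11 is flagged; the later connection to 192.168.1.10 falls outside the window and 10.0.0.7 never probed at all.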

