Re: increase in smb scans

From: Hugo van der Kooij (hvdkooij@vanderkooij.org)
Date: 03/08/02

Previous message: Matt Zimmerman: "Re: sshd: PAM pam_set_item: NULL pam handle passed"
In reply to: Nathan W. Labadie: "increase in smb scans"
Next in thread: Nathan W. Labadie: "Re: increase in smb scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 8 Mar 2002 23:41:59 +0100 (CET)
From: Hugo van der Kooij <hvdkooij@vanderkooij.org>
To: Incidents Mailing List <incidents@securityfocus.com>

On Fri, 8 Mar 2002, Nathan W. Labadie wrote:

> Has anyone else noticed a _huge_ increase in SMB scans? I'm seeing sweeps
> of various subnets 5-10 times a day. This started around two weeks ago...
> they appear to be looking for open \\<netbios-name>\C shares. My guess is
> that there looking for machines previously infected with Nimda, but I
> could be wrong. It shows up as "NETBIOS SMB C access" under snort, and
> "Tree Connect AndX Request" when the tpcdump is viewed with ethereal.

What has puzzled me is that I get netbios-ns request from all over the
world on a ADSL link. (Just 1 IP address.) They seem to get in at random
moments from random machines.

This is not what I normally get from netbios-ns. You can have a peek at
this traffic on http://hvdkooij.xs4all.nl/fwlog/ and choose for "Overview
based on: source IP address and destination port" to get a grasp of what I
mean.

This odd thing started from March 4. Before that I see the occasional
bursts from badly configure machines doing netbios name lookups for my
machine instead of using DNS.

To me this does not seem extreemly alarming at the moment but just
something I have not seen before.

Hugo.

-- All email send to me is bound to the rules described on my homepage. hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/ Don't meddle in the affairs of sysadmins, for they are subtle and quick to anger.

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Previous message: Matt Zimmerman: "Re: sshd: PAM pam_set_item: NULL pam handle passed"
In reply to: Nathan W. Labadie: "increase in smb scans"
Next in thread: Nathan W. Labadie: "Re: increase in smb scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: should I need WINS?
... You need NetBIOS if you wish to ... support EITHER legacy OS clients OR ... If you use WINS Server then EVERY machine must be ... And since you have only four machines broadcasts are ...
(microsoft.public.windows.server.dns)
Re: Problem with the System Cloning Tool
... You can remove all NetBIOS relates stuff like "NetBIOS over TCP/IP" and ... I think that there should be even intergated support for network sharing ... > no duplicate MAC addresses (the machines use DHCP, ... There were no blue screens or anything that ...
(microsoft.public.windowsxp.embedded)
Re: WINS connection between two SBS baxes
... when you mention 'Netbios issue which is enable on both network cards' ... NETBIOS enabled? ... I have a customer who has two SBS domains linked via a IPSEC VPN ... on both machines the two domains are both listed but I am ...
(microsoft.public.windows.server.sbs)
Re: Do I need WINS?
... My take on the matter is this. ... your machines will default to broadcast mode if NetBios ... > If I add an additional child-domain to the existing forest or another ...
(microsoft.public.windows.server.dns)
Re: LoadLibrary and AfxLoadLibrary
... To find out who loads CRT libraries, you can use depends tool and use profiling feature of it.. ... you will find which DLLs are loaded.. ... (or it happens randomly on random machines)! ... It happens sometimes on some machines, ...
(microsoft.public.vc.mfc)