RE: Unusual volume: UDP:137 probes

From: Joseph R. Gruber (jgruber@tampabay.rr.com)
Date: 09/30/02


From: "Joseph R. Gruber" <jgruber@tampabay.rr.com>
To: "'Scott McGee'" <scottmcgee@adelphia.net>, <incidents@securityfocus.com>
Date: Mon, 30 Sep 2002 17:37:47 -0400

While I am only looking at my home network (tampabay.rr.com) here is a
list of port 137 probes:

Sep 30 (Today up till 5:30PM): 201
Sep 29: 89
Sep 28: 98
Sep 27: 11

Very strange how it's picking up more & more each day

-----Original Message-----
From: Scott McGee [mailto:scottmcgee@adelphia.net]
Sent: Monday, September 30, 2002 12:43 PM
To: incidents@securityfocus.com
Subject: Re: Unusual volume: UDP:137 probes

Seeing the same thing here on Adelphia.net cable modem network:

Sep 18 - 2
Sep 19 - 0
Sep 20 - 0
Sep 21 - 0
Sep 22 - 0
Sep 23 - 1
Sep 24 - 0
Sep 25 - 1
Sep 26 - 2
Sep 27 - 19
Sep 28 - 95
Sep 29 - 146
Sep 30 - 68 up to 9:33 AM PST

Scott

----- Original Message -----
From: "Mark Forsyth" <forsythm@optushome.com.au>
Sent: Monday, September 30, 2002 1:33 AM
Subject: RE: Unusual volume: UDP:137 probes

|
| On Monday, September 30, 2002 9:02 AM, John Sage
| [SMTP:jsage@finchhaven.com] wrote:

| > Some people have been seeing unusually high volumes of UDP:137 probes
| > since about 09/27/02 late, or early 09/28/02.
|
| A few people (who log such things) on the Optus cable network in Australia
| have been seeing it too.
| In my case since Sep 20 it's gone ...
| Sep 20 2 hits
| Sep 21, 22, 23 0 hits
| Sep 24 3 hits
| Sep 25 0 hits
| Sep 26 4 hits
| Sep 27 2 hits
| Sep 28 156 hits Starting at 02:20 (Aust. EST)
| Sep 29 410 hits
| Sep 30 406 hits up until 18:24

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
