Port 137 probes

From: Bubsy (pizzapowered@yahoo.com)
Date: 10/01/02

Date: 1 Oct 2002 06:11:42 -0000
From: Bubsy <pizzapowered@yahoo.com>
To: incidents@securityfocus.com

After I saw that you guys were getting more port 137's than usual, I
looked at my logs. I found that I was also getting far more port 137's
than usual :) so I took a break from what I was doing to see what was up.
The remote port was almost always 1025, and the suspect only sent one
attempt each time. I did the 10 second look on a suspect machine with an
open share and found scrsvr.exe, which I believe to be the culprit; it
seems so cut and dried that I'm not even gonna sandbox it. Read more here -

Well, there ya go, comes to life ~the 28th, bang boom zoom.

All good things to all good people!

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
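
As an added example (not part of the original post), one way to check firewall logs for the pattern described above: hits on port 137 where the remote port is 1025 and each source makes a single attempt. The log format, the sample lines and the function names are constructed for illustration, and UDP is assumed as the protocol.

```python
import re
from collections import defaultdict

# Constructed sample log lines; the format is an assumption, not from the post.
SAMPLE_LOG = """\
2002-09-30T22:14:03 DROP UDP 198.51.100.23:1025 -> 192.0.2.10:137
2002-09-30T22:19:41 DROP UDP 203.0.113.77:1025 -> 192.0.2.10:137
2002-09-30T22:20:10 DROP UDP 203.0.113.5:137 -> 192.0.2.10:137
2002-09-30T22:20:12 DROP UDP 203.0.113.5:137 -> 192.0.2.10:137
2002-09-30T22:20:15 DROP UDP 203.0.113.5:137 -> 192.0.2.10:137
2002-09-30T22:31:07 DROP TCP 198.51.100.9:4312 -> 192.0.2.10:80
2002-09-30T22:40:55 DROP UDP 198.51.100.140:1025 -> 192.0.2.11:137
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec

def summarize_137_probes(log_text, probe_sport=1025):
    """Group port-137 hits by source and flag single attempts from probe_sport."""
    hits = defaultdict(list)
    for rec in parse(log_text):
        if rec["dport"] == 137:
            hits[rec["src"]].append(rec)
    return {
        src: {
            "attempts": len(recs),
            "src_ports": sorted({r["sport"] for r in recs}),
            "matches_pattern": len(recs) == 1 and recs[0]["sport"] == probe_sport,
        }
        for src, recs in hits.items()
    }

def matching_sources(report):
    """Sources whose traffic fits the pattern, sorted for stable output."""
    return sorted(src for src, info in report.items() if info["matches_pattern"])

if __name__ == "__main__":
    for src in matching_sources(summarize_137_probes(SAMPLE_LOG)):
        print("possible probe source:", src)
```

The repeated 137-to-137 traffic from one source in the sample is left unflagged, which keeps ordinary NetBIOS name-service chatter apart from the one-shot pattern.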
