Port 137 probes

From: Bubsy (pizzapowered@yahoo.com)
Date: 10/01/02


Date: 1 Oct 2002 06:11:42 -0000
From: Bubsy <pizzapowered@yahoo.com>
To: incidents@securityfocus.com



After I saw that you guys were getting more port 137's than usual, I
looked at my logs. I found that I was also getting far more port 137's
than usual :) so I took a break from what I was doing to see what was up.
The remote port was almost always 1025, and the suspect only sent one
attempt each time. I did the 10-second look on a suspect machine with an
open share and found scrsvr.exe, which I believe to be the culprit; it
seems so cut and dried that I'm not even gonna sandbox it. Read more here:
 
http://vil.mcafee.com/dispVirus.asp?virus_k=99729

Well, there ya go, comes to life ~the 28th, bang boom zoom.

All good things to all good people!

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
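
A way to check your own firewall logs for the pattern described in the post above (hits on port 137, remote port almost always 1025, one attempt per source). This is an added example, not part of the original post; the iptables-style log format, the addresses, and the name `profile_port137` are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in iptables LOG style (documentation address ranges).
SAMPLE_LOG = """\
Oct  1 05:58:01 gw kernel: IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=UDP SPT=1025 DPT=137
Oct  1 05:59:40 gw kernel: IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=UDP SPT=1025 DPT=137
Oct  1 06:01:12 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
Oct  1 06:01:14 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
Oct  1 06:03:55 gw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=1025 DPT=137
Oct  1 06:04:02 gw kernel: IN=eth0 SRC=198.51.100.40 DST=192.0.2.10 PROTO=TCP SPT=4312 DPT=80
Oct  1 06:04:30 gw kernel: device eth0 entered promiscuous mode
"""

LINE = re.compile(r"SRC=(?P<src>\S+).*?SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)")

def profile_port137(lines, dport=137, expected_sport=1025):
    """Summarise inbound hits on dport and list sources fitting the described pattern."""
    sports_by_src = defaultdict(list)
    for line in lines:
        m = LINE.search(line)
        # Lines for other ports and unparsable lines are skipped. Protocol is not
        # filtered: the post does not say whether the probes were UDP or TCP.
        if m and int(m["dpt"]) == dport:
            sports_by_src[m["src"]].append(int(m["spt"]))
    all_sports = Counter(p for ports in sports_by_src.values() for p in ports)
    total = sum(all_sports.values())
    # Pattern from the post: exactly one attempt per source, sent from port 1025.
    single_shot = sorted(s for s, ports in sports_by_src.items() if ports == [expected_sport])
    return {
        "total_hits": total,
        "sources": len(sports_by_src),
        "share_from_expected_sport": all_sports[expected_sport] / total if total else 0.0,
        "single_shot_sources": single_shot,
    }

if __name__ == "__main__":
    for key, value in profile_port137(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Sources that repeat, or that send from port 137 itself, fall outside the single-shot list and are worth reviewing separately as ordinary NetBIOS chatter.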


