Re: Source 126.0.0.1 UDP/137

From: D Sanchez (crypto-map_at_cox.net)
Date: 05/14/03

    To: <jlepich@pcrmc.com>
    Date: Tue, 13 May 2003 22:45:16 -0700
    
    

    That's a signature of the worm network.vbs scanning over TCP137. Make sure
    you're not allowing NetBIOS (137...) un-established inbound from the
    Internet on your firewall. The reason you're seeing it on the firewall is
    because it's probably following the default route (0.0.0.0 0.0.0.0) out to
    the Internet since you don't have a route for this network. Check your
    router by showing the route for 126.0.0.0; if you don't have a route for this,
    chances are that the default route on your network is pointed at your
    firewall's inside interface. Shut down NetBIOS on the inside interface of
    the firewall too. Scan all inside hosts for viruses; you'll find an infected
    one. You must be using Windows.

    http://www.sans.org/resources/idfaq/port_137.php

    http://securityresponse.symantec.com/avcenter/venc/data/vbs.network.html

    ----- Original Message -----
    From: <jlepich@fidmail.com>
    To: <incidents@securityfocus.com>
    Sent: Friday, May 09, 2003 2:06 PM
    Subject: Source 126.0.0.1 UDP/137

    > Can anyone tell me what is causing these entries to pop up in my firewall
    > log? On our network we use a 10.x.x.x IP scheme. There is no host with the
    > address of 126.0.0.1 on our network anywhere. I was able to capture this by
    > sniffing the traffic from source 126.0.0.1.
    > ............ CKAAAAAAAAAAAAAAAAA
    > AAAAAAAAAAAAA..!
    >
    > I have learned that this is a legitimate NetBIOS query.
    >
    > Here is an excerpt from my firewall log.
    >
    > Deny udp src inside:126.0.0.1/137 dst outside:3.13.0.10/137 (General Electric, NJ USA)
    > Deny udp src inside:126.0.0.1/137 dst outside:63.14.0.10/137 (UUNET, VA, USA)
    > Deny udp src inside:126.0.0.1/137 dst outside:210.11.0.10/137 (Asia Pacific Network Information Centre, AU)
    >
    > By sniffing the traffic I was able to get the source MAC address. The
    > MAC I got is that of our core router. I have not attempted to track the
    > source beyond that router yet.
    >
    > -Jesse
    > ___________________________________________________________
    > Fidelity Communications Webmail - http://webmail.fidnet.com
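As an added illustration (not part of the thread or either poster's code): a short Python script that decodes the first-level-encoded NetBIOS name quoted in the capture, showing it is the wildcard "*" node-status query, and then filters the quoted firewall log lines for UDP/137 traffic leaving the inside interface from a source outside the poster's 10.x.x.x plan. The log lines and the extra 10.1.2.3 line are constructed copies for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed copy of the 32-character name fragment quoted in the post.
CAPTURED_NAME = "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

# Constructed copies of the quoted log lines (owner annotations dropped),
# plus one legitimate-looking line to show it is not flagged.
LOG_LINES = [
    "Deny udp src inside:126.0.0.1/137 dst outside:3.13.0.10/137",
    "Deny udp src inside:126.0.0.1/137 dst outside:63.14.0.10/137",
    "Deny udp src inside:126.0.0.1/137 dst outside:210.11.0.10/137",
    "Deny udp src inside:10.1.2.3/137 dst outside:10.1.2.255/137",
]

INSIDE_NETS = [ip_network("10.0.0.0/8")]  # the site's own address plan


def decode_netbios_name(encoded: str) -> tuple:
    """Reverse RFC 1001 first-level encoding: each byte is sent as two
    letters 'A'..'P', one per nibble. Returns (name, suffix byte)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def is_wildcard_nbstat_name(encoded: str) -> bool:
    """'*' padded with NULs is the name an NBSTAT (node status) query carries."""
    name, suffix = decode_netbios_name(encoded)
    return name == "*" and suffix == 0


LOG_RE = re.compile(r"Deny (\w+) src inside:([\d.]+)/(\d+) dst outside:([\d.]+)/(\d+)")


def suspicious_netbios_egress(lines):
    """Return (src, dst) pairs for UDP/137 leaving via the inside interface
    from a source address that is not in the site's own address plan."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        proto, src, _sport, dst, dport = m.groups()
        if proto != "udp" or dport != "137":
            continue
        if not any(ip_address(src) in net for net in INSIDE_NETS):
            hits.append((src, dst))
    return hits
```

Every flagged source shares one MAC in the capture, so the next hop in a real investigation is the ARP/CAM table on that router, as the original poster had started to do.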
    
