UDP/137 scans -- new worm?

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 05/15/03

  • Next message: Devilscrow Sr: "Re: Folllow-up to the Hotmail/MSN password reset problems"
    To: <incidents@securityfocus.com>
    Date: Wed, 14 May 2003 16:19:40 -0700
    
    

      The number of machines probing every IP in our range
    with UDP/137 seems to be up substantially today, to the
    point where it's practically DoSsing some of our gateway
    equipment.

      These are not routine Windows/NetBIOS activity. Although
    the "Packet was broadcast" flag is set in the NetBIOS header,
    they are in fact being sent unicast. The source port in my
    captured samples is always the same for any given source
    address.

      The FCS/Checksum is always wrong. It seems to be random,
    which argues for a tool that doesn't care about setting it
    rather than that the address/etc has been spoofed.

      Are other people seeing this? Anyone know what's causing it?

    David Gillett

    ----------------------------------------------------------------------------
    *** Wireless LAN Policies for Security & Management - NEW White Paper ***
    Just like wired networks, wireless LANs require network security policies
    that are enforced to protect WLANs from known vulnerabilities and threats.
    Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

    To get your FREE white paper visit us at:
    http://www.securityfocus.com/AirDefense-incidents
    ----------------------------------------------------------------------------


  • Next message: Devilscrow Sr: "Re: Folllow-up to the Hotmail/MSN password reset problems"