Possible probe of port 137 using udp 50?????
From: Stefan Osterlitz (ostrlitz@blox.de)
Date: 08/14/01
From: "Stefan Osterlitz" <ostrlitz@blox.de>
To: <SECURITY-BASICS@securityfocus.com>
Subject: Possible probe of port 137 using udp 50?????
Date: Tue, 14 Aug 2001 19:29:41 +0200
Message-ID: <C5FEADB4FB3EE543959CE43DEE2ABE4E35F3@trendserver.blox.blox.ag>

> Hi Everybody,
> Just got a quick question. I was reviewing logs on my shadow box
> and noticed that for a period of a couple hours we had packet
> conversation between two hosts ( one local and one remote ) through
> port 137 using udp 50. My PIX ACLs don't have any ruleset to allow
> this network in at all except through say port 80 to our web servers.
> Is this a known attack or probe? Thanks.

This should not get thru if your firewall is well configured.
UDP 50 is a port for IPSEC (virtual private networking).
Win2K machines send them when they try to establish a secure connection.
What do you mean by "through udp 50"?
137 --> udp 50 tunnel --> somewhere else ?
(tcp?) 137 --> udp 50 ?
udp 50 --> ?
Try to post a line from your packet log, please.
Stefan Osterlitz