RE: Increase in port 137 scans

From: Joeri (j.j.toet@zonnet.nl)
Date: 10/02/02 

From: "Joeri" <j.j.toet@zonnet.nl>
To: <security-basics@securityfocus.com>
Date: Wed, 2 Oct 2002 18:31:50 +0200

Holy cow! Like 10 over two hours, you say!?! It's more like over two
thousand over the past six hours! Could this be some kind of probe by
that new BugBear virus (http://vil.nai.com/vil/content/v_99728.htm)?
It's said to traverse network shares...

Yours,

Joeri

-----Original Message-----
From: r00t [mailto:sta@woh.rr.com]
Sent: dinsdag 1 oktober 2002 19:59
To: Ferry van Steen; security-basics@securityfocus.com
Subject: Re: Increase in port 137 scans

YES!

I have also noticed a huge increase. For the past 2 days or so my logs
are
filling. Today alone I have had 60+ attempted connections to
137,udp,from
varying ips. Maybe I will take down the wall and sniff a few of these...

Why the sudden increase?

----- Original Message -----
From: "Ferry van Steen" <ferry.van.steen@InfoPart.nl>
To: <security-basics@securityfocus.com>
Sent: Monday, September 30, 2002 6:58 AM
Subject: Increase in port 137 scans

> Hey there,
>
> did anyone else notice a huge increase in port 137 scans (UDP)?
Usually I
> had perhaps 1 a day of those. Now I've seen atleast 10 in the past 2
hours
> alone.
>
> Kind regards,
>
> Ferry van Steen
> InfoPart Automatisering B.V.
> Beeksestraat 24
> 4841 GC Prinsenbeek
> The Netherlands
> Phone: +31 (0)76 - 5 44 04 11
> Fax: +31 (0)76 - 5 41 83 51
> Mobile: +31 (0)6 - 28 46 47 45
> E-Mail (business): ferry.van.steen@infopart.nl
> E-Mail (private): freaky@bananateam.nl
> MSN Messenger: freaky@freaky2000.dyndns.org
> ICQ (UIN (seldom used)): 191458
>
>
>

Relevant Pages

  • Re: at times the draper
    ... port. ... Perry, still handling, treats almost victoriously, as the ... far from the division let alone the infrastructure. ...
    (sci.crypt)
  • Re: [PATCH] Marvell SATA fixes v2
    ... ata_device_add: ata5: probe begin ... mv_phy_reset: S-regs after PHY wake: SStat 0x00000000 SErr 0x00000000 SCtrl 0x00000000 ... abnormal status 0x80 on port 0xF8BA211C ... ata_qc_complete: EXIT ...
    (Linux-Kernel)
  • Port 6635
    ... We received a very fast scan (probe) for port 6635 last night. ... Flare Interactive (NETBLK-SAVV-FLAREINTER2) SAVV-FLAREINTER2 ... Domain System inverse mapping provided by: ...
    (Incidents)
  • Re: How to tell whether a struct file is held by a process?
    ... Yes a "don't probe this port" would make sense. ... The fact kernel space ... "initialize and enumerate", as opposed to calling various drivers' ...
    (Linux-Kernel)
  • Re: TECH: 6.5VAC on ground? (Bally)
    ... Normally you have one probe on ground, for reference, then measure to a ... cable connects to a 9 pin RS232 port on a replacement MPU and the RS232 ... I've tried multiple computers, multiple RS232 cables ... you can't measure AC from a single rail. ...
    (rec.games.pinball)