Re: Sudden torrent of ZoneAlarm alerts re: UDP port 137 - Any ideas?

From:
Date: 09/30/02


Date: Mon, 30 Sep 2002 01:16:01 GMT

Hello All,
        The port 137 UDP attemps are being reported by many others in
different NG's. I'm seeing the
same thing in my logs also.I'm seeing a range of source ports from 1024
to 1028 and 1 on 1032.I'm am also getting some from my own domain and
also alot from Asia. This started saturday morning and has picked up
since. here is a link to some info on the rise of Port 137 scans.
http://isc.incidents.org/
"2002-Sep-29... current status: green Yet another mod_ssl worm (analysis
coming soon). Scans for port 137 on the rise." Quoted from internet
storm center.
Regards,
Tie Dye

"JMSteele" <jmsteele@qwest.net> wrote in message
news:73d56acc.0209291549.6ac620f@posting.google.com...
> In the past 72 hours I've received a near constant (we're talking
> hundreds) stream of ZA alerts regarding attempts to access UDP port
> 137. While many of these are repeat scanning attempts originating from
> a handful of IPs from within my own qwest.net domain, most are from
> unique IPs from domains all over the globe. Almost all of the source
> IPs are using port 1025 or 1026.
>
> I've had this account and operated ZoneAlarm for well over a year and
> this has never happened previously. Ran Trojan Remover and found
> nothing, but still can't help but being paranoid.
>
> Any ideas on what this might be?
>
> Thanks

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.391 / Virus Database: 222 - Release Date: 9/19/02



Relevant Pages

  • Re: Whats the point of not allowing all outgoing traffic by default?
    ... some idea of how source ports are used. ... The normal mode is that the next UNUSED port above 1024 ... These are used by quite a number of mail server to reduce the amount ... and application filtering ONLY works on the originating ...
    (comp.security.firewalls)
  • RE: [fw-wiz] NAPT - NAT Port selection
    ... If the destination IP address is different, a port forwarder on the receiving ... The limit of 64K is for source ports per sourceaddress:destination IP:port ... NAPT devices allow access to internet by internal machines having ...
    (Firewall-Wizards)
  • Re: NMAP Concurrent Scans
    ... closing a connection on target machine will it not ... Assuming nmap is using random source ports, ... 4-tuple (source ip, dest ip, source port, dest port) will be identical. ... this 4-tuple is what uniquely indentifies a connection. ...
    (Pen-Test)
  • Re: Sudden torrent of ZoneAlarm alerts re: UDP port 137 - Any ideas?
    ... > same thing in my logs also.I'm seeing a range of source ports from 1024 ... here is a link to some info on the rise of Port 137 scans. ... >> unique IPs from domains all over the globe. ...
    (comp.security.firewalls)
  • RE: ICMP (Ping)
    ... Why do you assume that out of millions of Ips that respond, ... > almost) running a port scan those that reply. ... replies from a ping request. ... IP ranges with no target in mind, ...
    (Security-Basics)