Security Incidents
mailing list archives
Re: Connection to port 137
From: Darryl Luff <DLuff () IITSCDM COM AU>
Date: Fri, 24 Nov 2000 12:34:11 +1100
Hi there,
We had 600 of these scans in the first two weeks of November. I haven't
counted them up lately but they seem to be increasing every day. If you
check the source address (net view \\ip.address), I think you'll find a
Windows machine with a writeable share published to the internet. The ones
I've looked at have been infected with one of the automated worms currently
doing the rounds. These things are a bit of a worry, just from the amount of
traffic they cause. Every infected machine starts automatically scanning
random IPs looking for new victims, and infecting the ones it finds, so the
traffic increases daily.
There was a link to a good writeup on these worms published recently either
here or on the firewalls list, but I've lost the URL.
Unless you allow these ports in to any of your machines, or have Windows
machines unprotected outside the firewall, I think the traffic problem is
worse than the security problem.
-----Original Message-----
From: Marco Bizzarri [SMTP:m.bizzarri () ICUBE IT]
Sent: Thursday, November 23, 2000 1:39 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Connection to port 137
Hi all.
I'm seeing a lot of UDP activity coming from Internet IPs on port 137 to
port 137 of our firewall. Is this normal, or should I start worrying?
Here's a sample:
Nov 22 14:44:20 brontolo kernel: Packet log: ext-if DENY eth2 PROTO=17
y.y.y.y:137 x.x.x.x:137 L=78 S=0x00 I=10984 F=0x0000 T=120 (#21)
Any suggestion?
Bye
Marco
--
Marco Bizzarri - Responsabile Tecnico - Icube S.r.l.
Sede: Via Ridolfi 15 - 56124 Pisa (PI), Italia
E-mail: m.bizzarri () icube it WWW: www.icube.it
Tel: (+39) 050 97 02 07 Fax: (+39) 050 31 36 588
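
An added example, not part of the original thread: a small tally of denied UDP port 137 probes per day and per source, parsed from ipchains "Packet log" lines in the layout Marco quoted, to check whether the scans are increasing as Darryl describes. The function names and the sample lines are constructed for illustration; the addresses come from documentation ranges.

```python
import re
from collections import defaultdict

# Layout of an ipchains "Packet log" syslog line, as in the sample in the thread:
# date, time, host, then chain, target, interface, PROTO, src:port, dst:port.
LINE_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \S+ \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
Nov 22 14:44:20 brontolo kernel: Packet log: ext-if DENY eth2 PROTO=17 198.51.100.7:137 192.0.2.1:137 L=78 S=0x00 I=10984 F=0x0000 T=120 (#21)
Nov 22 14:44:22 brontolo kernel: Packet log: ext-if DENY eth2 PROTO=17 198.51.100.7:137 192.0.2.1:137 L=78 S=0x00 I=10985 F=0x0000 T=120 (#21)
Nov 22 15:02:41 brontolo kernel: Packet log: ext-if DENY eth2 PROTO=17 203.0.113.9:1025 192.0.2.1:53 L=60 S=0x00 I=4411 F=0x0000 T=113 (#21)
Nov 23 03:10:05 brontolo kernel: Packet log: ext-if DENY eth2 PROTO=17 203.0.113.9:137 192.0.2.1:137 L=78 S=0x00 I=512 F=0x0000 T=116 (#21)
Nov 23 09:31:57 brontolo kernel: Packet log: ext-if DENY eth2 PROTO=17 198.51.100.7:137 192.0.2.1:137 L=78 S=0x00 I=11320 F=0x0000 T=120 (#21)
Nov 23 09:40:00 brontolo kernel: eth2: link status changed
"""


def port137_by_day(log_text):
    """Map syslog day -> {source IP: count} for denied UDP packets to port 137."""
    days = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a packet-log line
        # PROTO=17 is UDP; keep only denied packets aimed at NetBIOS name service.
        if (m["target"], m["proto"], m["dport"]) != ("DENY", "17", "137"):
            continue
        day = " ".join(m["day"].split())  # syslog pads single-digit days
        days[day][m["src"]] += 1
    return {day: dict(sources) for day, sources in days.items()}


def summarize(by_day):
    """Per day, in log order: (day, total probes, distinct source addresses)."""
    return [(day, sum(src.values()), len(src)) for day, src in by_day.items()]


if __name__ == "__main__":
    for day, total, sources in summarize(port137_by_day(SAMPLE_LOG)):
        print(f"{day}: {total} probes from {sources} source(s)")
```

A rising count of distinct sources per day, rather than repeats from one address, is what spreading infections would look like in this tally.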