Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Security Incidents: Strange logs

Strange logs

From: Devdas Bhagat <devdas_at_worldgatein.net>
Date: Mon, 1 Jan 2001 20:19:24 +0530

I am getting UDP packets from port 137 on various machines to port 53
on my secondary nameserver.

Jan 1 19:00:02 ns2 kernel: Packet log: input DENY eth0 PROTO=17
remote ip:137 my_ip:53 L=61 S=0x00 I=62548 F=0x0000 T=222 (#21)

Jan 1 19:00:03 ns2 kernel: Packet log: input DENY eth0 PROTO=17
remote_ip:137 my_ip:53 L=61 S=0x00 I=56959 F=0x0000 T=127 (#21)

Jan 1 19:00:04 ns2 kernel: Packet log: input DENY eth0 PROTO=17
rem_ip2:137 my_ip:53 L=61 S=0x00 I=62804 F=0x0000 T=222 (#21)

Jan 1 19:00:04 ns2 kernel: Packet log: input DENY eth0 PROTO=17
remote_ip:137 my_ip:53 L=61 S=0x00 I=58239 F=0x0000 T=127 (#21)

Jan 1 19:00:05 ns2 kernel: Packet log: input DENY eth0 PROTO=17
rem_ip2:137 my_ip:53 L=61 S=0x00 I=63060 F=0x0000 T=222 (#21)

Jan 1 19:00:07 ns2 kernel: Packet log: input DENY eth0 PROTO=17
remote_ip:137 my_ip:53 L=61 S=0x00 I=60799 F=0x0000 T=127 (#21)

Jan 1 19:00:08 ns2 kernel: Packet log: input DENY eth0 PROTO=17
rem_ip3:137 my_ip:53 L=61 S=0x00 I=58702 F=0x0000 T=126 (#21)

Jan 1 19:00:09 ns2 kernel: Packet log: input DENY eth0 PROTO=17
remote_ip:137 my_ip:53 L=61 S=0x00 I=61311 F=0x0000 T=127 (#21)

Jan 1 19:00:10 ns2 kernel: Packet log: input DENY eth0 PROTO=17
rem_ip3:137 my_ip:53 L=61 S=0x00 I=62286 F=0x0000 T=126 (#21)

Jan 1 19:00:10 ns2 kernel: Packet log: input DENY eth0 PROTO=17
remote_ip:137 my_ip:53 L=61 S=0x00 I=61823 F=0x0000 T=127 (#21)

Jan 1 19:00:11 ns2 kernel: Packet log: input DENY eth0 PROTO=17
rem_ip2:137 my_ip:53 L=60 S=0x00 I=64340 F=0x0000 T=222 (#21)

Jan 1 19:00:11 ns2 kernel: Packet log: input DENY eth0 PROTO=17
rem_ip3:137 my_ip:53 L=61 S=0x00 I=64334 F=0x0000 T=126 (#21)

Jan 1 19:00:13 ns2 kernel: Packet log: input DENY eth0 PROTO=17
rem_ip2:137 my_ip:53 L=60 S=0x00 I=64596 F=0x0000 T=222 (#21)

These have been coming continuously since morning (about 9 hrs now), and
currently form half my logfile (rotated on Sunday at 4 am). No such
traces on the primary nameserver, and I use the same rules on both. Any
explanations of what this could be?
An attempted exploit or just a misconfigured File and Print share
(given the originating port)?

Devdas Bhagat 

--
Age, n.:
	That period of life in which we compound for the vices that we
	still cherish by reviling those that we no longer have the enterprise
	to commit.
		-- Ambrose Bierce
Received on Jan 01 2001
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos