Security Incidents: Re: Strange logs

Re: Strange logs

From: Fabio Pietrosanti (naif) <naif_at_INET.IT>
Date: Tue, 2 Jan 2001 13:30:17 +0100

If you look at the details on www.microsoft.com about the Microsoft resolver,
you'll see that when it looks up a NetBIOS name it will:

first check lmhosts
then check broadcast
then check wins server
then check dns

so, when it finally checks the DNS server, it is still using src_port:137.

Pietrosanti Fabio I.NET SpA, High Quality Access to the Internet
e-mail: naif_at_inet.it ( Direzione Tecnica, Security Staff )
         firewall_at_inet.it
PGP Key (DSS) http://naif.itapac.net/naif.asc

Home Page URL: http://www.inet.it
Sede: Via Darwin, 85 20019 Settimo Milanese (MI)
Tel: 02-328631 Fax: 02-328637701

--
Free advertising: www.openbsd.org - Multiplatform Ultra-secure OS
On Mon, 1 Jan 2001, Devdas Bhagat wrote:
> I am getting UDP packets from port 137 on various machines to port 53
> on my secondary nameserver.
>
> Jan  1 19:00:02 ns2 kernel: Packet log: input DENY eth0 PROTO=17
> remote ip:137 my_ip:53 L=61 S=0x00 I=62548 F=0x0000 T=222 (#21)
>
> Jan  1 19:00:03 ns2 kernel: Packet log: input DENY eth0 PROTO=17
> remote_ip:137 my_ip:53 L=61 S=0x00 I=56959 F=0x0000 T=127 (#21)
>
> Jan 1 19:00:04 ns2 kernel: Packet log: input DENY eth0 PROTO=17
> rem_ip2:137 my_ip:53 L=61 S=0x00 I=62804 F=0x0000 T=222 (#21)
>
> Jan  1 19:00:04 ns2 kernel: Packet log: input DENY eth0 PROTO=17
> remote_ip:137 my_ip:53 L=61 S=0x00 I=58239 F=0x0000 T=127 (#21)
>
> Jan  1 19:00:05 ns2 kernel: Packet log: input DENY eth0 PROTO=17
> rem_ip2:137 my_ip:53 L=61 S=0x00 I=63060 F=0x0000 T=222 (#21)
>
> Jan  1 19:00:07 ns2 kernel: Packet log: input DENY eth0 PROTO=17
> remote_ip:137 my_ip:53 L=61 S=0x00 I=60799 F=0x0000 T=127 (#21)
>
> Jan  1 19:00:08 ns2 kernel: Packet log: input DENY eth0 PROTO=17
> rem_ip3:137 my_ip:53 L=61 S=0x00 I=58702 F=0x0000 T=126 (#21)
>
> Jan  1 19:00:09 ns2 kernel: Packet log: input DENY eth0 PROTO=17
> remote_ip:137 my_ip:53 L=61 S=0x00 I=61311 F=0x0000 T=127 (#21)
>
> Jan  1 19:00:10 ns2 kernel: Packet log: input DENY eth0 PROTO=17
> rem_ip3:137 my_ip:53 L=61 S=0x00 I=62286 F=0x0000 T=126 (#21)
>
> Jan  1 19:00:10 ns2 kernel: Packet log: input DENY eth0 PROTO=17
> remote_ip:137 my_ip:53 L=61 S=0x00 I=61823 F=0x0000 T=127 (#21)
>
> Jan  1 19:00:11 ns2 kernel: Packet log: input DENY eth0 PROTO=17
> rem_ip2:137 my_ip:53 L=60 S=0x00 I=64340 F=0x0000 T=222 (#21)
>
> Jan  1 19:00:11 ns2 kernel: Packet log: input DENY eth0 PROTO=17
> rem_ip3:137 my_ip:53 L=61 S=0x00 I=64334 F=0x0000 T=126 (#21)
>
> Jan  1 19:00:13 ns2 kernel: Packet log: input DENY eth0 PROTO=17
> rem_ip2:137 my_ip:53 L=60 S=0x00 I=64596 F=0x0000 T=222 (#21)
>
>
> These have been coming continuously since morning (about 9 hrs now), and
> currently form half my logfile (rotated on Sunday at 4 am). No such
> traces on the primary nameserver, and I use the same rules on both. Any
> explanations of what this could be?
> An attempted exploit or just a misconfigured File and Print share
> (given the originating port)?
>
> Devdas Bhagat
> --
> Age, n.:
> 	That period of life in which we compound for the vices that we
> 	still cherish by reviling those that we no longer have the enterprise
> 	to commit.
> 		-- Ambrose Bierce
>
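The thread never shows how to check the explanation against the logs, so here is an added example (not part of the original messages) that parses ipchains "Packet log" lines of the shape quoted above, groups the denied packets by source address, and labels a source as consistent with the Windows NetBIOS resolver falling through to DNS when every packet from it is UDP from source port 137 to port 53. The log format assumed is exactly the one in the quoted lines; the sample lines and the placeholder addresses (remote_ip, rem_ip2, rem_ip3, rem_ip4) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the ipchains "Packet log" entries quoted
# in the thread. The addresses are placeholders, as in the original post; the
# rem_ip4 line is added to show a source that does NOT fit the resolver pattern.
SAMPLE_LOG = """\
Jan  1 19:00:02 ns2 kernel: Packet log: input DENY eth0 PROTO=17 remote_ip:137 my_ip:53 L=61 S=0x00 I=62548 F=0x0000 T=222 (#21)
Jan  1 19:00:03 ns2 kernel: Packet log: input DENY eth0 PROTO=17 remote_ip:137 my_ip:53 L=61 S=0x00 I=56959 F=0x0000 T=127 (#21)
Jan  1 19:00:04 ns2 kernel: Packet log: input DENY eth0 PROTO=17 rem_ip2:137 my_ip:53 L=61 S=0x00 I=62804 F=0x0000 T=222 (#21)
Jan  1 19:00:08 ns2 kernel: Packet log: input DENY eth0 PROTO=17 rem_ip3:137 my_ip:53 L=61 S=0x00 I=58702 F=0x0000 T=126 (#21)
Jan  1 19:00:11 ns2 kernel: Packet log: input DENY eth0 PROTO=17 rem_ip2:137 my_ip:53 L=60 S=0x00 I=64340 F=0x0000 T=222 (#21)
Jan  1 19:00:12 ns2 kernel: Packet log: input DENY eth0 PROTO=17 rem_ip4:1234 my_ip:53 L=61 S=0x00 I=64596 F=0x0000 T=222 (#21)
"""

# Field layout assumed from the quoted lines:
#   Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#               L=<len> S=<tos> I=<ipid> F=<frag> T=<ttl> (#rule)
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>\S+) I=(?P<ipid>\d+) F=(?P<frag>\S+) T=(?P<ttl>\d+)"
)

UDP = 17          # PROTO=17 in the log
NETBIOS_NS = 137  # NetBIOS name service port the resolver binds
DNS = 53


def parse_packet_log(line):
    """Parse one ipchains log line into a dict, or None if it is not one."""
    m = PACKET_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    return rec


def classify(recs):
    """Label one source's denied packets.

    'netbios-resolver-dns': every packet is UDP 137 -> 53, the pattern the
    thread attributes to the Windows resolver querying DNS from port 137.
    'dns-other-source-port': all DNS, but not from port 137.
    'mixed': anything else; worth a closer look.
    """
    if all(r["proto"] == UDP and r["sport"] == NETBIOS_NS and r["dport"] == DNS for r in recs):
        return "netbios-resolver-dns"
    if all(r["proto"] == UDP and r["dport"] == DNS for r in recs):
        return "dns-other-source-port"
    return "mixed"


def summarize_by_source(lines):
    """Group parsed records by source address and return {src: summary}.

    The TTL set is kept because a stable TTL per source (as in the quoted log:
    222 for one host, 127 for another) is what you would expect from a fixed
    path to a real host, rather than from varied or spoofed senders.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_packet_log(line)
        if rec is not None:
            groups[rec["src"]].append(rec)
    return {
        src: {
            "count": len(recs),
            "sports": sorted({r["sport"] for r in recs}),
            "dports": sorted({r["dport"] for r in recs}),
            "ttls": sorted({r["ttl"] for r in recs}),
            "verdict": classify(recs),
        }
        for src, recs in groups.items()
    }


if __name__ == "__main__":
    for src, info in summarize_by_source(SAMPLE_LOG.splitlines()).items():
        print(f"{src:10} n={info['count']:2} sports={info['sports']} "
              f"dports={info['dports']} ttl={info['ttls']} -> {info['verdict']}")
```

Run it against the real log with `summarize_by_source(open('/var/log/messages'))` (path assumed); the sources labelled `netbios-resolver-dns` are the ones matching the behaviour described in the reply, and the rule firing for them can be given its own non-logging DENY if the volume is drowning the rest of the file.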
Received on Jan 02 2001