Security Incidents mailing list archives
Re: udp traffic to port 137
From: saraceno () LL MIT EDU (Robert Saraceno, Jr.)
Date: Mon, 22 May 2000 09:13:35 -0400
These may be legit. If the machines they are trying to connect to are not registered via DNS, then some web servers eventually resort to NetBIOS to resolve "hostnames".

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On Behalf Of tobias wigand
Sent: Friday, May 19, 2000 5:17 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: udp traffic to port 137

hello all!

our firewall rejects this kind of traffic daily along with some normal netbios traffic from port 137 to port 137. i first thought of a misconfiguration of the firewall as all netbios ports should be filtered. but my packet sniffer showed that no packets are leaving our lan. does anyone know under which circumstances some machine would produce such traffic? are these portscans or just normal netbios connection attempts?

fw kernel: Packet log: input REJECT eth0 PROTO=17 209.176.2.71:21 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=57649 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 209.176.2.71:21 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=10546 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 209.176.2.71:21 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=18482 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 208.178.128.145:16458 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=19955 F=0x0000 T=107 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 208.178.128.145:16458 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=23539 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 208.178.128.145:16458 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=26355 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 128.177.244.100:463 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=4611 F=0x0000 T=108 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 128.177.244.100:463 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=13317 F=0x0000 T=108 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 128.177.244.100:463 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=29703 F=0x0000 T=108 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 128.177.244.100:221 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=1273 F=0x0000 T=108 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 128.177.244.100:221 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=25851 F=0x0000 T=108 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 128.177.244.100:221 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=37373 F=0x0000 T=108 (#104)

thanks for your help
tobias
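
A triage sketch for the rejected packets quoted above, added here as an example and not part of either poster's message: it parses the ipchains "Packet log" lines, groups UDP/137 hits by source and source port, and labels flows whose size and repeat count fit a NetBIOS name-service query. Assumptions: a 78-byte datagram is 20 bytes of IP header, 8 of UDP and a 50-byte single-question NBNS packet; the three-packet burst limit and the label names are heuristics chosen for this example.

```python
import re
from collections import defaultdict

# First six lines are from the post; the last line is constructed for contrast.
SAMPLE = """\
fw kernel: Packet log: input REJECT eth0 PROTO=17 209.176.2.71:21 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=57649 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 209.176.2.71:21 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=10546 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 209.176.2.71:21 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=18482 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 208.178.128.145:16458 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=19955 F=0x0000 T=107 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 208.178.128.145:16458 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=23539 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 208.178.128.145:16458 xxx.xxx.xxx.xxx:137 L=78 S=0x00 I=26355 F=0x0000 T=106 (#104)
fw kernel: Packet log: input REJECT eth0 PROTO=17 192.0.2.10:4000 xxx.xxx.xxx.xxx:137 L=29 S=0x00 I=1 F=0x0000 T=52 (#104)
"""

# ipchains fields: L = IP total length, I = IP id, T = TTL
LINE_RE = re.compile(
    r"Packet log: \w+ (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=\S+ I=(?P<ipid>\d+) F=\S+ T=(?P<ttl>\d+)")

NBNS_QUERY_LEN = 20 + 8 + 50  # IP + UDP + one-question NBNS packet (assumption)
MAX_BURST = 3                 # heuristic: a resolver gives up after a few tries

def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value."""
    return next(v for v in (32, 64, 128, 255) if ttl <= v)

def summarize(text):
    """Group UDP/137 hits by (source, source port) and label each flow."""
    flows = defaultdict(list)
    for m in LINE_RE.finditer(text):
        if m["proto"] == "17" and m["dport"] == "137":
            flows[(m["src"], int(m["sport"]))].append(m)
    report = {}
    for key, hits in flows.items():
        lengths = {int(h["length"]) for h in hits}
        lookup_like = lengths == {NBNS_QUERY_LEN} and len(hits) <= MAX_BURST
        report[key] = {
            "packets": len(hits),
            "lengths": sorted(lengths),
            "initial_ttl": initial_ttl(max(int(h["ttl"]) for h in hits)),
            # The label only says size and count fit a lookup; it proves nothing.
            "label": "nbns-name-query-like" if lookup_like else "review",
        }
    return report

if __name__ == "__main__":
    for flow, info in summarize(SAMPLE).items():
        print(flow, info)
```

Correlating the flagged sources against outbound proxy or web logs for the same time window shows whether each lookup followed a connection from inside the LAN.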