a different, stranger port 137 activity (security.incidents, msg#00176)
We've been experiencing a lot of strange port 137 traffic from one of our IPs behind our firewall to somewhere offsite. I've been trying to track it down but I have been unsuccessful at it. Anyways, I've noticed earlier postings about port 137 traffic and they posted the packets, which look similar to mine. But, when I looked at the machine, the machine didn't have any of the files associated with that virus/trojan. I did a tcpdump and the results are posted below. Both of the machines are behind the firewall and port 137 is not open. Now all this has been happening to a web server / real audio server for a while now. When I plugged my laptop in to do the dump, I got the following information. The weird part about it is that it was mostly directed at my laptop as opposed to an IP on their network. The times for all the packets are listed below. The packets, for the most part, look about the same.

Here are the times this occurs... [The IP is 65.209.25.3, my laptop is [my laptop ip], and internal web server is the internal real audio/web server]

```
14:43:30 > ip to my laptop
14:43:31 > my laptop to ip
14:43:33 > my laptop to ip
14:43:34 > my laptop to ip
14:45:36 > ip to internal web server
15:00:38 > ip to my laptop
15:02:44 > ip to internal web server
```

```
14:43:30.804208 65.209.25.3.137 > [my laptop ip].137: >>> NBT UDP PACKET(137): OPUNKNOWN; REQUEST; BROADCAST
0x0000 4500 004c 0e51 0000 7011 56ed 41d1 1903 E..L.Q..p.V.A...
0x0010 9289 f805 0089 0089 0038 0a8c 0203 09f9 .........8......
0x0020 0000 6039 0000 0d26 8076 1903 c159 9149 ..`9...&.v...Y.I
0x0030 b0f3 35f0 4141 4141 4100 0021 c159 8de0 ..5.AAAAA..!.Y..
0x0040 aa28 a1e0 c159 9162 a944 6738           .(...Y.b.Dg8

14:43:31.611945 [my laptop ip].137 > 65.209.25.3.137: >>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
0x0000 4500 004e 0896 0000 8011 4ca6 9289 f805 E..N......L.....
0x0010 41d1 1903 0089 0089 003a 5a15 80b6 0000 A........:Z.....
0x0020 0001 0000 0000 0000 2043 4b41 4141 4141 .........CKAAAAA
0x0030 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0040 4141 4141 4141 4141 4100 0021 0001      AAAAAAAAA..!..

14:43:33.110058 [my laptop ip].137 > 65.209.25.3.137: >>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
0x0000 4500 004e 0897 0000 8011 4ca5 9289 f805 E..N......L.....
0x0010 41d1 1903 0089 0089 003a 5a14 80b7 0000 A........:Z.....
0x0020 0001 0000 0000 0000 2043 4b41 4141 4141 .........CKAAAAA
0x0030 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0040 4141 4141 4141 4141 4100 0021 0001      AAAAAAAAA..!..

14:43:34.612213 [my laptop ip].137 > 65.209.25.3.137: >>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
0x0000 4500 004e 0898 0000 8011 4ca4 9289 f805 E..N......L.....
0x0010 41d1 1903 0089 0089 003a 5a13 80b8 0000 A........:Z.....
0x0020 0001 0000 0000 0000 2043 4b41 4141 4141 .........CKAAAAA
0x0030 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0040 4141 4141 4141 4141 4100 0021 0001      AAAAAAAAA..!..
```

Any help would be greatly appreciated! I just don't quite understand how this IP is getting through our firewall since there are no conduits open on port 137.

Thanks in advance!

Mike

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
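The two datagrams in the dump above can be decoded by hand with a short NBT name-service parser. This is an added example, not code from the post or from the list: it copies the hex bytes of the inbound packet and of the laptop's first reply from the dump, then parses the IP/UDP headers and the NBT header and question section per RFC 1002 (Python 3, standard library only).

```python
import struct

# Hex bytes copied from the tcpdump output in the post: the inbound datagram
# from 65.209.25.3 and the first reply the laptop sent back to it.
INBOUND_HEX = """4500 004c 0e51 0000 7011 56ed 41d1 1903 9289 f805 0089 0089 0038 0a8c 0203 09f9
0000 6039 0000 0d26 8076 1903 c159 9149 b0f3 35f0 4141 4141 4100 0021 c159 8de0
aa28 a1e0 c159 9162 a944 6738"""
OUTBOUND_HEX = """4500 004e 0896 0000 8011 4ca6 9289 f805 41d1 1903 0089 0089 003a 5a15 80b6 0000
0001 0000 0000 0000 2043 4b41 4141 4141 4141 4141 4141 4141 4141 4141 4141 4141
4141 4141 4141 4141 4100 0021 0001"""

OPCODES = {0: "QUERY", 5: "REGISTRATION", 6: "RELEASE", 7: "WACK", 8: "REFRESH"}
QTYPES = {0x20: "NB", 0x21: "NBSTAT"}   # NB = name query, NBSTAT = node status request

def decode_nbt_name(encoded):
    """Undo RFC 1001 first-level encoding: each nibble is sent as 'A' + nibble."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    # 16 decoded bytes: 15-byte NetBIOS name (null/space padded) plus a 1-byte suffix
    return raw[:15].rstrip(b"\x00 ").decode("ascii", "replace"), raw[15]

def parse_nbt_datagram(hexdump):
    """Parse an IPv4/UDP/NBT name-service datagram given as a tcpdump hex dump."""
    pkt = bytes.fromhex("".join(hexdump.split()))
    ihl = (pkt[0] & 0x0F) * 4
    nbt = pkt[ihl + 8:]                       # skip IP header and 8-byte UDP header
    trn_id, flags, qd, an, ns, ar = struct.unpack("!6H", nbt[:12])
    opcode, nm_flags = (flags >> 11) & 0x0F, (flags >> 4) & 0x7F
    info = {
        "trn_id": trn_id, "response": bool(flags >> 15),
        "opcode": OPCODES.get(opcode, "OPUNKNOWN(%d)" % opcode),
        "broadcast": bool(nm_flags & 1), "reserved_bits_set": bool(nm_flags & 0b110),
        "rcode": flags & 0x0F, "counts": (qd, an, ns, ar),
        # a question needs at least 38 bytes, so large counts cannot fit the payload
        "counts_plausible": (qd + an + ns + ar) * 38 <= len(nbt) - 12,
        "questions": [],
    }
    pos = 12
    for _ in range(qd if info["counts_plausible"] else 0):
        if nbt[pos] != 32 or nbt[pos + 33] != 0:   # 32-char encoded label, then root
            break
        name, suffix = decode_nbt_name(nbt[pos + 1:pos + 33])
        qtype, qclass = struct.unpack("!HH", nbt[pos + 34:pos + 38])
        info["questions"].append((name, suffix, QTYPES.get(qtype, hex(qtype)), qclass))
        pos += 38
    return info

if __name__ == "__main__":
    for label, dump in (("inbound", INBOUND_HEX), ("laptop reply", OUTBOUND_HEX)):
        print(label, parse_nbt_datagram(dump))
```

The inbound datagram carries opcode 1, which RFC 1002 does not define (hence tcpdump's OPUNKNOWN), has reserved flag bits set and claims record counts that cannot fit in a 48-byte payload; the laptop's replies are ordinary node-status (NBSTAT, type 0x21) queries for the wildcard name "*", the same request `nbtstat -A` sends.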