Scan or just silly behavior?

Markus Pfeiffer profmakx.fmp at
Wed Sep 20 10:28:13 GMT 2000


I also experienced scans here in Germany (I´m a T-Online user) and it is 
quasi-normal that there are port scans every 5-10 Minutes or so (let me 
guess: script kiddies etc ) they Do not understand an code and quite 
often use silly programs and firewalls which are quite misconfgured. I 
nuked some of them who tried more than ten times (told my provider). I 
can even find out their names because they use too good configured Linux 
boxes :-).
But there are also Netbios scans from computers in the same net from 
people who are using M$ winbloed and didnt deactivate the sharing 
capability for their internet device. It could also be that there are 
samba boxes which do the same thing. That would explain the behaviour. 
There are quite a few of these boxes online its the same problem here, 
but I told my samba not to send or listen on any interface which is 
connected to the internet AND blocked them on my firewall. Then there are 
no worries I hope!!


>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 9/20/00, 4:54:50 AM, Christopher "R." Hertel <crh at> wrote 
regarding Scan or just silly behavior?:

> I'm confused.

> I have a home firewall (as does everyone with home connectivity, right?)
> and I've been seeing what appear to be scans against NetBIOS ports.  All
> of the scans are sourced from cable provider's networks (RoadRunner and
> @Home, in particular--I can't tell if is really @Home or not).
> The source changes, though, and each scan has the same pattern.

> Scans against NetBIOS-NS (UDP/137) always come in 3's and scans against
> NetBIOS-SSN (TCP/139) always in 4's.

> Now, I know that the normal number of name service retries is 3, so I
> expect to see three tries against UDP/137.  (If this is a scanner, then
> the author doesn't understand the code.  Why retry three times if you're
> scanning for vulnerabilities--your goal is to be fast, not meticulous.)

> I'm also aware that Microsoft's IP reverse name resolution tries an
> Adapter Status call before actually going to the DNS (go figure), so 
> is always the possibility that this is some sort of reverse lookup.  But
> why?  Hmmm...

> Also, there's the NetBIOS-SSN probes.  None of the lines listed below are
> >from the same source.  The number in the third column represents 
> Again, I'm seeing 4 retries per NetBIOS-SSN attempt.

> ### Traffic by destination address:
> []
>         we0      block     3    udp     netbios-ns <- netbios-ns
>         we0      block     3    udp     netbios-ns <- netbios-ns
>         we0      block     4    tcp    netbios-ssn <- <3570>
>         we0      block     4    tcp    netbios-ssn <- <2229>
>         we0      block     4    tcp    netbios-ssn <- <2338>
>         we0      block     4    tcp    netbios-ssn <- <2711>

> I'm going to try doing some sniffing to see what's in these.  I'm 
> I guess.  I thought that @Home was blocking the NetBIOS service ports but
> it seems not.  I'm on MediaOne (RoadRunner), and I really do recommend
> that people put a firewall.  My own is a 486DX2/66 running OpenBSD.  Cost
> me all of $30 for the parts (and that was over a year ago).

> Chris -)-----

> --
> Samba Team --         -)-----   Christopher R. Hertel
> jCIFS Team --   -)-----   ubiqx development, 
> ubiqx Team --     -)-----   Open Source utilities
> Amiga Team --     -)-----   crh at

More information about the samba-technical mailing list