Scan or just silly behavior?
Christopher R. Hertel
crh at nts.umn.edu
Wed Sep 20 15:08:44 GMT 2000
> I also experienced scans here in Germany (I'm a T-Online user) and it is
> quasi-normal that there are port scans every 5-10 minutes or so (let me
> guess: script kiddies etc.) they do not understand any code and quite
> often use silly programs and firewalls which are quite misconfigured. I
> nuked some of them who tried more than ten times (told my provider). I
> can even find out their names because they use too well configured Linux
> boxes :-).

My base assumption is that this is some kind of script-kiddie trick. The
NetBIOS-NS probes are more curious to me as I know that there are some
cases in which a Windows box will send out such queries as part of normal
operation. I don't know if this is what's happening and, if so, why some
odd Windows box somewhere would have my IP address and need to look it up.
More likely, as you say, it's a dumb script.

> But there are also NetBIOS scans from computers in the same net from
> people who are using M$ winbloed and didn't deactivate the sharing
> capability for their internet device. It could also be that there are
> Samba boxes which do the same thing. That would explain the behaviour.

True, if the messages were from addresses in the same broadcast domain,
but the probes are coming from outside my area and from service providers
other than my own. Also, that doesn't explain the NetBIOS-SSN packets,
which are not broadcast.

> There are quite a few of these boxes online; it's the same problem here,
> but I told my Samba not to send or listen on any interface which is
> connected to the internet AND blocked them on my firewall. Then there are
> no worries I hope!!

Sounds like a good solution. I'm dismayed by the Linux packages that
come with Samba turned on by default. Then again, many PC vendors load
Windows and turn file sharing on by default. This is how we noticed the
bug in W/95 that causes blue screen of death if two boxes on the same
wire have the same name.

Christopher R. Hertel -)-----   University of Minnesota
crh at nts.umn.edu              Networking and Telecommunications Services

Ideals are like stars; you will not succeed in touching them
with your hands...you choose them as your guides, and following
them you will reach your destiny. --Carl Schultz
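
The mitigation discussed in this thread (keeping Samba off the Internet-facing interface) can be checked mechanically. The following is an added example, not part of the original message or of Samba itself: it audits the `[global]` section of an smb.conf for the real Samba parameters `interfaces` and `bind interfaces only`. The interface names (ppp0, eth0), the sample configs and the function names are assumptions, and the firewall half of the mitigation is not covered.

```python
from fnmatch import fnmatchcase

# Constructed sample configs (not from the thread). Assumption: ppp0 is the
# Internet-facing link and eth0 the internal LAN.
EXPOSED = """
[global]
   workgroup = HOME
   interfaces = eth0 ppp0
"""
RESTRICTED = """
[global]
   workgroup = HOME
   interfaces = eth0 lo
   bind interfaces only = yes
"""

def parse_global(text):
    """Collect [global] parameters. smb.conf parameter names ignore case and
    embedded spaces. Simplification: backslash continuations are not handled."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.split()).lower()] = value.strip()
    return params

def audit_smb_conf(text, external_ifaces):
    """Return findings; an empty list means Samba stays off external_ifaces."""
    params = parse_global(text)
    findings = []
    if params.get("bindinterfacesonly", "no").lower() not in ("yes", "true", "on", "1"):
        findings.append("bind interfaces only is not enabled")
    entries = params.get("interfaces", "").replace(",", " ").split()
    if not entries:
        findings.append("interfaces is unset, so Samba chooses interfaces itself")
    for entry in entries:
        # Entries may be wildcards such as eth*; IP/netmask entries are not resolved.
        for ext in sorted(external_ifaces):
            if fnmatchcase(ext, entry):
                findings.append(f"interfaces entry {entry} covers external {ext}")
    return findings

if __name__ == "__main__":
    for name, conf in (("EXPOSED", EXPOSED), ("RESTRICTED", RESTRICTED)):
        print(name, audit_smb_conf(conf, {"ppp0"}) or "ok")
```
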