Scan or just silly behavior?
Markus Pfeiffer
profmakx.fmp at gmx.de
Wed Sep 20 10:28:13 GMT 2000
Hi!
I also experienced scans here in Germany (I'm a T-Online user) and it is
quasi-normal that there are port scans every 5-10 minutes or so (let me
guess: script kiddies etc.). They do not understand any code and quite
often use silly programs and firewalls which are quite misconfigured. I
nuked some of them who tried more than ten times (told my provider). I
can even find out their names because they use too well configured Linux
boxes :-).
But there are also NetBIOS scans from computers in the same net from
people who are using M$ winbloed and didn't deactivate the sharing
capability for their internet device. It could also be that there are
Samba boxes which do the same thing. That would explain the behaviour.
There are quite a few of these boxes online, it's the same problem here,
but I told my Samba not to send or listen on any interface which is
connected to the internet AND blocked them on my firewall. Then there are
no worries I hope!!
Cheers
Markus
>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
On 9/20/00, 4:54:50 AM, Christopher "R." Hertel <crh at ubiqx.mn.org> wrote
regarding Scan or just silly behavior?:
> I'm confused.
> I have a home firewall (as does everyone with home connectivity, right?)
> and I've been seeing what appear to be scans against NetBIOS ports. All
> of the scans are sourced from cable provider's networks (RoadRunner and
> @Home, in particular--I can't tell if shaw.ca is really @Home or not).
> The source changes, though, and each scan has the same pattern.
> Scans against NetBIOS-NS (UDP/137) always come in 3's and scans against
> NetBIOS-SSN (TCP/139) always in 4's.
> Now, I know that the normal number of name service retries is 3, so I
> expect to see three tries against UDP/137. (If this is a scanner, then
> the author doesn't understand the code. Why retry three times if you're
> scanning for vulnerabilities--your goal is to be fast, not meticulous.)
> I'm also aware that Microsoft's IP reverse name resolution tries an
> Adapter Status call before actually going to the DNS (go figure), so there
> is always the possibility that this is some sort of reverse lookup. But
> why? Hmmm...
> Also, there's the NetBIOS-SSN probes. None of the lines listed below are
> from the same source. The number in the third column represents retries.
> Again, I'm seeing 4 retries per NetBIOS-SSN attempt.
> ### Traffic by destination address:
> ubiqx.mn.org [192.168.100.2]
> we0 block 3 udp netbios-ns <- netbios-ns
> we0 block 3 udp netbios-ns <- netbios-ns
> we0 block 4 tcp netbios-ssn <- <3570>
> we0 block 4 tcp netbios-ssn <- <2229>
> we0 block 4 tcp netbios-ssn <- <2338>
> we0 block 4 tcp netbios-ssn <- <2711>
> I'm going to try doing some sniffing to see what's in these. I'm curious,
> I guess. I thought that @Home was blocking the NetBIOS service ports but
> it seems not. I'm on MediaOne (RoadRunner), and I really do recommend
> that people put a firewall. My own is a 486DX2/66 running OpenBSD. Cost
> me all of $30 for the parts (and that was over a year ago).
> Chris -)-----
> --
> Samba Team -- http://samba.org/ -)----- Christopher R. Hertel
> jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
> ubiqx Team -- http://www.ubiqx.org/ -)----- Open Source utilities
> Amiga Team -- http://www.amiga.com/ -)----- crh at ubiqx.mn.org
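As an added example that is not part of the original thread: a small parser for the firewall summary lines Chris quotes (the column layout, interface / action / retry count / protocol / destination service / source port, is assumed from the six lines shown), which tags NetBIOS-NS and NetBIOS-SSN entries and checks each retry count against the 3-per-NS / 4-per-SSN pattern he describes, so an entry that breaks the pattern stands out in a larger log.

```python
import re
from collections import Counter

# Constructed sample in the layout of the summary lines quoted in the thread;
# the last line is added here to show an entry that breaks the pattern.
SAMPLE_LOG = """\
we0 block 3 udp netbios-ns <- netbios-ns
we0 block 3 udp netbios-ns <- netbios-ns
we0 block 4 tcp netbios-ssn <- <3570>
we0 block 4 tcp netbios-ssn <- <2229>
we0 block 4 tcp netbios-ssn <- <2338>
we0 block 4 tcp netbios-ssn <- <2711>
we0 block 1 tcp netbios-ssn <- <4011>
"""

# Source port is either a service name (netbios-ns) or a number in <...>.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<action>\S+)\s+(?P<count>\d+)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<dst>\S+)\s+<-\s+<?(?P<src>[^>\s]+)>?$"
)

# Retry counts the thread reports as the usual pattern per NetBIOS service.
EXPECTED_RETRIES = {("udp", "netbios-ns"): 3, ("tcp", "netbios-ssn"): 4}

def parse_line(line):
    """Return a dict for one summary line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec

def classify(rec):
    """Label a record: 'ns-retry', 'ssn-retry', 'netbios-odd' or 'other'."""
    key = (rec["proto"], rec["dst"])
    if key not in EXPECTED_RETRIES:
        return "other"
    if rec["count"] == EXPECTED_RETRIES[key]:
        return "ns-retry" if rec["dst"] == "netbios-ns" else "ssn-retry"
    return "netbios-odd"  # NetBIOS probe whose retry count breaks the pattern

def summarize(text):
    """Count classifications over a block of summary lines; skip unparsable lines."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[classify(rec)] += 1
    return dict(counts)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```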