Re: [SLUG] scans

From: Robert Foxworth (rfoxwor1@tampabay.rr.com)
Date: Thu Dec 12 2002 - 19:50:55 EST


I just ran a 2-hour-plus pkt capture on my public interface, catching
everything except ARP (ARP is 80 to 90% of all ethernet traffic
on my rr connection). There was a single attempt at port 137
during this time, from 67.89.57.118. Normally I see 15 to 20
different unID IPs in a day, well over half are trying 137. However it
is just because these fellows think RR will be all Windows
machines on THIS end, and are easy pickings. It is not a RR-centric
issue; one never sees (or should never see) any IP traffic to/from anyone
else on his local HFC. I never do, just see unACK ARPs from the local
gateways to various machines. BTW There are 6 subnets of /24 on my
branch. Not too bad; last year there were 13.

Bottom line: I do not see any evidence of the 137 udp storm
referred to by the original poster. What type address are you on, Jeff?

Bob

----- Original Message -----
From: "jeff" <jdavis70@tampabay.rr.com>
To: <slug@nks.net>
Sent: Thursday, December 12, 2002 17:19
Subject: Re: [SLUG] scans

> Matt Miller wrote:
> > On Thu, 2002-12-12 at 15:32, jeff wrote:
> >
> >> Has anyone else noticed an increase in port scans in the last few
> >>hours? I am getting around 40 hits an hour, almost all of them on 137.
> >>Is there a new worm making the rounds or what?
> >
> >
> > It's just the netbios name-service -- pretty normal on a public "LAN"
> > like RR. Could be just a result of the average joe without any type of
> > firewall protecting their Windows boxes.
>
> I was just curious because I usually only get a few hits per day, then
> all of a sudden I started getting hundreds for no apparent reason. I did
> WHOIS lookups on some of them and most of the machines traced back to
> Asia and Spain, with a few in South Africa. The wide geographic spread
> seemed to be the activity of a worm.
>
> Jeff
>



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:12:03 EDT