Getting SLAMMED with TCP 137 probes....new nastyware out there?
Page 1 of 2 12 LastLast
Results 1 to 10 of 17

Thread: Getting SLAMMED with TCP 137 probes....new nastyware out there?

  1. #1

    Getting SLAMMED with TCP 137 probes....new nastyware out there?

    hey

    I'm presently getting inundated with incoming NetBIOS probles from all over the place.....ois there someting going on (as in a worm)?

  2. #2
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    It could be W32.Bird.A@MM. It is new and it will try and spread via network shares.


    Cheers:
    DjM

  3. #3
    Shadow Programmer mmelby's Avatar
    Join Date
    Jul 2002
    Location
    Ft. Myers, FL
    Posts
    291
    I just checked my IDS logs and I am not seeing anything unusual yet....
    Work... Some days it's just not worth chewing through the restraints...

  4. #4
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001
    Posts
    852
    When BugBear first was exposed, my firewall at my house was getting slammed with 137's as well - I did some checking, and I concluded that the probes were more than likely BugBear infected machines...
    - Maverick

  5. #5
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Agree with Maverick. A good place to look if you are getting inundated with traffic is :

    www.incidents.org

    They have a distrubted IDS type system setup where people supply firewalls and ids logs to report who is scanning/doing bad things. You can at least see if other people are seeing the type of traffic you are seeing, and what, if they know, is causing it...

    You should see one of the first titles there is increased 137 scans...probably your culprit.

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  6. #6
    Senior Member
    Join Date
    Jul 2001
    Posts
    343

    Red face Probes.....

    Hi all;
    There is this real neat program that will do just what you are seening...
    It will run on all of the M$ os's

    http://www.rawlogic.com/

    It is a real good way to test your own shares
    as well....

    I guess Neat is a little heavy for a tool that will scan
    both class "c"s and "b"s with no extra input
    and can be used to break into a computer.....

    Sorry...long day...been working outside installing some customer equipment
    Franklin Werren at www.bagpipes.net
    Yes I do play the Bagpipes!

    And learning to Play the Bugle

  7. #7
    Senior Member
    Join Date
    Apr 2002
    Posts
    214
    ever since i got ADSL and set up a small four-computer home lan, my router has been catching scans from computers...destined for ports 137-139. At first I reported them to my ISP...but I never got a response so I assumed they did nothing so I just ignore it now.

    As long as your firewall is catching...and stopping (duhh) it, then I wouldn't worry about it, but that's just me.
    Either get busy living or get busy dying.

    -The Sawshank Redemption

  8. #8
    Senior Member
    Join Date
    Oct 2002
    Posts
    181
    I'm been getting the same but on 137 but via UDP, at the rate of one a minuate, and like you said they are from all over the place
    I\'m a SittingDuck, but the question is \"Is your web app a Sitting Duck?\"

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Are you sure they're not replies to packets your Windoze machine sends out?

    Does your windoze box send DNS requests originating from 137?

    Or is your box sending its own NETBIOS-NS requests and recieving responses from them?

    Do you have the contents of a few packets you could share with us?

  10. #10
    Member
    Join Date
    Oct 2002
    Posts
    34

    Post

    Personally, my firewall is set up to block certain ports, and 137 - 139 is one of them, I usually block TCP and UDP if posible. You might wanna do same, that way you wont have to worry about it. If my memory serves me right 139 is like a finger...info look up. All you IRC people might know what finger cmd is.
    [gloworange]I pLaY mY eNeMyS lIkE a ChEsS.[/gloworange]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides