From owner-freebsd-isp Fri Mar 6 14:13:08 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA01734 for freebsd-isp-outgoing; Fri, 6 Mar 1998 14:13:08 -0800 (PST) (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: (from jmb@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA01725; Fri, 6 Mar 1998 14:13:03 -0800 (PST) (envelope-from jmb)
From: "Jonathan M. Bresler"
Message-Id: <199803062213.OAA01725@hub.freebsd.org>
Subject: Re: Port 137 access - somebody monkeying around?
In-Reply-To: from David Babler at "Mar 6, 98 01:35:26 pm"
To: root@Rigel.orionsys.com (David Babler)
Date: Fri, 6 Mar 1998 14:13:03 -0800 (PST)
Cc: freebsd-isp@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

David Babler wrote:
>
> Perhaps this might belong to FreeBSD-security, but what the hey - it
> involves ISPs too...
>
> My ipfw rules deny and log all services that I don't support here, and
> I've noticed that I will often see a string of access attempts on my port
> 137 (NetBIOS Name Service) from foreign addresses (not once from any of my
> dialup customers). I was under the impression that these contacts might be
> Bad Guys trying to take advantage of some known exploit, thinking I was
> running NT or something. Is that a valid assumption, or is there some

microsoft machines trying to assimilate your site! beware!

seriously, it is hard to tell about intent with analyzing the packets that you see. there is/was one or more attacks you can mount against microsoft boxes by hitting port 137.

microsoft boxes spew stuff to port 137 and 138 constantly. we see these packets on both sides of our firewall. not too long ago, a university sysadmin was trying to use jetadmin (from hp) to admin our printers from across the internet. ;)

jmb

> legitimate reason why foreign IPs should be trying to connect to that
> port? I complained once to a system one of whose dialup customers
> continued a port 137 probe on and off for an hour. When the user was
> contacted, he claimed he had NO IDEA what we were talking about, that he
> might have just "tried something" with a browser.
>
> Am I being too paranoid?
>
> -Dave
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
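
An added example, not part of the original thread: a Python script that groups ipfw deny entries for ports 137/138 by source address, so an on-and-off run lasting most of an hour can be told apart from a brief burst. The syslog line layout, the sample lines (documentation addresses), the year default and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (documentation addresses). Assumed syslog layout:
# "<date> <host> /kernel: ipfw: <rule> Deny <proto> src:port dst:port in via <if>"
SAMPLE_LOG = """\
Mar  6 13:02:11 gw /kernel: ipfw: 2000 Deny UDP 192.0.2.10:137 203.0.113.5:137 in via ed0
Mar  6 13:02:13 gw /kernel: ipfw: 2000 Deny UDP 192.0.2.10:137 203.0.113.5:137 in via ed0
Mar  6 13:05:40 gw /kernel: ipfw: 2000 Deny UDP 198.51.100.7:137 203.0.113.5:137 in via ed0
Mar  6 13:31:02 gw /kernel: ipfw: 2000 Deny UDP 198.51.100.7:137 203.0.113.5:137 in via ed0
Mar  6 14:04:55 gw /kernel: ipfw: 2000 Deny UDP 198.51.100.7:1029 203.0.113.5:138 in via ed0
Mar  6 14:05:01 gw /kernel: ipfw: 2100 Deny TCP 198.51.100.9:1040 203.0.113.5:23 in via ed0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?:/kernel: )?ipfw: \d+ Deny \w+ "
    r"(?P<src>[\d.]+):\d+ [\d.]+:(?P<dport>\d+) in via \S+")
NETBIOS_PORTS = {137, 138}  # the two ports named in the thread

def summarize(log_text, year=1998, min_hits=3, sustained_minutes=30):
    """Group denied NetBIOS packets by source; thresholds are arbitrary assumptions."""
    per_src = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "ports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) not in NETBIOS_PORTS:
            continue  # not an ipfw deny line, or a different service
        # syslog timestamps carry no year, so one is supplied (assumption)
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        s = per_src[m["src"]]
        s["hits"] += 1
        s["first"] = when if s["first"] is None else min(s["first"], when)
        s["last"] = when if s["last"] is None else max(s["last"], when)
        s["ports"].add(int(m["dport"]))
    for s in per_src.values():
        minutes = (s["last"] - s["first"]).total_seconds() / 60
        s["sustained"] = s["hits"] >= min_hits and minutes >= sustained_minutes
    return dict(per_src)

if __name__ == "__main__":
    for src, s in sorted(summarize(SAMPLE_LOG).items()):
        tag = "sustained" if s["sustained"] else "brief"
        print(f"{src:15} hits={s['hits']} ports={sorted(s['ports'])} "
              f"{s['first']:%H:%M}-{s['last']:%H:%M} {tag}")
```

A per-source summary like this describes how long and how often a source sent packets; as the reply says, it does not establish intent.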