From owner-freebsd-isp Fri Mar 6 14:38:06 1998
Message-ID: <35007AFA.475951E5@w3page.com>
Date: Fri, 06 Mar 1998 15:38:50 -0700
From: Blaine Minazzi
Organization: What, me organized?
To: David Babler
CC: freebsd-isp@FreeBSD.ORG
Subject: Re: Port 137 access - somebody monkeying around?

David Babler wrote:
>
> Perhaps this might belong to FreeBSD-security, but what the hey - it
> involves ISPs too...
>
> My ipfw rules deny and log all services that I don't support here, and
> I've noticed that I will often see a string of access attempts on my port
> 137 (NetBIOS Name Service) from foreign addresses (not once from any of my
> dialup customers). I was under the impression that these contacts might be
> Bad Guys trying to take advantage of some known exploit, thinking I was
> running NT or something. Is that a valid assumption, or is there some
> legitimate reason why foreign IPs should be trying to connect to that
> port? I complained once to a system one of whose dialup customers
> continued a port 137 probe on and off for an hour. When the user was
> contacted, he claimed he had NO IDEA what we were talking about, that he
> might have just "tried something" with a browser.

Bullshit. Sounds like he was trying to break into an NT box, or attack
through SAMBA.

> Am I being too paranoid?

You can NEVER be too paranoid, esp. on the net.

Next time it happens, contact the ISP, and tell them that the user is
trying to hack into your server.

Good luck,
Blaine