From owner-freebsd-isp Fri Mar 6 16:06:15 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA15836 for freebsd-isp-outgoing; Fri, 6 Mar 1998 16:06:15 -0800 (PST) (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: from m4.stox.sa.enteract.com (dyn-max3-55.chicago.il.ameritech.net [206.141.209.55]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA15818 for ; Fri, 6 Mar 1998 16:06:02 -0800 (PST) (envelope-from ken@stox.sa.enteract.com)
Received: from localhost (localhost.stox.sa.enteract.com [127.0.0.1]) by m4.stox.sa.enteract.com (8.8.8/8.6.12) with SMTP id SAA06352; Fri, 6 Mar 1998 18:05:45 -0600 (CST)
Date: Fri, 6 Mar 1998 18:05:44 -0600 (CST)
From: "Kenneth P. Stox"
To: David Babler
cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Port 137 access - somebody monkeying around?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Sounds like someone may be probing for targets of a teardrop attack. As
you may know, many sites (UC Berkeley, etc.) were attacked this week. The
attack did seem to target nets which had NT/Lose95 machines. I would
definitely keep an eye on it.

On Fri, 6 Mar 1998, David Babler wrote:

>
> Perhaps this might belong to FreeBSD-security, but what the hey - it
> involves ISPs too...
>
> My ipfw rules deny and log all services that I don't support here, and
> I've noticed that I will often see a string of access attempts on my port
> 137 (NetBIOS Name Service) from foreign addresses (not once from any of my
> dialup customers). I was under the impression that these contacts might be
> Bad Guys trying to take advantage of some known exploit, thinking I was
> running NT or something. Is that a valid assumption, or is there some
> legitimate reason why foreign IPs should be trying to connect to that
> port? I complained once to a system one of whose dialup customers
> continued a port 137 probe on and off for an hour. When the user was
> contacted, he claimed he had NO IDEA what we were talking about, that he
> might have just "tried something" with a browser.
>
> Am I being too paranoid?
>
> -Dave
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
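An added example, not part of the original thread: one way to triage the ipfw deny log described above, grouping port 137 attempts by source to separate a one-off packet from on-and-off probing over an hour. The log line layout, the thresholds, the function names and every address in the sample are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the usual FreeBSD ipfw syslog layout (assumed format).
SAMPLE_LOG = """\
Mar  6 14:02:11 gw /kernel: ipfw: 1200 Deny UDP 192.0.2.44:137 203.0.113.5:137 in via ed0
Mar  6 14:02:13 gw /kernel: ipfw: 1200 Deny UDP 192.0.2.44:137 203.0.113.5:137 in via ed0
Mar  6 14:31:40 gw /kernel: ipfw: 1200 Deny UDP 192.0.2.44:137 203.0.113.5:137 in via ed0
Mar  6 15:01:02 gw /kernel: ipfw: 1200 Deny UDP 192.0.2.44:137 203.0.113.5:137 in via ed0
Mar  6 14:10:00 gw /kernel: ipfw: 1200 Deny UDP 198.51.100.7:1027 203.0.113.5:137 in via ed0
Mar  6 14:12:00 gw /kernel: ipfw: 1300 Deny TCP 198.51.100.9:1044 203.0.113.5:23 in via ed0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*ipfw:\s+\d+\s+Deny\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):\d+\s+[\d.]+:(?P<dport>\d+)\s"
)

def summarize(log_text, port=137, year=1998):
    """Group denied packets to `port` by source: (count, first seen, last seen)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != port:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits[m["src"]].append(ts)
    return {src: (len(t), min(t), max(t)) for src, t in hits.items()}

def sustained(summary, min_hits=3, min_span=timedelta(minutes=30)):
    """Sources that kept trying: several hits spread over a long window."""
    return sorted(src for src, (n, first, last) in summary.items()
                  if n >= min_hits and last - first >= min_span)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, (n, first, last) in summary.items():
        print(f"{src:15} hits={n} span={last - first}")
    print("sustained:", sustained(summary))
```
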