Date: Thu, 22 Feb 2001 10:44:07 -0500
From: "Peter C. Lai" <sirmoo@cowbert.2y.net>
To: <cjclark@reflexnet.net>, "Michael Richards" <michael@fastmail.ca>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: Odd firewall messages
Message-ID: <005901c09ce6$4a895820$1e9e6389@137.99.156.23>
References: <3A94BF58.000023.66147@frodo.searchcanada.ca>
NetBIOS "scanning" is done many times by machines infected with the "Bymer" virus. Check your machines. "Bymer" looks for open (writable) NetBIOS shares to a root C:\ or a writable c:\windows (which is a stupid thing to do, but people sometimes forget to password or disable "full access") and that is its route of propagation. On our network here we look for a machine doing massive amounts of netbios udp sends, and suspect Bymer.

----- Original Message -----
From: "Michael Richards" <michael@fastmail.ca>
To: <cjclark@reflexnet.net>
Cc: <freebsd-security@FreeBSD.ORG>
Sent: Thursday, February 22, 2001 2:27 AM
Subject: Re: Odd firewall messages

>
> >> Anyone have any wisdom when it comes to decoding what I'm seeing
> >> here?
> >
> > That is the NetBIOS garbage that WinXX machines chatter with. You
> > redacted the destination IPs, were they broadcast addresses? Those
> > are NetBIOS name resolution packets. They could be hostile, but by
> > far the most probable scenario is someone with a misconfigured
> > network is leaking them. You would not happen to be living off of
> > a public broadcast domain?
>
> These were not broadcast addresses. In fact, some of the IPs were not
> even used. I assumed it was some sort of scanning but was not able to
> figure out how they were getting answers. It seems odd that providers
> would not filter outgoing packets if they are coming from IPs that
> don't belong to the ISP. We are hooked up directly to the core router
> at our service provider. No public or broadcast happening with us.
>
> The 137 seems to point to NetBIOS but there are others such as:
> 21/02/2001 10:54:22.184764 xl1 @0:6 b 10.3.0.146,1957 -> x.x.x.x,80
> PR tcp len 20 11264 -S IN
> That are hitting the webserver of our busiest server.
>
> I guess it's probably nothing to worry about.
>
> -Michael
> _________________________________________________________________
> http://fastmail.ca/ - Fast Free Web Email for Canadians

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
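Peter's heuristic (one host doing massive amounts of NetBIOS UDP sends) as a small detection script, added here and not part of the thread. It parses the ipmon-style log format Michael quoted, assuming the field order of his single example line, and runs over a constructed sample log.

```python
import re
from collections import defaultdict

# Regex for the ipmon log line shape quoted in the thread, e.g.
# "21/02/2001 10:54:22.184764 xl1 @0:6 b 10.3.0.146,1957 -> x.x.x.x,80 PR tcp len 20 11264 -S IN"
# Field order is assumed from that one line; trailing flags ("-S IN") are ignored.
IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<rule>\S+) (?P<action>[bp]) "
    r"(?P<src>[^,\s]+),(?P<sport>\d+) -> (?P<dst>[^,\s]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)"
)

def parse_ipmon_line(line):
    """Return a dict of fields for one ipmon line, or None if it does not match."""
    m = IPMON_RE.match(line.strip())
    return m.groupdict() if m else None

def netbios_udp_senders(lines, min_packets=3):
    """Count UDP datagrams to port 137 (NetBIOS name service) per source host.

    Returns {src: (packet_count, distinct_destinations)} for every source that
    sent at least min_packets such datagrams; those hosts deserve a look.
    """
    packets = defaultdict(int)
    targets = defaultdict(set)
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is None or rec["proto"] != "udp" or rec["dport"] != "137":
            continue
        packets[rec["src"]] += 1
        targets[rec["src"]].add(rec["dst"])
    return {src: (n, len(targets[src])) for src, n in packets.items() if n >= min_packets}

# Constructed sample log (not from the thread): 10.3.0.146 sprays name queries
# at several unrelated hosts, while 10.3.0.7 sends a single ordinary query.
SAMPLE_LOG = """\
21/02/2001 10:54:22.184764 xl1 @0:6 b 10.3.0.146,1957 -> 192.0.2.80,80 PR tcp len 20 11264 -S IN
21/02/2001 10:54:23.001200 xl1 @0:6 b 10.3.0.146,137 -> 192.0.2.11,137 PR udp len 20 78 IN
21/02/2001 10:54:23.002100 xl1 @0:6 b 10.3.0.146,137 -> 192.0.2.12,137 PR udp len 20 78 IN
21/02/2001 10:54:23.003000 xl1 @0:6 b 10.3.0.146,137 -> 192.0.2.13,137 PR udp len 20 78 IN
21/02/2001 10:54:23.003900 xl1 @0:6 b 10.3.0.146,137 -> 192.0.2.14,137 PR udp len 20 78 IN
21/02/2001 10:54:30.500000 xl1 @0:6 b 10.3.0.7,137 -> 192.0.2.11,137 PR udp len 20 78 IN
"""

if __name__ == "__main__":
    for src, (n, ndst) in netbios_udp_senders(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} UDP/137 packets to {ndst} distinct hosts, check for Bymer")
```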