From owner-freebsd-security Thu Feb 22 7:43:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from d156h168.resnet.uconn.edu (d156h168.resnet.uconn.edu [137.99.156.168]) by hub.freebsd.org (Postfix) with SMTP id 49DC837B4EC for ; Thu, 22 Feb 2001 07:43:15 -0800 (PST) (envelope-from sirmoo@cowbert.2y.net)
Received: (qmail 13389 invoked by alias); 22 Feb 2001 15:41:52 -0000
Received: from unknown (HELO sirmoobert) (137.99.158.30) by d156h168.resnet.uconn.edu with SMTP; 22 Feb 2001 15:41:52 -0000
Message-ID: <005901c09ce6$4a895820$1e9e6389@137.99.156.23>
From: "Peter C. Lai"
To: , "Michael Richards"
Cc:
References: <3A94BF58.000023.66147@frodo.searchcanada.ca>
Subject: Re: Odd firewall messages
Date: Thu, 22 Feb 2001 10:44:07 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

NetBIOS "scanning" is done many times by machines infected with the "Bymer" virus. Check your machines. "Bymer" looks for open (writable) NetBIOS shares to a root C:\ or a writable c:\windows (which is a stupid thing to do, but people sometimes forget to password or disable "full access") and that is its route of propagation.

On our network here we look for a machine doing massive amounts of NetBIOS UDP sends, and suspect Bymer.

----- Original Message -----
From: "Michael Richards"
To:
Cc:
Sent: Thursday, February 22, 2001 2:27 AM
Subject: Re: Odd firewall messages

>
> >> Anyone have any wisdom when it comes to decoding what I'm seeing
> >> here?
> >
> > That is the NetBIOS garbage that WinXX machines chatter with. You
> > redacted the destination IPs, were they broadcast addresses? Those
> > are NetBIOS name resolution packets. They could be hostile, but by
> > far the most probable scenario is someone with a misconfigured
> > network is leaking them. You would not happen to be living off of
> > a public broadcast domain?
>
> These were not broadcast addresses. In fact, some of the IPs were not
> even used. I assumed it was some sort of scanning but was not able to
> figure out how they were getting answers. It seems odd that providers
> would not filter outgoing packets if they are coming from IPs that
> don't belong to the ISP. We are hooked up directly to the core router
> at our service provider. No public or broadcast happening with us.
>
> The 137 seems to point to NetBIOS but there are others such as:
> 21/02/2001 10:54:22.184764 xl1 @0:6 b 10.3.0.146,1957 -> x.x.x.x,80
> PR tcp len 20 11264 -S IN
> that are hitting the webserver of our busiest server.
>
> I guess it's probably nothing to worry about.
>
> -Michael
> _________________________________________________________________
> http://fastmail.ca/ - Fast Free Web Email for Canadians

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
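Peter's heuristic (flag an internal host making massive numbers of NetBIOS UDP sends) can be checked mechanically against firewall logs of the kind Michael quoted. The Python below is an added example, not code from either poster or from FreeBSD: it assumes that log lines have the ipmon-style shape shown in the thread (date, time, interface, @rule, action, src,sport -> dst,dport, PR proto, len ...), uses constructed sample lines, and the names `parse_line` and `netbios_senders` and the threshold of 20 distinct targets are choices made here. It counts both raw sends and distinct destination hosts per source, and flags on distinct destinations, because a sweep across many neighbours is what separates a worm-style host from a chatty but legitimate Windows box.

```python
import re
from collections import defaultdict

# Regex written against the log-line shape quoted in the thread; it is an
# assumption about the format, not taken from ipfilter's documentation.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<rule>\S+) (?P<action>\S+) "
    r"(?P<src>[\d.x]+),(?P<sport>\d+) -> (?P<dst>[\d.x]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def netbios_senders(lines, min_targets=20):
    """Summarise UDP/137 traffic per source host.

    Returns {src: {"sends": total_packets, "targets": distinct_dst_hosts}}
    for every source that reached at least min_targets distinct destinations
    on UDP port 137. Unparseable lines are skipped rather than aborting.
    """
    sends = defaultdict(int)
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "udp" and rec["dport"] == "137":
            sends[rec["src"]] += 1
            targets[rec["src"]].add(rec["dst"])
    return {
        src: {"sends": sends[src], "targets": len(dsts)}
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }


def build_sample():
    """Constructed sample log: one sweeping host, one benign host, one TCP line."""
    lines = []
    # Constructed: 10.3.0.146 probes 25 neighbours on udp/137 (the Bymer-like pattern).
    for i in range(1, 26):
        lines.append(
            f"21/02/2001 10:54:{i:02d}.000000 xl1 @0:6 b "
            f"10.3.0.146,137 -> 192.0.2.{i},137 PR udp len 20 78 IN"
        )
    # Constructed: 10.3.0.10 resolves two names, which is normal Windows chatter.
    lines.append("21/02/2001 10:55:01.000000 xl1 @0:6 b 10.3.0.10,137 -> 192.0.2.1,137 PR udp len 20 78 IN")
    lines.append("21/02/2001 10:55:02.000000 xl1 @0:6 b 10.3.0.10,137 -> 192.0.2.2,137 PR udp len 20 78 IN")
    # The tcp/80 line quoted in the thread, with x.x.x.x exactly as it appears there.
    lines.append("21/02/2001 10:54:22.184764 xl1 @0:6 b 10.3.0.146,1957 -> x.x.x.x,80 PR tcp len 20 11264 -S IN")
    # A line in some other format, to show that the parser skips it.
    lines.append("kernel: ipfw: some unrelated message")
    return lines


if __name__ == "__main__":
    for src, info in sorted(netbios_senders(build_sample()).items()):
        print(f"{src}: {info['sends']} udp/137 sends to {info['targets']} distinct hosts")
```

Run it against a real ipmon log with `netbios_senders(open(path))` and lower `min_targets` to taste; the TCP line and the unrelated line are ignored because only UDP to port 137 is tallied.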