Date: Fri, 01 Dec 2000 14:22:39 -0500 From: Bob Johnson <bob@eng.ufl.edu> To: melon@orangenetwork.net Cc: freebsd-security@freebsd.org Subject: Re[2]: 137/udp Message-ID: <3A27FA7F.D2604732@eng.ufl.edu>
next in thread | raw e-mail | index | archive | help
> Date: Fri, 01 Dec 2000 21:50:17 +0900 > From: Melon <melon@orangenetwork.net> > Subject: Re[2]: 137/udp > > Hello, > > I'm not familiar with NetBIOS behavior, but I know 137/udp (source) -> > 53/udp (destination) is used for name resolving. > > All of Windows and Windows NT clients here are not installed Microsoft > network sharing service, but I have Samba server for these Windows > clients as the file server. > > I expected any of 137/udp packets incoming from outside of my LAN are > illegal before. > > I wanted to know... > > * How 137/udp packet is sent for my network from Internet? > * All of 137/udp packets are intended for portscan or explicit attack? Port 137/udp packets are not necessarily hostile. See http://www.robertgraham.com/pubs/firewall-seen.html#10 for a discussion of this. > > I have missed to tell this... > When 137/udp was sent here (the PC I'm writing this e-mail; Windows 98 SE), > I was running Napster just for uploading a file. > I'm logging an IP address of all 6699/tcp connections for security > reason. Since I was doing tail -f [logname_for_my_firewall], I found > 6699/tcp and 137/udp were coming from the same IP address. I asked > him/her "Did you do something for my computer?" using Napster, I > expected he or she would ignore my stupid question if he/she really or > explicitly attacked me. However, the person who were connecting from the > IP address was replied me and not seemed cracker. If you are connected to a Napster server, you will see a lot of miscellaneous traffic as people search for song titles, etc. This is probably part of that. > I have talked with so much entry-level pc users, so I asked him/her > detailed PC related question. I can't believe he/she have attacked me. > > Now, I got problem. I expected *all* 137/udp from the outside are only > intended > for cracking. So I would like to know the 2 points listed above. > > - - Melon > -- Bob Johnson To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A27FA7F.D2604732>