From owner-freebsd-security Fri Dec 1 11:23: 5 2000
Delivered-To: freebsd-security@freebsd.org
Received: from wasp.eng.ufl.edu (wasp.eng.ufl.edu [128.227.116.1])
    by hub.freebsd.org (Postfix) with ESMTP id 4B1DC37B400
    for ; Fri, 1 Dec 2000 11:23:02 -0800 (PST)
Received: from eng.ufl.edu (scanner.engnet.ufl.edu [128.227.152.221])
    by wasp.eng.ufl.edu (8.9.3/8.9.3) with ESMTP id OAA26271;
    Fri, 1 Dec 2000 14:22:42 -0500 (EST)
Message-ID: <3A27FA7F.D2604732@eng.ufl.edu>
Date: Fri, 01 Dec 2000 14:22:39 -0500
From: Bob Johnson
Organization: University of Florida
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 3.4-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: melon@orangenetwork.net
Cc: freebsd-security@freebsd.org
Subject: Re[2]: 137/udp
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Date: Fri, 01 Dec 2000 21:50:17 +0900
> From: Melon
> Subject: Re[2]: 137/udp
>
> Hello,
>
> I'm not familiar with NetBIOS behavior, but I know 137/udp (source) ->
> 53/udp (destination) is used for name resolving.
>
> All of the Windows and Windows NT clients here do not have the Microsoft
> network sharing service installed, but I have a Samba server for these
> Windows clients as the file server.
>
> Before, I expected any 137/udp packets incoming from outside of my LAN
> to be illegal.
>
> I wanted to know...
>
> * How is a 137/udp packet sent to my network from the Internet?
> * Are all 137/udp packets intended for a portscan or explicit attack?

Port 137/udp packets are not necessarily hostile. See
http://www.robertgraham.com/pubs/firewall-seen.html#10
for a discussion of this.

>
> I forgot to mention this...
> When 137/udp was sent here (the PC I'm writing this e-mail on; Windows 98 SE),
> I was running Napster just for uploading a file.
> I'm logging the IP address of all 6699/tcp connections for security
> reasons. Since I was doing tail -f [logname_for_my_firewall], I found
> 6699/tcp and 137/udp were coming from the same IP address. I asked
> him/her "Did you do something for my computer?" using Napster. I
> expected he or she would ignore my stupid question if he/she had really or
> explicitly attacked me. However, the person who was connecting from the
> IP address replied to me and did not seem to be a cracker.

If you are connected to a Napster server, you will see a lot of
miscellaneous traffic as people search for song titles, etc. This
is probably part of that.

> I have talked with so many entry-level PC users, so I asked him/her
> a detailed PC-related question. I can't believe he/she has attacked me.
>
> Now, I have a problem. I expected *all* 137/udp from the outside to be
> intended only for cracking. So I would like to know the 2 points listed
> above.
>
> - - Melon
>

--
Bob Johnson