Heavy NetBIOS scanning - new tool?
jeff01 at email.unc.edu
Mon Jun 17 15:24:58 GMT 2002
We've recently seen a lot of heavy NetBIOS scanning. It's interesting
what they're doing, and I'm not sure I understand it. Check it out:
The protocol is SAMR (related to the SAM password file?) or possibly the
SMB PIPE protocol. Here is a sample of the requests:
It looks like account enumeration, though I have a constant netstat
process running on the machine that I got the traces from and I see no
one connected (even via NULL session). The scan begins with a probing
of IPC$, ADMIN$, C$, and D$. I think we're seeing a new tool, possibly
related to the Fluxay scanner which hit us so hard with RemoteNC.
Anyone else seen something similar? Perhaps this is something that is
trying to remotely crack passwords, as I did notice a local userid
running through the data field in some of the packets.
University of North Carolina
IT Security Analyst
105 Abernethy Hall
mailto: jeff_bollinger at unc dot edu
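Detection logic for the share-probing pattern described in the post (a source walking IPC$, ADMIN$, C$ and D$ on host after host), as an added example that is not part of the original message. The log format, the sample lines, the thresholds and the function names are constructed assumptions; denied attempts count as probes, which matters because, as the post notes, netstat may show no established session.

```python
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<iso-timestamp> <src> -> <dst> TREE_CONNECT <share> <status>"
ADMIN_SHARES = frozenset({"IPC$", "ADMIN$", "C$", "D$"})

SAMPLE_LOG = """\
2002-06-17T15:01:02 10.9.8.7 -> 192.0.2.10 TREE_CONNECT IPC$ OK
2002-06-17T15:01:02 10.9.8.7 -> 192.0.2.10 TREE_CONNECT ADMIN$ ACCESS_DENIED
2002-06-17T15:01:03 10.9.8.7 -> 192.0.2.10 TREE_CONNECT C$ ACCESS_DENIED
2002-06-17T15:01:03 10.9.8.7 -> 192.0.2.10 TREE_CONNECT D$ BAD_NETWORK_NAME
2002-06-17T15:01:04 10.9.8.7 -> 192.0.2.11 TREE_CONNECT IPC$ OK
2002-06-17T15:01:04 10.9.8.7 -> 192.0.2.11 TREE_CONNECT ADMIN$ ACCESS_DENIED
2002-06-17T15:01:05 10.9.8.7 -> 192.0.2.11 TREE_CONNECT C$ ACCESS_DENIED
2002-06-17T15:01:05 10.9.8.7 -> 192.0.2.11 TREE_CONNECT D$ ACCESS_DENIED
2002-06-17T15:01:06 10.9.8.7 -> 192.0.2.12 TREE_CONNECT IPC$ OK
2002-06-17T15:01:06 10.9.8.7 -> 192.0.2.12 TREE_CONNECT ADMIN$ ACCESS_DENIED
2002-06-17T15:01:07 10.9.8.7 -> 192.0.2.12 TREE_CONNECT C$ ACCESS_DENIED
2002-06-17T15:01:07 10.9.8.7 -> 192.0.2.12 TREE_CONNECT D$ ACCESS_DENIED
2002-06-17T15:20:00 192.0.2.50 -> 192.0.2.12 TREE_CONNECT IPC$ OK
2002-06-17T15:20:01 192.0.2.50 -> 192.0.2.12 TREE_CONNECT USERS OK
2002-06-17T15:21:00 192.0.2.51 -> 192.0.2.10 TREE_CONNECT ADMIN$ OK
"""

def parse_line(line):
    ts, src, _arrow, dst, _op, share, status = line.split()
    return datetime.fromisoformat(ts), src, dst, share, status

def find_share_scanners(log_text, min_hosts=3, window_seconds=60):
    """Return {src: [hosts]} for sources that tried every share in ADMIN_SHARES
    on at least min_hosts distinct hosts, with the sweep's first probes falling
    inside a window_seconds span. Status is ignored on purpose: a denied
    tree-connect is still a probe."""
    shares = defaultdict(lambda: defaultdict(set))  # src -> dst -> shares tried
    first_seen = {}                                  # (src, dst) -> first probe time
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, share, _status = parse_line(line)
        if share not in ADMIN_SHARES:
            continue
        shares[src][dst].add(share)
        first_seen.setdefault((src, dst), ts)
    scanners = {}
    for src, by_dst in shares.items():
        swept = sorted(d for d, tried in by_dst.items() if tried == ADMIN_SHARES)
        if len(swept) < min_hosts:
            continue
        starts = [first_seen[(src, d)] for d in swept]
        if (max(starts) - min(starts)).total_seconds() <= window_seconds:
            scanners[src] = swept
    return scanners
```

Calling find_share_scanners(SAMPLE_LOG) flags only 10.9.8.7; the single IPC$ or ADMIN$ connections from the other two sources never complete the four-share set and are left alone.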