[Dshield] Causes for Port 137 Surge?

David Kennedy CISSP david.kennedy at acm.org
Mon Jul 9 12:00:00 GMT 2001


Any clues yet for the surge in Port 137 activity since 6/29?  

Possibilities that come to mind:
Qaz, Bymer or some other known/old 137-aware virus/worm got loose in a
large organization which, in turn, flooded others.

Hybris plug-in we don't understand (yet).

Recent addition of large enterprises who are just reporting massive
internal NetBIOS name lookups?  

One of the IDSs changed detection of 137? (I block it at the router
so I have no way of knowing whether it's coming my way or not.)

Something W32.Leave-like?  

Something completely different?



Would it be possible to filter 137 reports and drop attackers on the
same network and report only those from other networks?  If that's
possible, I'm not sure how to deal with 1918 addresses, I'd be
inclined to drop those as well as probably coming from a
local-to-the-reporter host and thus possibly innocuous.

I understand why you decided to handle 137 separately, but the
reports make me suspect something irregular is up.  


-- 
Regards,

David Kennedy CISSP
Director of Research Services, TruSecure Corp. http://www.trusecure.com
Protect what you connect.
Look both ways before crossing the Net.
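One way to implement the filtering the post asks about, as an added example that is not part of the original message or of DShield's own tooling: it keeps only port-137 reports whose source lies outside the reporter's own network and outside RFC 1918 space. It assumes "same network" means the reporter's /24 (no mask is given in the post) and runs over constructed sample records, not real submissions.

```python
import ipaddress
from collections import Counter

# RFC 1918 ranges, which the post suggests dropping as probably local noise.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample reports (not real DShield data): reporter, source, target port.
# Assumption: a report's "network" is the reporter's /24 unless told otherwise.
SAMPLE_REPORTS = [
    {"reporter": "203.0.113.10", "source": "203.0.113.77", "port": 137},   # same /24: internal lookup
    {"reporter": "203.0.113.10", "source": "192.168.1.5", "port": 137},    # RFC 1918: dropped
    {"reporter": "203.0.113.10", "source": "198.51.100.9", "port": 137},   # other network: kept
    {"reporter": "198.51.100.20", "source": "203.0.113.77", "port": 137},  # other network: kept
    {"reporter": "198.51.100.20", "source": "203.0.113.77", "port": 80},   # not port 137: ignored
]

def classify(report, prefixlen=24):
    """Return 'keep', or the reason a report is not counted as a cross-network 137 probe."""
    if report["port"] != 137:
        return "not_137"
    src = ipaddress.ip_address(report["source"])
    if any(src in net for net in RFC1918):
        return "rfc1918"
    # strict=False lets us build the /24 directly from the reporter's host address.
    reporter_net = ipaddress.ip_network(f"{report['reporter']}/{prefixlen}", strict=False)
    if src in reporter_net:
        return "same_network"
    return "keep"

def filter_137_reports(reports, prefixlen=24):
    """Split reports into the ones worth counting and a tally of why the rest were dropped."""
    kept, dropped = [], Counter()
    for report in reports:
        verdict = classify(report, prefixlen)
        if verdict == "keep":
            kept.append(report)
        else:
            dropped[verdict] += 1
    return kept, dropped

if __name__ == "__main__":
    kept, dropped = filter_137_reports(SAMPLE_REPORTS)
    print(f"kept {len(kept)} port-137 reports from other networks; dropped {dict(dropped)}")
```

Widening `prefixlen` (e.g. to 16) drops more reports as "same network"; comparing the kept count under both settings is a quick way to see how much of a surge is local NetBIOS chatter versus traffic from elsewhere.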
