[Dshield] udp/137 (netbios) scans

Patrick Andry pandry at wolverinefreight.ca
Tue Oct 1 14:48:58 GMT 2002


Could this be due to the BugBear worm attempting to copy to network 
shares?  It seems a bit coincidental not to be, but I'm not sure if it 
copies across networks or not.


jack_mccarthy8 at hushmail.com wrote:

>These are logs from an NT4 box we have sitting outside our firewall running ZAPro v3.1.395.
>
>-Jack
>