[Dshield] UDP:137 probes - picking up steam?

David Kennedy CISSP david.kennedy at acm.org
Fri Oct 25 04:52:20 GMT 2002


-----BEGIN PGP SIGNED MESSAGE-----

At 11:24 AM 10/24/02 -0500, Brad Wyman wrote:
>
>On Thu, 24 Oct 2002, John Sage wrote:
>
>> Is the UDP:137 background noise picking up steam, or is it just
>> me? 
>>
>
>I noticed this as well, UDP:137 had gotten really noisy over the
>last few days. I normally tune it out, but this has me curious
>


Probably Opaserv worm.  It's on its fifth variant in the wild, unless
there's been another discovered in the last few hours.  Bugbear has
been blamed, but it's probably a fraction of the Opaserv.

It's under the radar because competent admins at businesses are
ACLing it, making this primarily a home user problem.  At least one
very large consumer ISP reportedly blocks it.  Because they're under
the radar, it's possible there's either a new variant or a new worm,
but there's still some Qaz running around, so there's more than
enough badness out there on this port.

Everyone with a perimeter router (DSL, wireless, cable too) should
ACL 135-139, in & out, TCP & UDP and go for coffee during the time
they'd otherwise be reading log entries on these ports.  None of my
DShield submissions include these ports.


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Security 7.0.3
Comment: hacker=cybercriminal--the definition changed; get over it

iQCVAwUBPbjOAvGfiIQsciJtAQG1NAP+PpqOGUXWppYmvuRiouOU4q08v6Eg5iLX
Re9pN0G8JLd81yNKLXe3n4T6rfahHYkCB1j34KJPb2WxwdwMGmK7bT148amML/3s
Jeh1cDg4WGqA2m3hbmzlc3ekcuFP43TJXf1DpB7CYlBAZR52dqepnKXS1PX4M8c0
+uYfHkjpYMI=
=rAnQ
-----END PGP SIGNATURE-----

-- 
Regards,

David Kennedy CISSP                         /"\
Director of Research Services,              \ / ASCII Ribbon Campaign
TruSecure Corp. http://www.trusecure.com     X  Against HTML Mail
Protect what you connect;                   / \
Look both ways before crossing the Net.
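
An added example, not part of the original message: a small audit that checks whether a forwarding ruleset really blocks 135-139 in and out, TCP and UDP, as the message recommends. It assumes a Linux perimeter box with rules in iptables-save syntax, a WAN interface named eth0, and a default ACCEPT policy; the sample ruleset is constructed.

```python
import shlex
from itertools import product

PORTS = range(135, 140)   # 135-139, the range named in the message
WAN = "eth0"              # assumption: name of the Internet-facing interface
# Constructed sample: inbound UDP list skips 136, outbound TCP is not filtered.
SAMPLE_RULES = """\
-A FORWARD -i eth0 -p tcp -m tcp --dport 135:139 -j DROP
-A FORWARD -i eth0 -p udp -m multiport --dports 135,137:139 -j DROP
-A FORWARD -o eth0 -p udp -m udp --dport 135:139 -j DROP
-A FORWARD -o eth0 -j ACCEPT
"""
FLAGS = {"-i": "in", "-o": "out", "-p": "proto", "-j": "target",
         "--dport": "ports", "--dports": "ports"}

def parse_rule(line):
    """Parse one '-A FORWARD' line (others give None); '!' and other matches are ignored."""
    tok = shlex.split(line)
    if tok[:2] != ["-A", "FORWARD"]:
        return None
    rule = dict.fromkeys(FLAGS.values())
    for flag, value in zip(tok[2:], tok[3:]):
        if flag in FLAGS:
            rule[FLAGS[flag]] = value
    return rule

def port_set(spec):
    """Expand '135,137:139' into {135, 137, 138, 139}."""
    bounds = [part.partition(":") for part in spec.split(",")]
    return {p for lo, _, hi in bounds for p in range(int(lo), int(hi or lo) + 1)}

def matches(rule, direction, proto, port):
    """True if the rule applies to this packet crossing the WAN interface."""
    near, far = ("in", "out") if direction == "in" else ("out", "in")
    return (rule[near] in (None, WAN) and rule[far] != WAN
            and rule["proto"] in (None, "all", proto)
            and (rule["ports"] is None or port in port_set(rule["ports"])))

def uncovered(ruleset):
    """List (direction, proto, port) whose first matching rule is not DROP/REJECT."""
    rules = [r for r in map(parse_rule, ruleset.splitlines()) if r]
    gaps = []
    for direction, proto, port in product(("in", "out"), ("tcp", "udp"), PORTS):
        hit = next((r for r in rules if matches(r, direction, proto, port)), None)
        # No matching rule means the assumed default ACCEPT policy applies.
        if hit is None or hit["target"] not in ("DROP", "REJECT"):
            gaps.append((direction, proto, port))
    return gaps
```

Calling uncovered(SAMPLE_RULES) reports inbound UDP 136 and all of outbound TCP 135-139 as still open; an empty list means the ACL covers every combination.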



