[Dshield] UDP:137 probes - picking up steam?

David Kennedy CISSP david.kennedy at acm.org
Fri Oct 25 04:52:20 GMT 2002


At 11:24 AM 10/24/02 -0500, Brad Wyman wrote:
>On Thu, 24 Oct 2002, John Sage wrote:
>> Is the UDP:137 background noise picking up steam, or is it just
>> me? 
>I noticed this as well, UDP:137 had gotten really noisy over the
>last few days. I normally tune it out, but this has me curious.

Probably Opaserv worm.  It's on its fifth variant in the wild, unless
there's been another discovered in the last few hours.  Bugbear has
been blamed, but it's probably a fraction of the Opaserv.

It's under the radar because competent admins at businesses are
ACLing it, making this primarily a home user problem.  At least one
very large consumer ISP reportedly blocks it.  Because they're under
the radar, it's possible there's either a new variant or a new worm,
but there's still some Qaz running around, so there's more than
enough badness out there on this port.

Everyone with a perimeter router (DSL, wireless, cable too) should
ACL 135-139, in & out, TCP & UDP and go for coffee during the time
they'd otherwise be reading log entries on these ports.  None of my
DShield submissions include these ports.




David Kennedy CISSP                         /"\
Director of Research Services,              \ / ASCII Ribbon Campaign
TruSecure Corp. http://www.trusecure.com     X  Against HTML Mail
Protect what you connect;                   / \
Look both ways before crossing the Net.
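
As an added example, not part of the original post: a small Python script that answers the thread's question from a firewall log by counting UDP:137 probes per day, and that drops ports 135-139 (TCP and UDP) from what would be submitted, as the post describes. The log format, the function names and the sample lines are assumptions constructed for illustration; this is not the DShield submission format.

```python
from collections import Counter

NETBIOS_PORTS = range(135, 140)  # 135-139 inclusive, the range named in the post

# Constructed sample lines (not real traffic). Assumed format:
# date time proto src_ip src_port dst_ip dst_port
SAMPLE_LOG = """\
2002-10-22 03:14:07 UDP 203.0.113.5 1027 192.0.2.10 137
2002-10-23 08:01:44 UDP 198.51.100.7 1030 192.0.2.10 137
2002-10-23 09:12:10 TCP 198.51.100.9 4431 192.0.2.10 80
2002-10-23 17:45:31 UDP 203.0.113.80 1025 192.0.2.10 137
2002-10-24 01:02:03 UDP 203.0.113.5 1027 192.0.2.10 137
2002-10-24 01:09:55 TCP 198.51.100.23 3120 192.0.2.10 139
2002-10-24 02:30:00 UDP 198.51.100.44 1028 192.0.2.10 137
2002-10-24 05:21:19 UDP 203.0.113.99 1026 192.0.2.10 137
2002-10-24 06:00:00 TCP 203.0.113.99 2200 192.0.2.10 22
not a log line
"""

def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    parts = line.split()
    if len(parts) != 7 or parts[2] not in ("TCP", "UDP"):
        return None
    try:
        return {"date": parts[0], "proto": parts[2], "dport": int(parts[6])}
    except ValueError:
        return None

def daily_udp137(log):
    """Count UDP probes to port 137 per day, in date order."""
    counts = Counter()
    for rec in filter(None, map(parse, log.splitlines())):
        if rec["proto"] == "UDP" and rec["dport"] == 137:
            counts[rec["date"]] += 1
    return dict(sorted(counts.items()))

def for_submission(log):
    """Keep only parsed lines whose destination port is outside 135-139."""
    kept = []
    for line in log.splitlines():
        rec = parse(line)
        if rec and rec["dport"] not in NETBIOS_PORTS:
            kept.append(line)
    return kept

if __name__ == "__main__":
    print(daily_udp137(SAMPLE_LOG))
    print("\n".join(for_submission(SAMPLE_LOG)))
```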

