[Dshield] [LOGS] Odd: UDP:137 probes

John Sage jsage at finchhaven.com
Sat Sep 28 22:31:55 GMT 2002


Odd?

42 probes and counting; no two from the same source IP; the source
port, however, varies little: 1025, 1026, 1027, 1028, 1029, and then
scattered others. TTLs are all around 107-115, which suggests
something Win-ish as the source hosts, decrementing the TTL from 128.


#103-137| [2002-09-28 12:03:11]   12.82.138.100:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-120| [2002-09-28 11:42:04] 193.152.210.254:1027 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-147| [2002-09-28 12:22:24]   196.32.149.73:1026 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-112| [2002-09-28 11:27:49]    200.4.254.36:1028 -> 12.82.137.228:137  UDP to 137 netBIOS ns
 #103-92| [2002-09-28 08:28:17]   200.48.189.83:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-103| [2002-09-28 09:37:03]   200.67.189.25:1104 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-151| [2002-09-28 13:08:58]    200.73.40.36:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-114| [2002-09-28 11:29:53]    203.79.191.2:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
 #103-96| [2002-09-28 08:44:58]   208.169.78.68:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-161| [2002-09-28 14:15:01] 210.143.153.199:1027 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-150| [2002-09-28 12:55:08]  211.254.125.61:1026 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-111| [2002-09-28 11:22:32]   211.53.129.93:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-159| [2002-09-28 14:04:12]    211.79.78.87:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-100| [2002-09-28 09:27:08]     213.7.99.39:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
 #103-10| [2002-09-28 08:16:01]   213.99.139.72:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-101| [2002-09-28 09:27:26]  217.82.175.205:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-108| [2002-09-28 11:03:55]  218.148.219.35:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-152| [2002-09-28 13:09:05] 218.165.176.121:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
 #103-91| [2002-09-28 08:24:26] 218.233.193.141:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-149| [2002-09-28 12:54:39] 218.234.212.131:1029 -> 12.82.137.228:137  UDP to 137 netBIOS ns
 #103-95| [2002-09-28 08:42:25]   24.141.33.160:1028 -> 12.82.137.228:137  UDP to 137 netBIOS ns
 #103-98| [2002-09-28 09:19:18]  24.243.165.244:3292 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-153| [2002-09-28 13:35:10]   24.87.161.126:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
 #103-94| [2002-09-28 08:40:53]   61.224.197.67:1026 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-110| [2002-09-28 11:17:42]   61.230.125.62:1027 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-113| [2002-09-28 11:29:35]    61.32.145.18:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-106| [2002-09-28 10:11:21]    61.33.113.32:1038 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-109| [2002-09-28 11:11:30]    61.37.180.38:1035 -> 12.82.137.228:137  UDP to 137 netBIOS ns
  #103-8| [2002-09-28 08:09:19]   61.38.215.123:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
 #103-97| [2002-09-28 08:52:25]     61.41.63.28:1027 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-107| [2002-09-28 10:37:58]   62.194.62.223:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
 #103-93| [2002-09-28 08:31:16]  62.251.162.162:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
  #103-9| [2002-09-28 08:10:47]   62.30.228.119:1026 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-119| [2002-09-28 11:39:06]    63.105.27.99:1733 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-105| [2002-09-28 10:10:13]   64.231.161.28:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
 #103-99| [2002-09-28 09:20:42]     65.92.17.40:1028 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-104| [2002-09-28 10:06:29]   66.127.27.202:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
  #103-7| [2002-09-28 07:56:52]   66.166.63.138:1028 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-148| [2002-09-28 12:24:46]    67.34.15.158:1414 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-154| [2002-09-28 13:48:02]      67.81.3.84:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-160| [2002-09-28 14:05:56]   80.133.59.196:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns
#103-102| [2002-09-28 09:36:05]  80.138.180.106:1025 -> 12.82.137.228:137  UDP to 137 netBIOS ns


Packet contents seem to be "normal" for this sort of thing:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
09/28-07:56:52.009771 66.166.63.138:1028 -> 12.82.137.228:137
UDP TTL:115 TOS:0x0 ID:20655 IpLen:20 DgmLen:78
Len: 58
0x0000: 45 00 00 4E 50 AF 00 00 73 11 DE 89 42 A6 3F 8A  E..NP...s...B.?.
0x0010: 0C 52 89 E4 04 04 00 89 00 3A A3 3D 01 00 00 10  .R.......:.=....
0x0020: 00 01 00 00 00 00 00 00 20 43 4B 41 41 41 41 41  ........ CKAAAAA
0x0030: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0x0040: 41 41 41 41 41 41 41 41 41 00 00 21 00 01        AAAAAAAAA..!.. 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
09/28-08:09:19.554838 61.38.215.123:1025 -> 12.82.137.228:137
UDP TTL:107 TOS:0x0 ID:13345 IpLen:20 DgmLen:78
Len: 58
0x0000: 45 00 00 4E 34 21 00 00 6B 11 70 A6 3D 26 D7 7B  E..N4!..k.p.=&.{
0x0010: 0C 52 89 E4 04 01 00 89 00 3A 10 CF 01 00 00 10  .R.......:......
0x0020: 00 01 00 00 00 00 00 00 20 43 4B 41 41 41 41 41  ........ CKAAAAA
0x0030: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0x0040: 41 41 41 41 41 41 41 41 41 00 00 21 00 01        AAAAAAAAA..!.. 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
09/28-08:10:47.013637 62.30.228.119:1026 -> 12.82.137.228:137
UDP TTL:111 TOS:0x0 ID:6105 IpLen:20 DgmLen:78
Len: 58
0x0000: 45 00 00 4E 17 D9 00 00 6F 11 7A FA 3E 1E E4 77  E..N....o.z.>..w
0x0010: 0C 52 89 E4 04 02 00 89 00 3A 02 DA 01 00 00 10  .R.......:......
0x0020: 00 01 00 00 00 00 00 00 20 43 4B 41 41 41 41 41  ........ CKAAAAA
0x0030: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0x0040: 41 41 41 41 41 41 41 41 41 00 00 21 00 01        AAAAAAAAA..!.. 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
09/28-08:16:01.315182 213.99.139.72:1025 -> 12.82.137.228:137
UDP TTL:107 TOS:0x0 ID:60720 IpLen:20 DgmLen:78
Len: 58
0x0000: 45 00 00 4E ED 30 00 00 6B 11 6B 8C D5 63 8B 48  E..N.0..k.k..c.H
0x0010: 0C 52 89 E4 04 01 00 89 00 3A C4 C4 01 00 00 10  .R.......:......
0x0020: 00 01 00 00 00 00 00 00 20 43 4B 41 41 41 41 41  ........ CKAAAAA
0x0030: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0x0040: 41 41 41 41 41 41 41 41 41 00 00 21 00 01        AAAAAAAAA..!.. 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
09/28-08:24:26.786360 218.233.193.141:1025 -> 12.82.137.228:137
UDP TTL:113 TOS:0x0 ID:51598 IpLen:20 DgmLen:78
Len: 58
0x0000: 45 00 00 4E C9 8E 00 00 71 11 4D 63 DA E9 C1 8D  E..N....q.Mc....
0x0010: 0C 52 89 E4 04 01 00 89 00 3A 88 F9 01 00 00 10  .R.......:......
0x0020: 00 01 00 00 00 00 00 00 20 43 4B 41 41 41 41 41  ........ CKAAAAA
0x0030: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0x0040: 41 41 41 41 41 41 41 41 41 00 00 21 00 01        AAAAAAAAA..!..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
<snip>
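
To make the dumps above readable, here is an added example (not from the original post) that parses the first probe's bytes as copied from the page: it walks the IP and UDP headers, decodes the 32-character first-level NetBIOS name, and applies the same TTL reasoning as above (nearest of 32/64/128/255). The type and flag names are from RFC 1002; the helper and function names are my own.

```python
import struct

# Bytes of the first dump in the post (IP + UDP + NetBIOS name query); the hex
# string is copied from the page, the parser around it is an added example.
PROBE_HEX = (
    "45 00 00 4E 50 AF 00 00 73 11 DE 89 42 A6 3F 8A "
    "0C 52 89 E4 04 04 00 89 00 3A A3 3D 01 00 00 10 "
    "00 01 00 00 00 00 00 00 20 43 4B 41 41 41 41 41 "
    "41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 "
    "41 41 41 41 41 41 41 41 41 00 00 21 00 01"
)

NBNS_TYPES = {0x20: "NB", 0x21: "NBSTAT"}   # RFC 1002 question types

def estimate_initial_ttl(ttl: int) -> tuple[int, int]:
    """Guess the sender's starting TTL (32/64/128/255) and the hop count."""
    initial = next(t for t in (32, 64, 128, 255) if t >= ttl)
    return initial, initial - ttl

def decode_nb_name(encoded: bytes) -> tuple[str, int]:
    """First-level NetBIOS name decoding: each 'A'..'P' pair is one byte."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    name = raw[:15].rstrip(b" \x00").decode("ascii")
    return name, raw[15]          # 16th byte is the NetBIOS suffix

def parse_probe(hexdump: str) -> dict:
    """Parse one IP/UDP/NBNS datagram from a hex dump into its key fields."""
    pkt = bytes.fromhex(hexdump)
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    if proto != 17 or dport != 137:
        raise ValueError("not a NetBIOS name service datagram")
    nbns = pkt[ihl + 8:]
    txid, flags, qdcount = struct.unpack("!HHH", nbns[:6])
    if nbns[12] != 0x20 or nbns[45] != 0x00:   # one 32-char label, then root
        raise ValueError("unexpected question name encoding")
    name, suffix = decode_nb_name(nbns[13:45])
    qtype, qclass = struct.unpack("!HH", nbns[46:50])
    initial_ttl, hops = estimate_initial_ttl(ttl)
    return {
        "src": src, "sport": sport, "ttl": ttl,
        "initial_ttl": initial_ttl, "hops": hops,
        "opcode": (flags >> 11) & 0xF, "broadcast": bool(flags & 0x0010),
        "name": name, "suffix": suffix,
        "qtype": NBNS_TYPES.get(qtype, hex(qtype)), "qclass": qclass,
    }

if __name__ == "__main__":
    for key, value in parse_probe(PROBE_HEX).items():
        print(f"{key:12} {value}")
```

The "CKAAAA..." label decodes to the wildcard name "*" with an NBSTAT (0x21) question, i.e. a node status request of the kind nbtstat -A sends, which is why the payloads look identical across sources.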


- John
-- 
"It's a troll! Run!^H^H^H^H Laugh!"

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705



