[Dshield] Port 137 activity

John Sage jsage at finchhaven.com
Wed Jun 11 13:34:39 GMT 2003


Generally, I'd say that's quite common.

On Wed, Jun 11, 2003 at 07:46:13AM -0500, John Dalton wrote:
> 108 probes from 108 sources on UDP port 137 in a 12 hour period. That stands
> out as quite out of place. I do not have a logger, so I would not be able to
> pick up packets to show though. Anyone else seeing this?


Total packets to port 137 in alert.full-Jun.05.06:15: 375
Total packets to port 139 in alert.full-Jun.05.06:15: 69
Total packets to port 445 in alert.full-Jun.05.06:15: 111

Total packets to port 137 in alert.full-Jun.06.05:34: 363
Total packets to port 139 in alert.full-Jun.06.05:34: 4702
Total packets to port 445 in alert.full-Jun.06.05:34: 3200

Total packets to port 137 in alert.full-Jun.07.05:45: 287
Total packets to port 139 in alert.full-Jun.07.05:45: 94
Total packets to port 445 in alert.full-Jun.07.05:45: 128

Total packets to port 137 in alert.full-Jun.08.06:40: 152
Total packets to port 139 in alert.full-Jun.08.06:40: 1046
Total packets to port 445 in alert.full-Jun.08.06:40: 492

Total packets to port 137 in alert.full-Jun.09.06:51: 269
Total packets to port 139 in alert.full-Jun.09.06:51: 653
Total packets to port 445 in alert.full-Jun.09.06:51: 289

Total packets to port 137 in alert.full-Jun.10.07:00: 240
Total packets to port 139 in alert.full-Jun.10.07:00: 57
Total packets to port 445 in alert.full-Jun.10.07:00: 233


There are several exploits/worms/trojans etc. about right now that
look for open Windows shares.

Regarding UDP:137 itself, I'll bet what you are seeing is the common
crow-call:

<snip>
#
U 2003/06/10 07:34:00.331404 69.34.113.232:18940 -> 12.82.162.139:137
  00 3c 00 10 00 01 00 00    00 00 00 00 20 43 4b 41    .<.......... CKA
  41 41 41 41 41 41 41 41    41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
  41 41 41 41 41 41 41 41    41 41 41 41 41 00 00 21    AAAAAAAAAAAAA..!
  00 01                                                 ..
#
U 2003/06/10 07:34:07.962200 200.67.51.76:1025 -> 12.82.162.139:137
  01 00 00 10 00 01 00 00    00 00 00 00 20 43 4b 41    ............ CKA
  41 41 41 41 41 41 41 41    41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
  41 41 41 41 41 41 41 41    41 41 41 41 41 00 00 21    AAAAAAAAAAAAA..!
  00 01                                                 ..
#
U 2003/06/10 07:36:33.707136 81.48.179.26:1027 -> 12.82.162.139:137
  01 00 00 10 00 01 00 00    00 00 00 00 20 43 4b 41    ............ CKA
  41 41 41 41 41 41 41 41    41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
  41 41 41 41 41 41 41 41    41 41 41 41 41 00 00 21    AAAAAAAAAAAAA..!
  00 01                                                 ..
#
<snip>

- John
-- 
"Obviously, we do not want to leave zombies around."

See our exciting, all-new look! http://www.finchhaven.com/

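The "crow-call" packets John pasted are NetBIOS Name Service node status requests (RFC 1002 type NBSTAT, 0x0021) for the wildcard name "*": the 32-character label CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA is the RFC 1001 first-level encoding of an asterisk followed by fifteen NUL bytes, each nibble stored as one letter 'A'..'P'. The following is an added example, not part of the post or of DShield's tooling, that decodes the first packet from the hex dump above and shows how a log parser can flag this probe while letting an ordinary name query through. The function names are mine, and the comparison query for "WORKGROUP" with suffix 0x1D is constructed for illustration.

```python
import struct

NBSTAT = 0x0021          # node status request (RFC 1002 section 4.2.17)
NB = 0x0020              # ordinary NetBIOS name query
FLAG_RESPONSE = 0x8000   # R bit of the NBNS header
FLAG_BROADCAST = 0x0010  # B bit of NM_FLAGS

# UDP payload of the first packet in the post, copied from its hex dump.
CROW_CALL_HEX = (
    "00 3c 00 10 00 01 00 00 00 00 00 00 20 43 4b 41 "
    "41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 "
    "41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 "
    "00 01"
)


def hexdump_to_bytes(text):
    return bytes.fromhex(text.replace(" ", ""))


def encode_first_level(raw16):
    """RFC 1001 first-level encoding: each nibble becomes one letter 'A'..'P'."""
    if len(raw16) != 16:
        raise ValueError("a NetBIOS name is exactly 16 bytes (15 + suffix)")
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0xF)) for b in raw16)


def decode_first_level(encoded):
    """Reverse of encode_first_level; rejects anything outside 'A'..'P'."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    out = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        h, l = ord(hi) - 0x41, ord(lo) - 0x41
        if not (0 <= h <= 15 and 0 <= l <= 15):
            raise ValueError("invalid first-level encoding")
        out.append((h << 4) | l)
    return bytes(out)


def parse_nbns_query(payload):
    """Parse a single-question NBNS packet (no scope ID) into its fields."""
    if len(payload) < 12 + 1 + 32 + 1 + 4:
        raise ValueError("payload too short for an NBNS question")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    if payload[12] != 32:
        raise ValueError("expected a 32-byte first-level encoded label")
    encoded = payload[13:45].decode("ascii")
    # The wildcard probe carries no scope ID, so a root label (0x00) follows.
    if payload[45] != 0:
        raise ValueError("scope IDs are not handled in this example")
    qtype, qclass = struct.unpack("!HH", payload[46:50])
    raw = decode_first_level(encoded)
    return {
        "txid": txid,
        "response": bool(flags & FLAG_RESPONSE),
        "opcode": (flags >> 11) & 0xF,
        "broadcast": bool(flags & FLAG_BROADCAST),
        "qdcount": qdcount,
        # First 15 bytes are the name (space or NUL padded), byte 16 is the suffix.
        "name": raw[:15].rstrip(b"\x00 ").decode("ascii", "replace"),
        "suffix": raw[15],
        "qtype": qtype,
        "qclass": qclass,
    }


def is_wildcard_node_status(payload):
    """True for the '*' NBSTAT probe seen in the post; False for anything else."""
    try:
        q = parse_nbns_query(payload)
    except ValueError:
        return False
    return (not q["response"] and q["opcode"] == 0
            and q["name"] == "*" and q["suffix"] == 0 and q["qtype"] == NBSTAT)


def build_nbns_query(txid, name, suffix, qtype, flags=0, pad=b" "):
    """Build a one-question NBNS query; used here to construct comparison packets."""
    raw16 = name.encode("ascii").ljust(15, pad) + bytes([suffix])
    label = encode_first_level(raw16).encode("ascii")
    return (struct.pack("!6H", txid, flags, 1, 0, 0, 0)
            + bytes([32]) + label + b"\x00" + struct.pack("!HH", qtype, 1))


if __name__ == "__main__":
    pkt = hexdump_to_bytes(CROW_CALL_HEX)
    print(parse_nbns_query(pkt))
    print("wildcard node status:", is_wildcard_node_status(pkt))
    # Constructed comparison: a normal name query, which must not be flagged.
    normal = build_nbns_query(7, "WORKGROUP", 0x1D, NB)
    print("normal query flagged:", is_wildcard_node_status(normal))
```

The decoder is deliberately strict: a label length other than 32, a letter outside 'A'..'P', or a scope ID after the label raises rather than guessing, so a detector built on it treats malformed port 137 traffic as "not the crow-call" instead of silently misclassifying it.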