[Dshield] MS patch KB824105 starts strange UDP/137 probes?

Erwin Fritz efritz at glja.com
Thu Sep 18 20:24:08 GMT 2003


I'm running into an interesting situation in my corporate LAN. We have 
two W2K (SP3) machines, to which we applied KB824105. This is a NetBIOS 
security patch.

Ever since the machines were patched, I'm seeing UDP/137 traffic from 
them to 192.1.1.1, every ten minutes. My firewall blocks UDP/137 
(NetBIOS name requests), naturally, so no harm is done. Four or five 
packets are sent each time.

I'm intrigued, since 192.1.1.1 isn't a reserved IP address. That address 
isn't currently assigned to anything, though.

Anybody else run into this?
-- 
Erwin Fritz
Gilbert Laustsen Jung Associates Ltd.
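
Added example, not part of the original post: one way to confirm from firewall logs the pattern described above (bursts of blocked UDP/137 packets to 192.1.1.1 recurring every ten minutes). The log line format, the internal addresses and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed log format: "<ISO time> DROP UDP <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"^(\S+) DROP UDP (\S+):\d+ -> (\S+):(\d+)$")

def find_periodic_nbns(lines, burst_gap=30, min_bursts=3, tolerance=0.1):
    """Map (src, dst) -> (median seconds between bursts, burst sizes) for steady UDP/137 flows."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m and m.group(4) == "137":
            seen[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    steady = {}
    for flow, stamps in seen.items():
        stamps.sort()
        bursts = [[stamps[0]]]
        for t in stamps[1:]:
            # Packets within burst_gap seconds of the previous one join its burst.
            if (t - bursts[-1][-1]).total_seconds() <= burst_gap:
                bursts[-1].append(t)
            else:
                bursts.append([t])
        if len(bursts) < min_bursts:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(bursts, bursts[1:])]
        period = median(gaps)
        # Steady means every gap lies within `tolerance` of the median gap.
        if all(abs(g - period) <= tolerance * period for g in gaps):
            steady[flow] = (period, [len(b) for b in bursts])
    return steady

# Constructed sample: 10.0.0.21 is a hypothetical patched host, 10.0.0.50 is noise.
SAMPLE = [
    f"2003-09-18T20:{minute:02d}:{sec + 2 * i:02d} DROP UDP 10.0.0.21:137 -> 192.1.1.1:137"
    for minute, sec, count in ((0, 0, 4), (10, 1, 5), (20, 0, 4), (30, 2, 5))
    for i in range(count)
] + [
    "2003-09-18T20:03:00 DROP UDP 10.0.0.50:137 -> 10.0.0.255:137",
    "2003-09-18T20:04:10 DROP UDP 10.0.0.50:137 -> 10.0.0.255:137",
    "2003-09-18T20:31:00 DROP UDP 10.0.0.50:137 -> 10.0.0.255:137",
    "2003-09-18T20:10:02 DROP UDP 10.0.0.21:1040 -> 192.1.1.1:53",
]

if __name__ == "__main__":
    for (src, dst), (period, sizes) in find_periodic_nbns(SAMPLE).items():
        print(f"{src} -> {dst}: every {period:.0f}s, packets per burst {sizes}")
```

A flow is reported only when at least three bursts are seen and their spacing stays within 10% of the median, so irregular name queries such as those from the noise host are not flagged.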



