[unisog] I may have spoken too soon (Windows message)

Steve Bernard sbernard at gmu.edu
Thu Oct 10 21:54:56 GMT 2002

When the NET SEND command is used, on W2k, it first sends out NetBIOS Name
Service over UDP packets from port 137 to the target on port 137. After 12
of these pairs, in my tests, un-encapsulating UDP packets are sent from an
arbitrary high port on the sender to port 135 on the target. If you know the
message that is being sent you can match that on the first couple of UDP
packets, it's in plain-text.

Steve Bernard
Systems Engineer, NET
George Mason University
Fairfax, VA

-----Original Message-----
From: Clarke Morledge [mailto:chmorl at wm.edu]
Sent: Thursday, October 10, 2002 3:50 PM
To: unisog
Subject: Re: [unisog] I may have spoken too soon (Windows message)

We've been getting both of these "diploma" and "poetry" messages, and like
Martin, we block ports 137-139 at the firewall.

Two questions:

(1) Does anybody know how we are getting hit by this?

(2) Does anybody have any IDS signatures to detect it?

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
chmorl at wm.edu

More information about the unisog mailing list