[unisog] I may have spoken too soon (Windows message)
sbernard at gmu.edu
Thu Oct 10 21:54:56 GMT 2002
When the NET SEND command is used, on W2k, it first sends out NetBIOS Name
Service over UDP packets from port 137 to the target on port 137. After 12
of these pairs, in my tests, un-encapsulating UDP packets are sent from an
arbitrary high port on the sender to port 135 on the target. If you know the
message that is being sent you can match that on the first couple of UDP
packets, it's in plain-text.

Systems Engineer, NET
George Mason University

From: Clarke Morledge [mailto:chmorl at wm.edu]
Sent: Thursday, October 10, 2002 3:50 PM
Subject: Re: [unisog] I may have spoken too soon (Windows message)

We've been getting both of these "diploma" and "poetry" messages, and like
Martin, we block ports 137-139 at the firewall.
(1) Does anybody know how we are getting hit by this?
(2) Does anybody have any IDS signatures to detect it?
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
chmorl at wm.edu
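
The traffic pattern described in the reply above (NetBIOS Name Service on UDP 137 to 137, then UDP from a high source port to port 135 carrying the message in plain text) can be turned into a simple matcher. This is an added example, not part of the original thread; the keyword list, the reading of "high port" as 1024 or above, the labels, the packet builder and the sample addresses are assumptions constructed for illustration.

```python
import struct

# Assumption: keywords taken from the "diploma" and "poetry" messages in the thread.
KEYWORDS = (b"diploma", b"poetry")

def build_packet(sport, dport, payload):
    """Build a constructed IPv4/UDP packet (checksums left zero) for testing."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + udp

def parse_ipv4_udp(pkt):
    """Return (src_port, dst_port, payload) for an IPv4/UDP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    # Non-first fragments carry no UDP header, so they cannot be classified here.
    if ihl < 20 or frag_offset or len(pkt) < ihl + 8:
        return None
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return sport, dport, pkt[ihl + 8:ihl + ulen]

def classify(pkt):
    """Label a packet according to the NET SEND pattern described in the thread."""
    parsed = parse_ipv4_udp(pkt)
    if parsed is None:
        return None
    sport, dport, payload = parsed
    if sport == 137 and dport == 137:
        return "nbns-137"  # name-service lookups that precede the message
    if dport == 135 and sport >= 1024:  # assumption: "high port" means >= 1024
        text = payload.lower()
        hits = [k.decode() for k in KEYWORDS if k in text]
        # The message is plain text, so a known string can be matched directly.
        return "udp135-message:" + ",".join(hits) if hits else "udp135"
    return None

if __name__ == "__main__":
    sample = build_packet(3456, 135, b"\x04\x00(constructed) Get your DIPLOMA today")
    print(classify(sample))
```

Because the match is on UDP destination port 135, it also covers sites that, like the one in the question, already block ports 137-139.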