[unisog] Unusual volume: UDP:137 probes

Saracini, Bill SaraciniW at health.missouri.edu
Mon Sep 30 15:36:20 GMT 2002


Our network folks think that maybe the internal machine was tagged with a worm that used 224.0.0.x as the starting point of a scan and caused the switches to believe new groups were being requested. Created quite a load on the gear.  We are digging further, but it might be something to worry about if you're routing multicast.

We are still looking at the netbios stuff - we had at least two machines compromised, including one that did the multicast.  We don't know which vermin got them, yet.

Thanks!

Bill


-----Original Message-----
From: John Sage [mailto:jsage at finchhaven.com]
Sent: Monday, September 30, 2002 10:07 AM
To: Saracini, Bill
Cc: unisog at sans.org
Subject: Re: [unisog] Unusual volume: UDP:137 probes


On Mon, Sep 30, 2002 at 08:56:28AM -0500, Saracini, Bill wrote:
> We saw the same increase - about 15 times the normal volume.
> However, we also had a machine creating rapid sequential multicast
> groups causing havoc in our switching gear.  We are doing forensics,
> but we'd like to know if this is the first wave of another attack
> type.  Anybody see something similar this weekend?

"..first wave of another attack type.." -- do you mean the box
creating the multicast groups? What protocol?

As far as the UDP flood goes (and it continues here, unabated, at
this moment..) I've been wondering what *it's* up to.

Seems that it may be mapping; or, just something that's been turned on
over a *very* widespread scope and just allowed to run. Whatever it
is, it seems to be global in source, and is just going on and on and
on...

A new Internet "background noise"?



- John
-- 
"It's a troll! Run!^H^H^H^H Laugh!"

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
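Added example, not part of this thread or either poster's tooling: a small Python script that turns the two observations above, a UDP/137 volume jump spread across many sources and one internal host walking sequential 224.0.0.x groups, into detection checks run over a constructed flow-log sample. The log line format, the addresses, the baseline figure and the run threshold are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample flow-log lines (hypothetical format, not taken from the thread):
# "<time> <proto> <src_ip>:<port> -> <dst_ip>:<port> <bytes>"
SAMPLE_LOG = """\
10:07:01 UDP 198.51.100.7:1031 -> 192.0.2.10:137 78
10:07:01 UDP 203.0.113.9:1047 -> 192.0.2.11:137 78
10:07:02 UDP 198.51.100.7:1031 -> 192.0.2.12:137 78
10:07:02 UDP 192.0.2.44:3001 -> 224.0.0.1:1900 120
10:07:02 UDP 192.0.2.44:3001 -> 224.0.0.2:1900 120
10:07:03 UDP 192.0.2.44:3001 -> 224.0.0.3:1900 120
10:07:03 UDP 192.0.2.44:3001 -> 224.0.0.4:1900 120
10:07:03 TCP 192.0.2.5:4000 -> 192.0.2.20:80 512
malformed line that the parser must skip
"""
LINE_RE = re.compile(r"^(\S+) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+) (\d+)$")
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")  # the 224.0.0.x range

def parse(log):
    """Yield (proto, src_ip, dst_ip, dst_port) for well-formed lines; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, proto, sip, _, dip, dport, _ = m.groups()
            yield proto, sip, dip, int(dport)

def udp137_volume(log, baseline):
    """(probe count, distinct sources, count/baseline) for UDP packets to port 137.
    A ratio well above 1 (the thread saw ~15x) across many sources is the
    'global in source' pattern rather than a single scanner."""
    probes = [r for r in parse(log) if r[0] == "UDP" and r[3] == 137]
    return len(probes), len({r[1] for r in probes}), len(probes) / baseline

def multicast_churn(log, min_run=3):
    """Map each source to its longest run of consecutive 224.0.0.x destinations.
    Walking .1, .2, .3, ... makes each packet look like a new group to the switches;
    only sources with a run of at least min_run are reported."""
    groups = defaultdict(set)
    for _, sip, dip, _ in parse(log):
        if ipaddress.ip_address(dip) in LINK_LOCAL_MCAST:
            groups[sip].add(int(dip.rsplit(".", 1)[1]))
    flagged = {}
    for sip, octets in groups.items():
        longest, run, prev = 0, 0, -2  # prev=-2 so the first octet never continues a run
        for o in sorted(octets):
            run = run + 1 if o == prev + 1 else 1
            longest, prev = max(longest, run), o
        if longest >= min_run:
            flagged[sip] = longest
    return flagged
```

On the sample, the UDP/137 check reports 3 probes from 2 sources, and the multicast check flags 192.0.2.44 with a run of 4 consecutive groups.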


