[unisog] Heavy UDP port 137 scans today?

John Sage jsage at finchhaven.com
Sun Sep 29 07:15:43 GMT 2002


Mike:

On Sat, Sep 28, 2002 at 06:17:04PM -0700, Mike Iglesias wrote:
> We've seen a dramatic increase in UDP port 137 scans of our campus, starting
> last night (Friday) around 5:30pm PDT.
> 
> The number of unique IPs scanning us on UDP ports has been around 5-25
> for the last two weeks, until yesterday when it hit 870 and so far
> today it's around 3200 IPs that have hit us with scans (almost all of
> them against port 137).
> 
> Is anyone else seeing this?

Yes.

I'm on a dialup into AT&T's Seattle WA POP; I've seen 85 UDP:137 packets since
this AM 09/28/02 PDT.

Only a few source IP addresses have repeated; source ports are all in
the range 1024-1032 with very few outside that range; most TTLs are in
the range 107-115; the packet contents *seem* to be normal UDP:137
stuff.

A sample:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/28-07:56:52.009771 66.166.63.138:1028 -> 12.82.137.228:137
UDP TTL:115 TOS:0x0 ID:20655 IpLen:20 DgmLen:78
Len: 58
0x0000: 45 00 00 4E 50 AF 00 00 73 11 DE 89 42 A6 3F 8A  E..NP...s...B.?.
0x0010: 0C 52 89 E4 04 04 00 89 00 3A A3 3D 01 00 00 10  .R.......:.=....
0x0020: 00 01 00 00 00 00 00 00 20 43 4B 41 41 41 41 41  ........ CKAAAAA
0x0030: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0x0040: 41 41 41 41 41 41 41 41 41 00 00 21 00 01        AAAAAAAAA..!..

[toot at sparky /]# host 66.166.63.138
138.63.166.66.in-addr.arpa. domain name pointer h-66-166-63-138.HSTQTX02.covad.net.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/28-08:09:19.554838 61.38.215.123:1025 -> 12.82.137.228:137
UDP TTL:107 TOS:0x0 ID:13345 IpLen:20 DgmLen:78
Len: 58
0x0000: 45 00 00 4E 34 21 00 00 6B 11 70 A6 3D 26 D7 7B  E..N4!..k.p.=&.{
0x0010: 0C 52 89 E4 04 01 00 89 00 3A 10 CF 01 00 00 10  .R.......:......
0x0020: 00 01 00 00 00 00 00 00 20 43 4B 41 41 41 41 41  ........ CKAAAAA
0x0030: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0x0040: 41 41 41 41 41 41 41 41 41 00 00 21 00 01        AAAAAAAAA..!..

inetnum:      61.38.215.96 - 61.38.215.127
netname:      BLUE4018808D
descr:        Blue Sky
descr:        PC Game Plaza User in
descr:        Shinahm4-dong Dong-gu TAEGU
country:      KR

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Source hosts are all over the globe. I've done host name or whois
lookups for the first 20% or so...

Note that this has continued even after I've disconnected and redialed
into AT&T's Seattle WA POP, and have a different dest IP.



- John
-- 
"It's a troll! Run!^H^H^H^H Laugh!"

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
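The two dumps above can be checked rather than eyeballed. What follows is an added example, not part of John's post: a small Python decoder for an IPv4/UDP datagram carrying a NetBIOS Name Service query, run over the first sample's bytes exactly as they appear in the post. Decoding the 32-character label "CKAAAA..." with RFC 1001 first-level encoding (two letters 'A'..'P' per byte, one per nibble) yields the single character "*" padded with NULs, and the question type 0x0021 is NBSTAT, so each packet is a wildcard node-status request of the kind `nbtstat -A` emits. Note that both samples also carry the same transaction ID, 0x0100. The builder at the end constructs such a request from scratch so the sample payload can be compared byte for byte; the function and variable names are mine.

```python
import struct

# First sample from the post (66.166.63.138:1028 -> 12.82.137.228:137), 78 bytes.
SAMPLE_HEX = """
45 00 00 4E 50 AF 00 00 73 11 DE 89 42 A6 3F 8A
0C 52 89 E4 04 04 00 89 00 3A A3 3D 01 00 00 10
00 01 00 00 00 00 00 00 20 43 4B 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 00 00 21 00 01
"""
SAMPLE = bytes.fromhex(SAMPLE_HEX)

NBNS_PORT = 137
# Question types used by NBNS (RFC 1002, 4.2.12): NB = name query, NBSTAT = node status.
NBNS_TYPES = {0x0020: "NB", 0x0021: "NBSTAT"}
NBNS_FLAG_BROADCAST = 0x0010  # the "B" bit of NM_FLAGS in the 16-bit flags word


def decode_first_level(label: bytes) -> bytes:
    """Undo RFC 1001 first-level encoding: 32 chars 'A'..'P' -> 16 raw bytes."""
    if len(label) != 32 or any(not 0x41 <= c <= 0x50 for c in label):
        raise ValueError("not a first-level-encoded NetBIOS name")
    return bytes(((hi - 0x41) << 4) | (lo - 0x41) for hi, lo in zip(label[0::2], label[1::2]))


def encode_first_level(raw16: bytes) -> bytes:
    """Inverse of decode_first_level: 16 raw bytes -> 32 chars 'A'..'P'."""
    assert len(raw16) == 16
    return bytes(c for b in raw16 for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))


def parse_packet(pkt: bytes) -> dict:
    """Parse IPv4 + UDP headers and a single-question NBNS query into a dict."""
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError("not an IPv4/UDP datagram")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, ulen, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if ulen != total_len - ihl:
        raise ValueError("UDP length disagrees with IP total length")
    payload = pkt[ihl + 8:ihl + ulen]

    tid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    # A NetBIOS name is one 32-byte label followed by the (empty) scope terminator.
    if qdcount != 1 or payload[12] != 32 or payload[45] != 0:
        raise ValueError("not a single-question NBNS query with an empty scope")
    raw = decode_first_level(payload[13:45])
    qtype, qclass = struct.unpack("!HH", payload[46:50])
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "ttl": ttl,
        "ip_id": ip_id,
        "sport": sport,
        "dport": dport,
        "tid": tid,
        "opcode": (flags >> 11) & 0x0F,      # 0 = query
        "broadcast": bool(flags & NBNS_FLAG_BROADCAST),
        "name": raw[:15].rstrip(b"\x00 ").decode("ascii", "replace"),
        "suffix": raw[15],                   # 16th byte is the NetBIOS suffix
        "qtype": NBNS_TYPES.get(qtype, hex(qtype)),
        "qclass": qclass,
    }


def is_node_status_probe(pkt: bytes) -> bool:
    """True for a wildcard ('*') NBSTAT query to UDP/137, i.e. an nbtstat -A style probe."""
    info = parse_packet(pkt)
    return info["dport"] == NBNS_PORT and info["qtype"] == "NBSTAT" and info["name"] == "*"


def build_node_status_query(tid: int, broadcast: bool = False) -> bytes:
    """Build the 50-byte NBNS payload of a wildcard node-status request."""
    flags = NBNS_FLAG_BROADCAST if broadcast else 0
    name = encode_first_level(b"*" + b"\x00" * 15)   # wildcard name, NUL padded
    return (struct.pack("!HHHHHH", tid, flags, 1, 0, 0, 0)
            + bytes([32]) + name + b"\x00"
            + struct.pack("!HH", 0x0021, 0x0001))


if __name__ == "__main__":
    info = parse_packet(SAMPLE)
    for k, v in info.items():
        print(f"{k:10} {v}")
    print("node-status probe:", is_node_status_probe(SAMPLE))
    print("matches a built nbtstat -A request:",
          build_node_status_query(info["tid"], info["broadcast"]) == SAMPLE[28:])
```

Feeding the second sample through the same decoder gives the same query with a different source and UDP checksum; the payload bytes are identical, which is what you would expect from a tool that sends the same prebuilt request to every target.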
