[unisog] Unusual volume: UDP:137 probes

Peter Van Epp vanepp at sfu.ca
Mon Sep 30 16:45:34 GMT 2002

	There was a report (so far unconfirmed from any of the usual sources
such as bugtraq) that the 137 scans are a new varient of the slapd worm that
is in the wild. We too are seeing continued scans (although they aren't 
bothering anything here). Haven't seen a problem with multicast (other than
users running ghost and a Mac that went nuts with Appletalk multicast routing
updates and crashed its switch last week some time).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> On Mon, Sep 30, 2002 at 08:56:28AM -0500, Saracini, Bill wrote:
> > We saw the same increase - about 15 times the normal volume.
> However, we also had a machine creating rapid sequential multicast
> groups causing havoc in our switching gear.  We are doing forensics,
> but we'd like to know if this is the first wave of another attack
> type.  Anybody see something similar this weekend?
> "..first wave of another attack type.." -- do you mean the box
> creating the multicast groups? What protocol?
> As far as the UDP flood goes (and it continues here, unabated, at
> this moment..) I've been wondering what *it's* up to.
> Seems that it may be mapping; or, just something that's been turned on
> over a *very* widespread scope and just allowed to run. Whatever it
> is, it seems to be global in source, and is just going on and on and
> on...
> A new Internet "background noise"?
> - John
> -- 
> "It's a troll! Run!^H^H^H^H Laugh!"
> PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
> Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705

More information about the unisog mailing list