[Snort-users] Netbios attack

Bill Marquette wlmarque at ...8...
Wed Nov 15 17:12:37 EST 2000


There are a number of viruses/worms in the wild that exhibit this behavior.  A
number of them distribute the distributed.net RC5DES software in an attempt to
commandeer your spare CPU cycles.  There's an excellent article on this traffic
written by "The Honeynet Project" at:
http://www.enteract.com/~lspitz/worm.html
As a point of reference, across our internet presence (a handful of /24's) we
see anywhere between 50-300 events per day (events are based on source address).

--Bill



From: "Robert L. Yelvington" <rly at ...579...> on 11/15/2000 04:20 PM

To:   Michael Smith <msmith4 at ...795...>
      "'snort-users at lists.sourceforge.net'" <snort-users at lists.sourceforge.net>
cc:
Client:
Subject:  Re: [Snort-users] Netbios attack



Regarding the increase in port 137 scans, I've noticed this as well...

robt

Michael Smith wrote:
>
> I got a portscan on 137 from rr.com.  Of course, I've got a Debian box with
> nothing listening on 137, so there's no harm done.  I sent them the log entry
> and a short message that said that they might have a problem with that box.
> Their reply was that the probe I received was most likely a reply to some
> sort of web surfing that I was doing and that maybe if I had a more
> sophisticated alarm installed, it would show this.  I laughed.  Oh well, I
> was trying to do them a favor.
>
> At any rate, I've been seeing an increase in port 137 scans over the past
> month or so.
>
> Dr SuSE wrote:
>
> > The second attempt from 24.163.71.18 which resolved to an rr.com host was
> > quick and simple.  This person did establish a netbios connection, then
> > attempted to access the C drive but once again it was rejected by my
> > machine since the C drive was not shared.
> >
>
> --
> Michael J. Smith msmith4 at ...795...
> 2250 Patterson #25 Eugene, OR 97405
> (541)346-7562
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users