Date: Fri, 6 Mar 1998 18:05:44 -0600 (CST)
From: "Kenneth P. Stox" <ken@stox.sa.enteract.com>
To: David Babler <root@rigel.orionsys.com>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Port 137 access - somebody monkeying around?
Message-ID: <Pine.BSF.3.96.980306173826.6284B-100000@m4.stox.sa.enteract.com>
In-Reply-To: <Pine.BSF.3.96.980306132649.6827G-100000@Rigel.orionsys.com>

Sounds like someone may be probing for targets of a teardrop attack. As you
may know, many sites (UC Berkeley, etc.) were attacked this week. The attack
did seem to target nets which had NT/Lose95 machines. I would definitely keep
an eye on it.

On Fri, 6 Mar 1998, David Babler wrote:

> Perhaps this might belong to FreeBSD-security, but what the hey - it
> involves ISPs too...
>
> My ipfw rules deny and log all services that I don't support here, and
> I've noticed that I will often see a string of access attempts on my port
> 137 (NetBIOS Name Service) from foreign addresses (not once from any of my
> dialup customers). I was under the impression that these contacts might be
> Bad Guys trying to take advantage of some known exploit, thinking I was
> running NT or something. Is that a valid assumption, or is there some
> legitimate reason why foreign IPs should be trying to connect to that
> port? I complained once to a system one of whose dialup customers
> continued a port 137 probe on and off for an hour. When the user was
> contacted, he claimed he had NO IDEA what we were talking about, that he
> might have just "tried something" with a browser.
>
> Am I being too paranoid?
>
> -Dave
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
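
Added example, not part of either message: one way to tell a one-off stray packet from the kind of on-and-off port 137 probing described above is to group the denied hits by source and measure how long each source kept at it. The syslog line format, rule number, interface name, addresses and thresholds below are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed syslog form of an ipfw deny-and-log hit (not taken from the thread).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ /kernel: ipfw: \d+ Deny "
    r"(?:UDP|TCP) (?P<src>[\d.]+):\d+ [\d.]+:(?P<dport>\d+) in via \S+")

# Constructed sample log; 192.0.2.0/24 stands in for the ISP's own dialup pool.
SAMPLE_LOG = """\
Mar  6 13:02:11 rigel /kernel: ipfw: 600 Deny UDP 203.0.113.9:137 192.0.2.1:137 in via ed0
Mar  6 13:02:14 rigel /kernel: ipfw: 600 Deny UDP 203.0.113.9:137 192.0.2.1:137 in via ed0
Mar  6 13:15:00 rigel /kernel: ipfw: 600 Deny UDP 198.51.100.20:1029 192.0.2.1:137 in via ed0
Mar  6 13:20:00 rigel /kernel: ipfw: 600 Deny TCP 198.51.100.20:1030 192.0.2.1:139 in via ed0
Mar  6 13:31:40 rigel /kernel: ipfw: 600 Deny UDP 203.0.113.9:137 192.0.2.1:137 in via ed0
Mar  6 13:40:00 rigel /kernel: ipfw: 600 Deny UDP 192.0.2.50:137 192.0.2.1:137 in via ed0
Mar  6 13:50:00 rigel /kernel: ipfw: 600 Deny UDP 192.0.2.50:137 192.0.2.1:137 in via ed0
Mar  6 14:00:00 rigel /kernel: ipfw: 600 Deny UDP 192.0.2.50:137 192.0.2.1:137 in via ed0
Mar  6 14:01:05 rigel /kernel: ipfw: 600 Deny UDP 203.0.113.9:137 192.0.2.1:137 in via ed0
"""

def summarize(log_text, local_nets, port=137, year=1998):
    """Per source: hits denied on `port`, minutes spanned, and whether it is foreign."""
    nets = [ip_network(n) for n in local_nets]
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or int(m["dport"]) != port:
            continue
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits[m["src"]].append(ts)
    report = {}
    for src, times in hits.items():
        span = (max(times) - min(times)).total_seconds() / 60
        foreign = not any(ip_address(src) in n for n in nets)
        report[src] = {"count": len(times), "span_min": span, "foreign": foreign}
    return report

def sustained(report, min_hits=3, min_span_min=10):
    """Foreign sources that kept coming back over time, not a single stray packet."""
    return sorted(s for s, r in report.items()
                  if r["foreign"] and r["count"] >= min_hits and r["span_min"] >= min_span_min)

if __name__ == "__main__":
    print(sustained(summarize(SAMPLE_LOG, ["192.0.2.0/24"])))
```
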