---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.391 / Virus Database: 222 - Release Date: 9/19/02
Thanks for posting this. Several of us have been receiving hundreds of these
port 137 scans in the grc.security newsgroups.
Unfortunately the security and anti-virus sites are not saying
anything yet, so at the moment whatever is causing this is unknown.
Port 137 is NetBIOS Name Service so my guess is that something/someone is
searching out networks that have NetBIOS installed and looking for computer
names, maybe in an attempt to connect to those computers.
A pure guess on my part... I explicitly denied 137 on my FW just to be on
the safe side.
--
Rob
Could it be another SSL variant - I think not as we are seeing Windows
workstations being infected.
On Mon, 30 Sep 2002 01:18:30 GMT, "Tie Dye"
<i~fly~vfr~@worldnet.att.net> wrote:
There's a _little_ bit getting around about it but not much. About all
I've been able to glean is that port 137 UDP traffic is on the rise.
http://isc.incidents.org/ has a bit of a blurb. But you already
knew that.
So far about the only thing that can be said for sure is that they're
not genuine netbios-ns lookups. If they're legit the broadcast bit is
not set and the source port is 137. In all cases the appearances in
my logs[1] have the broadcast bit set and the source port is mostly
between 1025 and 1036. The other thing of note that I've seen is that
the rate of hits is increasing.
Interesting indeed. I too wonder what it all means. A honeypot on a
well connected network could perhaps provide some interesting stuff...;-)
[deletia]
[1] My connection is via Optus cable and Optus block many things
so I can't say for sure if I'm seeing the "real deal(tm)".
--
Ooroo
Mark F...
Another Optus Cable Traffic Monitor.
http://www.members.optushome.com.au/forsythm/traff/
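A small classifier for the heuristic Mark gives above (broadcast bit clear and source port 137 on a genuine lookup), added here as an example; it is not code from the thread. It assumes the RFC 1002 NetBIOS Name Service header layout, and the sample packets and source addresses are constructed.

```python
import struct
NBNS_PORT = 137
FLAG_RESPONSE = 0x8000   # R bit: set on replies
FLAG_BROADCAST = 0x0010  # B bit: lowest NM_FLAGS bit, just above the 4-bit RCODE


def parse_nbns_header(payload):
    """Decode the fixed 12-byte NBNS header (RFC 1002); raise if truncated."""
    if len(payload) < 12:
        raise ValueError("truncated NBNS header (%d bytes)" % len(payload))
    trn_id, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", payload[:12])
    return {"trn_id": trn_id, "response": bool(flags & FLAG_RESPONSE),
            "opcode": (flags >> 11) & 0xF, "broadcast": bool(flags & FLAG_BROADCAST),
            "rcode": flags & 0xF, "qdcount": qdcount}


def classify(src_port, payload):
    """Return (verdict, reasons). 'genuine' means what the post calls a legit
    lookup: broadcast bit clear AND source port 137. Anything else is flagged."""
    try:
        hdr = parse_nbns_header(payload)
    except ValueError as exc:
        return ("malformed", [str(exc)])
    reasons = []
    if hdr["broadcast"]:
        reasons.append("broadcast bit set")
    if src_port != NBNS_PORT:
        reasons.append("source port %d is not 137" % src_port)
    return ("suspicious" if reasons else "genuine", reasons)


def build_query(trn_id, flags):
    """Constructed sample: header plus one NBSTAT question for the '*' name."""
    header = struct.pack(">HHHHHH", trn_id, flags, 1, 0, 0, 0)
    question = b"\x20" + b"CK" + b"A" * 30 + b"\x00" + b"\x00\x21\x00\x01"
    return header + question


# Constructed sample log entries: (source address, source port, UDP payload).
SAMPLES = [
    ("192.0.2.10", 137, build_query(0x1234, 0x0000)),     # looks genuine
    ("198.51.100.7", 1029, build_query(0x8ABC, 0x0110)),  # B set, ephemeral port
    ("203.0.113.4", 1033, build_query(0x0001, 0x0010)),   # B set, ephemeral port
    ("203.0.113.9", 137, b"\x00\x01"),                    # truncated datagram
]


def summarize(samples=SAMPLES):
    """Count verdicts over a batch of samples, e.g. one firewall log export."""
    counts = {}
    for _addr, port, payload in samples:
        verdict, _reasons = classify(port, payload)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```

Feed it the source port and UDP payload of each denied port 137 datagram; a rising count of "suspicious" verdicts is the pattern described in the post.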
Did you mean Windows workstations affected instead of infected?? It could
very well be another SSL variant. This worm is not particular as to the OS
on the workstation/server till it finds what it's looking for. Code
Red/Nimda showed up in logs on nearly every OS out there!! Nothing to worry
about on a properly patched $MS box or Unix/Linux boxes.
I'm very nearly convinced that it's
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_OPASOFT.A&VSect=T
Have a read of:-
https://grc.com/x/news.exe?cmd=article&group=grc.security&item=59379&utag=
Beware wrapping URLs
> Yip we are also blocking on the client routers but this is obviously
> very time consuming.
>
> Could it be another SSL variant - I think not as we are seeing Windows
> workstations being infected.
www.symantec.com.
Click the two latest security alerts on the left side of the page.
E.
Indeed
<URL:http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.html>
and
<URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0210&L=ntbugtraq&F=P&S=&P=72>
Regards
--
Dave English,
Client Software Development, Thus PLC,
Dorking Business Park, DORKING, Surrey, UK. RH4 1HJ
http://www.thus.net
Unlikely to be W32/Bugbear. None of the hosts that I have a recent log entry
for and that are still online have port 36794 open.
It's possible that it is what Symantec are calling W32.Opaserv.Worm. See :-
https://grc.com/x/news.exe?cmd=article&group=grc.security&item=59379&utag=
and
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPASOFT.A
Don't sweat the details. Just throw all traffic from commonly used
NetBIOS ports on the floor. Have a look at:-
http://isc.incidents.org/analysis.html?id=170
and visit the two links under Bugbear and Scrup.
Since 26-Jun I've seen 2,453 hits from 2,343 unique addresses. The rate of
hits has risen to something of a crescendo over the last few days.
Have a look at the graph at :-
http://isc.incidents.org/port_details.html?port=137
Also have a look at :-
http://members.optushome.com.au/forsythm/traff/traffanal_w.htm
The rise in the "Bytes DENIED by Firewall" is solely attributable
to the port 137 UDP hits. The usual clutter has remained normal.