
Re: Scan UDP port 135

From: Michael H. Warfield <mhw(at)wittsend.com>
Date: Tue Jan 28 2003 - 22:18:02 EST

On Tue, Jan 28, 2003 at 12:28:33PM -0300, Gkruel wrote:
> I've noticed that since 01/24 00:14 GMT -0200, til today, different IP's

> They send one packet each 30 seconds, one for each IP of my whole range.

> The source IP's are different from any IP sending the slammer worm for me,

        It's not a scan. It's spam. They've figured out that they can send "pop-up" alerter messages to open Windows boxen in a single UDP packet so they're laying back and firing at will. I heard a report of one such spammer firing off at 5 Mbps continuous. Only reason he was tracked back was that his ISP doesn't allow spoofed packets (HINT TO THE REST OF YOU) and so the source addresses were legit. I actually have some sample packets in hand (some captured in the wild some provided to me) and they even work when transmitted to broadcast addresses and "network addresses" (the all zeros address) (SECOND HINT - BLOCK DIRECTED BROADCASTS AND SUBNET ADDRESSES). Net (excuse the pun) result is that if you have vulnerable hosts on a network, they get three for the price of one as these chumps hit first your network address, then the unicast address, then the broadcast address.

        Microsoft even has a KB article on it.

        <http://support.microsoft.com/?id=330904>


        They now recommend blocking numerous Netbios/Windows related ports. Not enough, yet, considering MS-SQL Spida and now MS-SQL Slammer. Add 1433 and 1434 to the list they provide in their KB article, I guess. :-(

        Oh, the article predates the trick the spammers figured out where they only need one packet and can spoof the source. The article was written when there were three or four packets and some handshaking. It's gotten MUCH worse since then.

> Here are some of them:

> I'm used to receive tons of UDP 137, on random IP's, but never to my whole

        UDP 137 is mostly OpaServ and related MSTDs (MicroSoft Transmitted Diseases). I'm capturing piles of them in my honeypots. :-( The various OpaServ variants lead the pack by an order of magnitude, beating out even Nimda in netbios share propagation (which is in second place).

> Is it some other simple probe directed specifically to me, and I'm

        And supports the Netbios alerter service which is used for administrative pop-up messages. Old news. Just getting worse.

> Thanks


        Mike

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  
http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

Received on Wed Jan 29 12:16:25 2003
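The "three for the price of one" pattern Mike describes (one UDP/135 packet to the network address, then the unicast addresses, then the broadcast address) is easy to pick out of firewall logs. The following is an added triage script, not code from the original post or its author; it assumes a simple constructed log format of "epoch src dst proto dport" and a locally administered subnet, and flags sources that touch the network or broadcast address or sweep several hosts on UDP/135.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log lines (not from the original post).
# Assumed format: "<epoch> <src> <dst> <proto> <dport>"
# 203.0.113.7 hits the network address, three unicast hosts and the
# broadcast address of 192.0.2.0/24 on UDP/135; 198.51.100.9 is ordinary
# UDP/137 noise that should not be reported.
SAMPLE_LOG = """\
1043700000 203.0.113.7 192.0.2.0 udp 135
1043700000 203.0.113.7 192.0.2.1 udp 135
1043700000 203.0.113.7 192.0.2.255 udp 135
1043700030 203.0.113.7 192.0.2.2 udp 135
1043700060 203.0.113.7 192.0.2.3 udp 135
1043700001 198.51.100.9 192.0.2.1 udp 137
1043700002 198.51.100.9 192.0.2.5 udp 137
"""


def parse(log):
    """Yield (epoch, src, dst_address, proto, dport) tuples from the log text."""
    for line in log.splitlines():
        ts, src, dst, proto, dport = line.split()
        yield int(ts), src, ipaddress.ip_address(dst), proto.lower(), int(dport)


def messenger_sweeps(log, subnet, min_hosts=3):
    """Report sources sending UDP/135 into `subnet` in a sweep-like pattern.

    A source is reported if it sends to the subnet's network address or
    broadcast address (directed-broadcast abuse), or to at least `min_hosts`
    distinct unicast addresses. Returns {src: summary dict}.
    """
    net = ipaddress.ip_network(subnet)
    hits = defaultdict(set)  # src -> set of destination addresses seen
    for _ts, src, dst, proto, dport in parse(log):
        if proto == "udp" and dport == 135 and dst in net:
            hits[src].add(dst)
    special = {net.network_address, net.broadcast_address}
    report = {}
    for src, dsts in hits.items():
        unicast = dsts - special
        summary = {
            "network_addr": net.network_address in dsts,
            "broadcast": net.broadcast_address in dsts,
            "unicast_hosts": len(unicast),
        }
        if summary["network_addr"] or summary["broadcast"] or len(unicast) >= min_hosts:
            report[src] = summary
    return report
```

Sources that appear with "network_addr" or "broadcast" set are the ones that would reach every vulnerable host three times over, which is exactly why the reply recommends dropping directed broadcasts and subnet-address traffic at the border.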


