I was thinking that it was a worm also, but which one? We did some hunting yesterday & found that some of the PCs that were scanning had both Nimda & a Netware client. We know that when Nimda hits a desktop via e-mail or browser, it scans for open shares. Our hypothesis is that the scanning code uses a generic Windows system call that the Netware client intercepts & sends out via Netware NCP port 524 and the MS client sends out via NetBIOS UDP 137. My Windows API knowledge is about 10 years old, so I can't be sure how these system calls work, but it does make for a nice, neat explanation.
Unfortunately most of our employees are on strike this week. That makes it tough to get someone out to a desktop. It's time to start null routing. :-)

--Mike

bob bobing wrote:
> Well the scanning of local class A network, plus the fact that the src seems to be PCs (is this a fact?), and the number keeps increasing (assuming more sources), and it's close to the time Nimda started. Also I thought Nimda also did NetBIOS scans, or does it just open shares all over the place.
>
> Can't really explain 524...
>
> just a thought.
>
> --- Ron DuFresne <[EMAIL PROTECTED]> wrote:
>
>> What makes you think Nimda here? Are there any reports of Nimda using other than e-mail and the web to pollinate?
>>
>> Thanks,
>>
>> Ron DuFresne
>>
>> On Mon, 1 Oct 2001, bob bobing wrote:
>>
>>> Could be the Nimda virus, have you scanned the machines in question.
>>> --- Michael Janke <[EMAIL PROTECTED]> wrote:
>>>
>>>> We've been seeing an increasing number of probes on port 524 starting about a week ago.
>>>>
>>>> The probes appear to be coming from ordinary PCs, both internal and external to our network. The probes follow a regular pattern of 3 probes followed by DNS and NetBIOS lookups. The probes appear to scan their own class 'A' and 'B' more often than other networks, but will jump randomly a percentage of the time. The time between packets and the packet lengths are very consistent across many scans.
>>>>
>>>> Port 524 is normally used for Netware 5.x file services, but has also been associated with an old Linux vulnerability.
>>>>
>>>> I've isolated a single scan using Netflow data.
>>>>
>>>> Time      SrcIPaddress   SrcP  DstIPaddress   DstP  Pr   Pkts  Octets
>>>> 09:24:18  A1.29.208.155  1088  A1.29.237.94   524   TCP  3     144
>>>> 09:24:28  A1.29.208.155  1089  A1.29.237.94   524   TCP  3     144
>>>> 09:24:39  A1.29.208.155  1090  A1.29.237.94   524   TCP  3     144
>>>> 09:24:52  A1.29.208.155  137   <nameserver1>  53    UDP  6     360
>>>> 09:24:57  A1.29.208.155  137   <nameserver2>  53    UDP  6     360
>>>> 09:25:01  A1.29.208.155  137   A1.29.237.94   137   UDP  3     234
>>>>
>>>> 09:25:12  A1.29.208.155  1093  A1.201.92.88   524   TCP  3     144
>>>> 09:25:22  A1.29.208.155  1094  A1.201.92.88   524   TCP  3     144
>>>> 09:25:33  A1.29.208.155  1095  A1.201.92.88   524   TCP  3     144
>>>> 09:25:46  A1.29.208.155  137   <nameserver1>  53    UDP  6     360
>>>> 09:25:51  A1.29.208.155  137   <nameserver2>  53    UDP  6     360
>>>> 09:25:55  A1.29.208.155  137   A1.201.92.88   137   UDP  3     234
>>>>
>>>> 09:26:06  A1.29.208.155  1098  A1.29.241.245  524   TCP  3     144
>>>> 09:26:16  A1.29.208.155  1099  A1.29.241.245  524   TCP  3     144
>>>> 09:26:27  A1.29.208.155  1100  A1.29.241.245  524   TCP  3     144
>>>> 09:26:40  A1.29.208.155  137   <nameserver1>  53    UDP  6     366
>>>> 09:26:45  A1.29.208.155  137   <nameserver2>  53    UDP  6     366
>>>> 09:26:49  A1.29.208.155  137   A1.29.241.245  137   UDP  3     234
>>>>
>>>> 09:27:00  A1.29.208.155  1103  A2.242.13.97   524   TCP  3     144
>>>> 09:27:10  A1.29.208.155  1104  A2.242.13.97   524   TCP  3     144
>>>> 09:27:21  A1.29.208.155  1105  A2.242.13.97   524   TCP  3     144
>>>>
>>>> This is a new pattern to us. Has anybody seen anything like it?
>>>>
>>>> --Mike
>>>>
>>>> -----------------------------------------
>>>> Michael Janke
>>>> Director, Network Services
>>>> Minnesota State Colleges and Universities
>>>> -----------------------------------------
>>>>
>>>> _______________________________________________
>>>> Firewalls mailing list
>>>> [EMAIL PROTECTED]
>>>> http://lists.gnac.net/mailman/listinfo/firewalls
>>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
>> ***testing, only testing, and damn good at it too!***
>>
>> OK, so you're a Ph.D. Just don't touch anything.
>

--
-----------------------------------------
Michael Janke
Minnesota State Colleges and Universities
Saint Paul MN 55108
--------From real Server 7.0 startup------
Starting RealServer 7.0 Core...
Loading RealServer License Files...
Detecting Number of CPUs...
Testing 1 CPU(s): 1 CPU Detected, Phew...
-----------------------------------------
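The single scan Mike isolated above is enough to turn the pattern into a detection rule. What follows is an added example written for this page, not code from the thread or from the Firewalls list: it parses the NetFlow rows exactly as posted (the anonymized addresses such as A1.29.208.155 and the <nameserver> placeholders are handled as plain strings) and flags any source that sends three or more short TCP flows to port 524 at one host and then a UDP/137 flow to the same host shortly after. The 90-second follow-up window, the minimum probe count of three, and the assumption that the first dotted label stands in for "own class A" are mine, not anything the post states.

```python
"""Detect the 3x TCP/524 then UDP/137 probe pattern in NetFlow-style text.

Added example for the thread above; not code from the original post.
Field order (Time Src SrcP Dst DstP Pr Pkts Octets) is taken from the
posted table; the probe count and follow-up window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The rows Mike posted, verbatim apart from whitespace.  Addresses are
# anonymized in the post ("A1.29.208.155"), so they are handled as strings.
NETFLOW_TEXT = """\
Time SrcIPaddress SrcP DstIPaddress DstP Pr Pkts Octets
09:24:18 A1.29.208.155 1088 A1.29.237.94 524 TCP 3 144
09:24:28 A1.29.208.155 1089 A1.29.237.94 524 TCP 3 144
09:24:39 A1.29.208.155 1090 A1.29.237.94 524 TCP 3 144
09:24:52 A1.29.208.155 137 <nameserver1> 53 UDP 6 360
09:24:57 A1.29.208.155 137 <nameserver2> 53 UDP 6 360
09:25:01 A1.29.208.155 137 A1.29.237.94 137 UDP 3 234
09:25:12 A1.29.208.155 1093 A1.201.92.88 524 TCP 3 144
09:25:22 A1.29.208.155 1094 A1.201.92.88 524 TCP 3 144
09:25:33 A1.29.208.155 1095 A1.201.92.88 524 TCP 3 144
09:25:46 A1.29.208.155 137 <nameserver1> 53 UDP 6 360
09:25:51 A1.29.208.155 137 <nameserver2> 53 UDP 6 360
09:25:55 A1.29.208.155 137 A1.201.92.88 137 UDP 3 234
09:26:06 A1.29.208.155 1098 A1.29.241.245 524 TCP 3 144
09:26:16 A1.29.208.155 1099 A1.29.241.245 524 TCP 3 144
09:26:27 A1.29.208.155 1100 A1.29.241.245 524 TCP 3 144
09:26:40 A1.29.208.155 137 <nameserver1> 53 UDP 6 366
09:26:45 A1.29.208.155 137 <nameserver2> 53 UDP 6 366
09:26:49 A1.29.208.155 137 A1.29.241.245 137 UDP 3 234
09:27:00 A1.29.208.155 1103 A2.242.13.97 524 TCP 3 144
09:27:10 A1.29.208.155 1104 A2.242.13.97 524 TCP 3 144
09:27:21 A1.29.208.155 1105 A2.242.13.97 524 TCP 3 144
"""


def parse_flows(text):
    """Parse one record per line; the header and malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or not parts[6].isdigit():
            continue
        t, src, sport, dst, dport, proto, pkts, octets = parts
        flows.append({
            "time": datetime.strptime(t, "%H:%M:%S"),
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
            "proto": proto.upper(), "pkts": int(pkts), "octets": int(octets),
        })
    return flows


def find_524_scanners(flows, min_probes=3, followup_window=timedelta(seconds=90)):
    """Return {src: [hit, ...]} for sources that sent >= min_probes TCP/524
    flows to one host.  Each hit records the inter-probe gaps, bytes per
    packet, whether a UDP/137 flow to the same host followed within
    followup_window (assumed 90 s), and whether the target shares the
    source's first address label (stand-in for "own class A")."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)

    hits = defaultdict(list)
    for (src, dst), pair_flows in by_pair.items():
        pair_flows.sort(key=lambda f: f["time"])
        probes = [f for f in pair_flows if f["proto"] == "TCP" and f["dport"] == 524]
        if len(probes) < min_probes:
            continue
        last = probes[-1]["time"]
        followed = any(
            f["proto"] == "UDP" and f["dport"] == 137
            and last <= f["time"] <= last + followup_window
            for f in pair_flows
        )
        hits[src].append({
            "target": dst,
            "first_seen": probes[0]["time"].strftime("%H:%M:%S"),
            "probes": len(probes),
            "gaps_s": [int((b["time"] - a["time"]).total_seconds())
                       for a, b in zip(probes, probes[1:])],
            "bytes_per_pkt": sorted({f["octets"] // f["pkts"] for f in probes}),
            "netbios_followup": followed,
            "same_first_label": dst.split(".")[0] == src.split(".")[0],
        })
    for src in hits:
        hits[src].sort(key=lambda h: h["first_seen"])
    return dict(hits)


if __name__ == "__main__":
    for src, targets in find_524_scanners(parse_flows(NETFLOW_TEXT)).items():
        print(f"{src}: {len(targets)} hosts probed on TCP/524")
        for h in targets:
            print(f"  {h['first_seen']} {h['target']:<15} probes={h['probes']} "
                  f"gaps={h['gaps_s']} B/pkt={h['bytes_per_pkt']} "
                  f"netbios={h['netbios_followup']} same_net={h['same_first_label']}")
```

Run against the posted rows, the only hit is A1.29.208.155 with four targets. The last one (A2.242.13.97) shows no NetBIOS follow-up only because the excerpt ends there, which is why the rule keeps the 524 probes and the follow-up as separate fields instead of requiring both before it reports anything. The 144 octets over 3 packets works out to 48 bytes per packet, which is consistent with an unanswered SYN plus two retransmissions rather than a completed NCP session; a real NetWare login would carry far more data. The same-first-label check is only a stand-in for Mike's "own class A" observation, since the posted addresses are anonymized.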
