Re: [ILUG] Frequent connections on port 137

From: Kenn Humborg (kenn at domain avalon.wombat.ie)
Date: Sat 18 Sep 1999 - 14:09:22 IST


On Sat, Sep 18, 1999 at 10:51:42AM +0100, Thomas Ribbrock wrote:
> Hi folks,
>
> I'm in need of some insight here...
>
> I have sentry installed on my PC and over the past weeks I frequently get
> attack alerts with regard to connections on port 137 from different servers.
> A typical log would look like this:
>
> Sep 18 10:30:40 angua abacus_sentry[418]: attackalert: Connect from host: bf-web.bord-failte.iol.ie/194.125.40.195 to TCP port: 137
> Sep 18 10:30:40 angua abacus_sentry[418]: attackalert: Host 194.125.40.195 has been blocked via wrappers.
> Sep 18 10:30:40 angua abacus_sentry[418]: attackalert: Host 194.125.40.195 has been blocked via dropped route.
> Sep 18 10:30:42 angua abacus_sentry[418]: attackalert: Connect from host: bf-web.bord-failte.iol.ie/194.125.40.195 to TCP port: 137
> Sep 18 10:30:42 angua abacus_sentry[418]: attackalert: Host: 194.125.40.195 is already blocked. Ignoring

I've heard that IIS often does netbios lookups on the connecting machine. It
probably does some funny, proprietary type of authentication if the client
is running Windows.

If you want to see what's in the packets, use tcpdump:

# tcpdump -i ppp0 port 137 -s 1000

Probably won't give you much useful info unless you can interpret the innards
of netbios stuff.

Alternatively, you might try running Samba's nmbd with loads of logging.
nmbd listens on port 137.

Later,
Kenn
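As an added example (not from the thread or from portsentry itself), a small Python triage script for alerts in the format Thomas quoted: it parses the attackalert lines, tallies connections per source address and port, records which block actions fired, and flags sources that only ever touched port 137 as consistent with the NetBIOS name lookup Kenn describes. The sample log is constructed from the quoted lines; the regular expressions assume portsentry's message wording as shown there.

```python
import re
from collections import Counter, defaultdict
# Constructed sample in portsentry's "attackalert" syslog format, assembled from
# the lines quoted in the thread (same host name, address and timestamps).
SAMPLE_LOG = """\
Sep 18 10:30:40 angua abacus_sentry[418]: attackalert: Connect from host: bf-web.bord-failte.iol.ie/194.125.40.195 to TCP port: 137
Sep 18 10:30:40 angua abacus_sentry[418]: attackalert: Host 194.125.40.195 has been blocked via wrappers.
Sep 18 10:30:40 angua abacus_sentry[418]: attackalert: Host 194.125.40.195 has been blocked via dropped route.
Sep 18 10:30:42 angua abacus_sentry[418]: attackalert: Connect from host: bf-web.bord-failte.iol.ie/194.125.40.195 to TCP port: 137
Sep 18 10:30:42 angua abacus_sentry[418]: attackalert: Host: 194.125.40.195 is already blocked. Ignoring
"""

CONNECT_RE = re.compile(
    r"attackalert: Connect from host: (?P<host>\S+)/(?P<ip>[\d.]+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)
# Matches the "blocked via wrappers" / "blocked via dropped route" actions;
# the "is already blocked. Ignoring" repeat is deliberately not counted.
BLOCK_RE = re.compile(
    r"attackalert: Host:? (?P<ip>[\d.]+) has been blocked via (?P<via>\w+( \w+)*)"
)

def parse_portsentry(text):
    """Return (connect events, block actions) found in portsentry syslog output."""
    connects, blocks = [], []
    for line in text.splitlines():
        if m := CONNECT_RE.search(line):
            connects.append({"host": m["host"], "ip": m["ip"],
                             "proto": m["proto"], "port": int(m["port"])})
        elif m := BLOCK_RE.search(line):
            blocks.append({"ip": m["ip"], "via": m["via"]})
    return connects, blocks

def summarize(text):
    """Per source address: connection count, (proto, port) histogram, block methods."""
    connects, blocks = parse_portsentry(text)
    report = defaultdict(lambda: {"host": None, "connects": 0,
                                  "ports": Counter(), "blocked_via": set()})
    for c in connects:
        r = report[c["ip"]]
        r["host"], r["connects"] = c["host"], r["connects"] + 1
        r["ports"][(c["proto"], c["port"])] += 1
    for b in blocks:
        report[b["ip"]]["blocked_via"].add(b["via"])
    return dict(report)

def looks_like_netbios_lookup(entry):
    """True when a source only ever touched port 137 (NetBIOS name service)."""
    return bool(entry["ports"]) and all(port == 137 for _, port in entry["ports"])
```

A source whose histogram also shows other ports fails the last check and deserves a closer look than a bare port 137 lookup.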



This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:04:34 GMT