#
# SCAN OF THE MONTH #7: 30 September
#
# Contest to see who can determine which tool
# was used and the purpose of this scan. Packet
# decodes using snort (http://www.snort.org).
#
# The following signatures were captured in the wild. A site
# is being probed for Microsoft vulnerabilities.

QUESTION
--------

1. What can we tell about the purpose of these Windows scans? Over the
   past two weeks our network has seen MASSIVE amounts of port 137 UDP
   (nbname) and port 139 TCP (nbsession) scans. What is the purpose of
   this sudden increase in scans?

ANSWER
------

Various Windows-based worms that probe for and find system shares.
"Know Your Enemy: Worms at War"
http://www.enteract.com/~lspitz/worm.html

Some input from the security community:

Date: Sat, 14 Oct 2000 21:53:26 +0200
From: Mikael Olsson
To: lance@spitzner.net
Subject: Scan of the month

nbname+nbsession: Do you remember that batch-file virus from a couple of
months ago? It just looked for unprotected computers by spam-scanning
large American ISP networks, accessed their c$ share, and installed
itself there. Wash, rinse, repeat. :)

Date: Mon, 16 Oct 2000 17:57:04 +0200
From: Urs Roost
To: lance@spitzner.net
Subject: Scan of the month

I would say it's from a machine which got the netlog worm. The only
thing which looks a bit strange is that it tries to attack an RFC1918
address.

http://www.sans.org/y2k/honeypot_catch.htm
http://www.cert.org/incident_notes/IN-2000-02.html

Date: Fri, 13 Oct 2000 08:03:46 +0200
From: Andreas Lindenblatt
To: Lance Spitzner
Subject: Re: Scan of the month September:)

Hi Lance,

> Could you hook me up with a link on this? I've been travelling WAY
> too much this week.
jupp: http://www.microsoft.com/technet/security/bulletin/fq00-072.asp

Example code is at:
http://www.nsfocus.com/english/homepage/sa_05.htm

PACKET ANALYSIS
---------------

UDP 137 (nbname)

09/29-22:41:49.652232 216.50.11.237:137 -> 172.16.1.103:137
UDP TTL:113 TOS:0x0 ID:812
Len: 58
45 04 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  E........... CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01

TCP 139 (nbsession)

09/29-15:50:33.294683 216.79.164.118:4889 -> 172.16.1.109:139
TCP TTL:114 TOS:0x0 ID:31663 DF
**S***** Seq: 0xBD49393 Ack: 0x0 Win: 0x2000
TCP Options => MSS: 1460 NOP NOP SackOK

ACTUAL SCANS PAST TWO WEEKS (since 18 Sept)
-------------------------------------------
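The UDP 137 datagram decoded in the PACKET ANALYSIS section above is a NetBIOS Name Service node status request. As an added example (not part of the original challenge write-up or of any of the tools it mentions), the following Python parses that datagram's bytes, undoes the NetBIOS first-level name encoding, and flags the wildcard "*" NBSTAT question that share-enumeration probes send; the payload bytes are transcribed from the snort hex dump, and the NBSTAT/flag constants come from RFC 1001/1002.

```python
import struct

# UDP payload of the port 137 packet in the PACKET ANALYSIS dump above (58-byte
# datagram minus the 8-byte UDP header), transcribed from the snort hex output.
NBNAME_PROBE = bytes.fromhex(
    "45040010000100000000000020434b41"
    "41414141414141414141414141414141"
    "41414141414141414141414141000021"
    "0001"
)

NBSTAT = 0x0021  # node status request question type (RFC 1002)


def decode_nb_name(encoded: bytes):
    """Undo NetBIOS first-level encoding (RFC 1001 14.1): each raw byte is
    sent as two characters 'A'..'P', one per nibble. Returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    raw = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        if not (0x41 <= hi <= 0x50 and 0x41 <= lo <= 0x50):
            raise ValueError("invalid half-ASCII character in NetBIOS name")
        raw.append(((hi - 0x41) << 4) | (lo - 0x41))
    # 15 name bytes padded with spaces or NULs; the 16th byte is the suffix
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]


def parse_nbns_query(payload: bytes) -> dict:
    """Parse the header and single question of an NBNS datagram (UDP/137)."""
    if len(payload) < 50:
        raise ValueError("truncated NBNS query")
    txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    if qdcount != 1 or payload[12] != 32:
        raise ValueError("not a single-question NBNS query")
    if payload[45] != 0:  # end-of-name; a non-zero byte would start a scope ID
        raise ValueError("NetBIOS scope IDs are not handled here")
    qtype, qclass = struct.unpack("!HH", payload[46:50])
    name, suffix = decode_nb_name(payload[13:45])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,      # 0 = query
        "broadcast": bool(flags & 0x0010),  # the B bit of NM_FLAGS
        "name": name, "suffix": suffix, "qtype": qtype, "qclass": qclass,
        # "*" with type NBSTAT is the wildcard node status request that
        # name/share enumeration tools send to list every name a host holds
        "wildcard_nbstat": qtype == NBSTAT and name == "*",
    }
```

Run over the dump's bytes, the parser reports transaction ID 0x4504, opcode 0 (query) with the broadcast bit set, the encoded name "CKAAA..." decoding to "*", and question type NBSTAT, which is the signature to alert on at the perimeter.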