Upsurge in port 137 scans

Level Extreme platform

Subscription

Corporate profile

Products & Services

Support

Legal

Français

Upsurge in port 137 scans

Message

From

30/09/2002 15:38:58

Victor Anderson
Technohippie Software & Consulting
Waikiki, Hawaii, United States

30/09/2002 15:16:54

Al Doman
M3 Enterprises Inc.
North Vancouver, British Columbia, Canada

General information

Forum:

Visual FoxPro

Category:

Other

Title:

Re: Upsurge in port 137 scans

Miscellaneous

Thread ID:

00705645

Message ID:

00706090

Views:

Yep. I still get a zillion hits a day trying to get into my SQL Server because of that stupid SQL-Worm gizmo that scans IP's searching for SQL Server databases that didn't get a password setup in them. http://www.eeye.com/html/Research/Tools/sqlworm.html and then the virus version explaination of it http://shop.osborne.com/osborne/virus_alert/voyager_alpha.shtml
I wonder how long it will be before the bandwidth on the net being used for scanning/hacking attempts will exceed that of the people actaully trying to do something productive.

>Let the good times roll...
>
>>It uses a text file of proxy servers and it's multi-threaded, so not only is the IP going to show it as coming from one of proxy servers, but it's also able to run like 150+ threads at a time (thus having 150+ anonymous proxy servers each scanning a range of target IP's at a time). Combine that with the ability to zombie and......well you get the idea.
>>
>>>Do you know if the tool spoofs source IPs? If not, there's either a lot of script kiddies playing with it, or a *lot* of compromised zombies...
>>>
>>>>Yeah we're all going to experience this problem for a while...there is a hacker tool that the author released to the public a few weeks ago that will scan a range of IP's trying to get in on port 137 (NetBios)...then to make matters worse someone else made something similar to worm in order to zombie some other machines to do the scranning for them.
>>>>
>>>>>My firewall has logged a large upsurge in port 137 scans over the last couple of days. This evening, every 1 to 5 minutes, from a large and unique set of source IPs, with most source ports 1025 to 1030. Is anyone else seeing this?
>>>>>
>>>>>If it's not just me, it looks like a lot of hosts have been compromised and may be suborned into a massive search for other vulnerable systems. Port 137 is used by Windows NetBIOS/SMB file service so if you're purposely or inadvertently exposing this service to the Internet you might want to be extra vigilant.
>>>>>
>>>>>If you're not firewalled, if you're running Win9x, or if you're not sure of your status take a look at the ShieldsUp! test at http://grc.com .

ICQ 10556 (ya), 254117

Map

View

Click here to load this message in the networking platform