router log - I am under attack ??

Post by tudo » Sun, 08 Jun 2003 20:38:04



Hello!

I've been reading my router's log, and I found something that could be
"*", let's say... Among other things, the router complains about some
(quite many I'd say) unrecognized accesses at port UDP 137. Doesn't that
mean that they (whoever they are) are trying to get to my shares?
The log says something like:

-------------------------------------------
Sat 07 Jun 2003 10:02:21 AM CEST Unrecognized access from 218.63.155.24:1026 to UDP port 137
Sat 07 Jun 2003 10:13:25 AM CEST Unrecognized access from 156.34.18.51:65290 to UDP port 137
Sat 07 Jun 2003 10:15:06 AM CEST Unrecognized access from 61.65.79.156:1029 to UDP port 137
Sat 07 Jun 2003 10:22:19 AM CEST Unrecognized access from 210.17.129.239:19805 to UDP port 137
Sat 07 Jun 2003 10:28:35 AM CEST Unrecognized access from 80.39.155.195:22593 to UDP port 137
Sat 07 Jun 2003 10:29:28 AM CEST Unrecognized access from 202.142.87.142:1028 to UDP port 137
Sat 07 Jun 2003 10:38:08 AM CEST Unrecognized access from 202.164.175.162:1064 to UDP port 137
 213.17.233.70:41701 to UDP port 137
Sat 07 Jun 2003 10:46:39 AM CEST Unrecognized access from 218.88.134.40:21131 to UDP port 137
Sat 07 Jun 2003 10:59:46 AM CEST Unrecognized access from 202.99.225.46:41290 to UDP port 137
Sat 07 Jun 2003 11:00:58 AM CEST Unrecognized access from 217.197.168.6:64555 to UDP port 137
Sat 07 Jun 2003 11:03:37 AM CEST Unrecognized access from 80.255.43.194:1028 to UDP port 137
Sat 07 Jun 2003 11:07:32 AM CEST Unrecognized access from 218.169.52.34:64441 to TCP port 445
Sat 07 Jun 2003 11:08:01 AM CEST Unrecognized access from 61.188.89.134:1026 to UDP port 137
Sat 07 Jun 2003 11:08:01 AM CEST Unrecognized access from 212.119.66.132:1024 to UDP port 137
---------------------------------------------

Behind the router there are 4 comp: linux, win98, winxp, mac OS9, all
sharing music and stuff among each other.
Should I be worried about these logs?? I guess there are hundreds of them
in one day... I AM UNDER SIEGE ??

Thanx in advance. Appreciate some advice, maybe on how to secure things up a
little bit.
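Before deciding whether a log like this is worth worrying about, it helps to tally it by destination port and distinct source instead of reading it line by line. The following is an added example, not code from the thread: a POSIX shell/awk triage of the router's "Unrecognized access" format, run on constructed sample lines (documentation addresses, not the thread's) that include the wrapped entries and the timestamp-less fragment seen in the log above.

```shell
#!/bin/sh
# Added example: tally a router's "Unrecognized access" log by destination port.
# Entries the router wrapped onto a second line are rejoined before parsing;
# a fragment without a timestamp (as in the thread's log) is counted as unparsed.
triage_router_log() {
  awk '
    BEGIN {
      svc["UDP/137"] = "netbios-ns"; svc["UDP/138"] = "netbios-dgm"
      svc["TCP/139"] = "netbios-ssn"; svc["TCP/445"] = "microsoft-ds"
    }
    function flush(    f, a, key) {
      if (entry == "") return
      if (match(entry, /from [0-9.]+:[0-9]+ to (UDP|TCP) port [0-9]+/)) {
        split(substr(entry, RSTART, RLENGTH), f, " ")  # f[2]=src ip:port f[4]=proto f[6]=dport
        split(f[2], a, ":")
        key = f[4] "/" f[6]
        hits[key]++
        if (!((key, a[1]) in seen)) { seen[key, a[1]] = 1; srcs[key]++ }
      } else unparsed++
      entry = ""
    }
    !/[A-Za-z]/ { next }                                  # blank lines and ---- separators
    /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun) / { flush(); entry = $0; next }
    entry != "" && entry !~ / port / { entry = entry " " $0; next }  # wrapped continuation
    { flush(); entry = $0 }                               # fragment with no timestamp
    END {
      flush()
      for (k in hits)
        printf "%s %s hits=%d sources=%d\n", k, ((k in svc) ? svc[k] : "other"), hits[k], srcs[k]
      printf "unparsed=%d\n", unparsed + 0
    }
  ' | sort
}

# Constructed sample in the router's format (documentation addresses, not the thread's).
SAMPLE_LOG='Sat 07 Jun 2003 10:02:21 AM CEST Unrecognized access from 192.0.2.10:1026 to UDP port 137
Sat 07 Jun 2003 10:13:25 AM CEST Unrecognized access from
198.51.100.7:65290 to UDP port 137
Sat 07 Jun 2003 10:15:06 AM CEST Unrecognized access from 192.0.2.10:1029 to UDP port 137
Sat 07 Jun 2003 10:22:19 AM CEST Unrecognized access from
203.0.113.5:19805 to UDP port 137
 203.0.113.99:41701 to UDP port 137
Sat 07 Jun 2003 11:07:32 AM CEST Unrecognized access from 198.51.100.8:64441 to TCP port 445
Sat 07 Jun 2003 11:08:01 AM CEST Unrecognized access from 203.0.113.77:1024 to UDP port 137
---------------------------------------------'

run_sample() { printf '%s\n' "$SAMPLE_LOG" | triage_router_log; }
run_sample
```

A day of router output piped through `triage_router_log` shows at a glance whether anything other than the NetBIOS/SMB ports is being touched, and how many distinct sources are behind the volume.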

 
 
 

router log - I am under attack ??

Post by Martin Coope » Sun, 08 Jun 2003 21:39:28


Hi,
    doesn't sound like you're under attack, it sounds like the normal
netbios traffic.  To stop this, you need to install a firewall either in
software on each machine, or somehow between the router and your
network.

You need to somehow block ports 137-139 and port 445 from incoming
connections.  Depending on the router you are using, maybe you can block
the ports there?

--

   Martin

 
 
 

router log - I am under attack ??

Post by tudo » Sun, 08 Jun 2003 21:54:10



> *You* are not under seige.... *we* all are, I get regular 137 udp scans
> (netbios ssn ?). These are probably coming from infected windoze boxes
> out there.

> Does your 'router' allow the traffic through ?

No, it doesn't. At least *I think* it doesn't. How can I be sure?
 
 
 

router log - I am under attack ??

Post by Johann Koeni » Sun, 08 Jun 2003 21:58:43


On Saturday June 07, 2003 at 11:38


> Hello!

> I've been reading my router's log, and I found something that could be
> "*", let's say... Among other things, the router complains about
> some(quite many I'd say) unrecognized accesses at port UDP 137.
> Doesn't that

http://www.veryComputer.com/
Says it's NETBIOS Name Service.
If I understand NETBIOS correctly, and it's quite possible that I don't,
it is a very 'chatty' protocol. I suppose a Windows computer running
with a direct connection to the internet might try to automatically
discover all the other computers with shares. I could be very wrong
though. Google is smarter than me.

--
-johann koenig
now playing:*sparrer - Trouble on the Terraces
Today is Pungenday, the 12nd day of Confusion in the YOLD 3169
http://www.veryComputer.com/

 
 
 

router log - I am under attack ??

Post by Dave Mille » Sun, 08 Jun 2003 22:23:26



> Hello!

> I've been reading my router's log, and I found something that could be
> "*", let's say... Among other things, the router complains about
> some (quite many I'd say) unrecognized accesses at port UDP 137.
> Doesn't that mean that they (whoever they are) are trying to get to my
> shares? The log says something like:

> ------------------------------------------- Sat 07 Jun 2003 10:02:21 AM
> CEST Unrecognized access from 218.63.155.24:1026 to UDP port 137

<snip>

Standard internet traffic I'm afraid. There's nothing you can do except
block them at your firewall/router. If they are being blocked, forget them
and get on with your life :)

If you haven't been blocking them and you have any shares open (Windows, or
samba on linux), you should definitely run an up to date trojan/virus
checker on the windows machines and an up to date chkrootkit on the linux
box. Don't know much about MacOS9, but if you are running 'dave' or
similar on it to share drives, you should probably check that as well.

Regards,
Dave

 
 
 

router log - I am under attack ??

Post by Georg Armbruste » Mon, 09 Jun 2003 00:37:06



> [router logs % netbios port]

Don't worry at all.
These are simple connection attempts to netbios shares.

Your router will block these for you, unless you told
it to forward these packets to another
machine... (which is, as far as netbios is concerned,
basically not a very good idea)

Hope this helps...
Georg

 
 
 

router log - I am under attack ??

Post by Davi » Mon, 09 Jun 2003 03:05:08



> I've been reading my router's log, and I found something that
> could be "*", let's say... Among other things, the router
> complains about some (quite many I'd say) unrecognized
> accesses at port UDP 137. Doesn't that mean that they
> (whoever they are) are trying to get to my shares? The log
> says something like:
> ------------------------------------------- Sat 07 Jun 2003
> 10:02:21 AM CEST Unrecognized access from 218.63.155.24:1026
> to UDP port 137
--snip--
> Behind the router there are 4 comp: linux, win98, winxp, mac
> OS9, all sharing music and stuff among each other. Should I be
> worried about these logs?? I guess there are hundreds of them
>  in one day... I AM UNDER SIEGE ??

> Thanx in advance. Appreciate some advice, maybe on how to
> secure things up a little bit.

Do you have a reason to allow connections on ports 137, 138, 139
from the internet? If you don't then DROP all connections to
those ports from the internet and only allow connections from the
local network.

--
Confucius:  He who play in root, eventually kill tree.
Registered with The Linux Counter.  http://www.veryComputer.com/
Slackware 9.0 Kernel 2.4.20 i686 (GCC) 3.3
Uptime: 19 days, 10:05, 1 user, load average: 1.14, 1.11, 1.12

 
 
 

router log - I am under attack ??

Post by jack » Mon, 09 Jun 2003 04:11:27



> Sat 07 Jun 2003 10:02:21 AM CEST Unrecognized access from 218.63.155.24:1026
> to UDP port 137
> Behind the router there are 4 comp: linux, win98, winxp, mac OS9, all
> sharing music and stuff among each other.
> Should I be worried about these logs?? I guess there are hundreds of them
> in one day... I AM UNDER SIEGE ??

OK, You already identified that UDP port 137 has to do with win-like p2p
file sharing and things (hence, samba will listen on 137/UDP, too).

You don't specify what Your "router" looks like: If it is a linux box
with iptables on it, which I assume from Your log entries, then You
obviously have some firewall script employed that logs unauthorized
packets. In this case, You needn't worry. These logs tell You that those
packets are recognized and treated accordingly, i. e. logged and
dropped.

If this is not the case, which I doubt, then You should see whether You
have samba running on that "router" and listening on Your outside IP.
(IMHO, You'd get log entries different from Yours if that was so.)
Then, You should verify that 137/UDP is not being forwarded to any of
Your inside boxes, which would then be the target of the attack.

Bottom line: At this point, You should not need to worry; You should
clarify the situation, though; that means to check which of the above
describes Your setup.

> Thanx in advance. Appreciate some advice, maybe on how to secure things up a
> little bit.

Requests to 137/UDP are - unfortunately - quite common. Don't worry.

Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...

 
 
 


router log - I am under attack ??

Post by vmlinu » Mon, 09 Jun 2003 08:26:55



> Sat 07 Jun 2003 11:08:01 AM CEST Unrecognized access from
> 212.119.66.132:1024 to UDP port 137
> ---------------------------------------------

ports 137,138,139 are for netbios (windows) name, datagram and session services

> Behind the router there are 4 comp: linux, win98, winxp, mac OS9, all
> sharing music and stuff among each other.

if you share your dirs, or even partitions...

> Should I be worried about these logs?? I guess there are hundreds of them
> in one day... I AM UNDER SIEGE ??

...and you have your router badly configured, you have to be worried for
sure. because anybody can get your stuff as you give them free for all!

> Thanx in advance. Appreciate some advice, maybe on how to secure things up a
> little bit.

close ports 137-139 from your public (internet) side
 
 
 

router log - I am under attack ??

Post by tudo » Mon, 09 Jun 2003 07:06:37



> Standard internet traffic I'm afraid. There's nothing you can do except
> block them at your firewall/router. If they are being blocked, forget them
> and get on with your life :)

> If you haven't been blocking them and you have any shares open(windows, or
> samba on linux), you should definitely run an up to date trojan/virus
> checker on the windows machines and an up to date chkrootkit on the linux
> box. Don't know much about MacOS9, but if you are running 'dave' or
> similar on it to share drives, you should probably check that as well.

> Regards,
> Dave

Yes, they are being blocked by the router. It was the great number of
attempts that made me have second thoughts about this.

Just a few months have passed since I first got my hands on a linux box, so
let me grab that advice of yours, a chkrootkit you say? I heard about this
kind of tool, never got to try it. Could you point me to the right
direction? Where can I find it (though I don't think that would be a
problem), and most important, do you know any that are worth trying?

Thanx for your time.

 
 
 

router log - I am under attack ??

Post by Allen Kistle » Mon, 09 Jun 2003 08:23:01



> Hello!

> I've been reading my router's log, and I found something that could be
> "*", let's say... Among other things, the router complains about some
> (quite many I'd say) unrecognized accesses at port UDP 137. Doesn't that
> mean that they (whoever they are) are trying to get to my shares?
> The log says something like:

> [snip]

> Behind the router there are 4 comp: linux, win98, winxp, mac OS9, all
> sharing music and stuff among each other.
> Should I be worried about these logs?? I guess there are hundreds of them
> in one day... I AM UNDER SIEGE ??

> Thanx in advance. Appreciate some advice, maybe on how to secure things up a
> little bit.

Requests to UDP 137 on a Windows box return NetBIOS names, which
roughly correspond to the services you're running over NetBIOS.  The
request to TCP 445 is an attempt to connect to a Win2k/WinXP drive share
(CIFS).

If your router neither responds to these attempts nor passes them on to
your internal machines, you have very little to worry about.  Most folks
DROP requests to UDP 137 and don't bother logging them, because if you
log them, they'll swamp anything you really want to be able to see in
your log file.
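Putting Davi's, Martin's and Allen's advice in one place: the following is an added example, not code from the thread, of an iptables rule set for a Linux router that accepts NetBIOS/SMB (137-139 and 445) only from the LAN, drops it from the internet, and logs only a rate-limited trickle so the log is not swamped. The interface and network values (eth0, 192.168.1.0/24) are assumptions; IPT=echo previews the rules without applying them.

```shell
#!/bin/sh
# Added example: NetBIOS/SMB filtering for a Linux router running iptables.
# Assumed (constructed) values: internet on eth0, LAN 192.168.1.0/24 behind it.
# IPT=echo prints the rules instead of applying them.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

netbios_filter_rules() {
  # One user chain holds the whole policy for ports 137-139 and 445.
  $IPT -N NETBIOS 2>/dev/null || $IPT -F NETBIOS
  # The LAN may keep sharing among itself and with the router (Samba).
  $IPT -A NETBIOS ! -i "$WAN_IF" -s "$LAN_NET" -j ACCEPT
  # From the internet: log a rate-limited trickle so a real spike is still
  # visible, then drop everything else silently instead of filling the log.
  $IPT -A NETBIOS -i "$WAN_IF" -m limit --limit 6/hour --limit-burst 5 \
       -j LOG --log-prefix "NETBIOS-DROP: "
  $IPT -A NETBIOS -j DROP
  # Apply to traffic for the router itself (INPUT) and to routed traffic
  # (FORWARD), so a stray port forward cannot expose an inside machine.
  for chain in INPUT FORWARD; do
    $IPT -I "$chain" -p udp --dport 137:139 -j NETBIOS
    $IPT -I "$chain" -p tcp -m multiport --dports 139,445 -j NETBIOS
  done
}

case "${1:-}" in
  apply)   netbios_filter_rules ;;                  # needs root
  preview) (IPT=echo; netbios_filter_rules) ;;      # dry run: print the rules
esac
```

Run with `preview` first and compare the printed rules against the router's existing chains before using `apply`.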

 
 
 

router log - I am under attack ??

Post by Zamies1 » Wed, 11 Jun 2003 05:07:09



> Hi,
>     doesn't sound like you're under attack, it sounds like the normal
> netbios traffic.  To stop this, you need to install a firewall either in
> software on each machine, or somehow between the router and your
> network.

> You need to somehow block ports 137-139 and port 445 from incoming
> connections.  Depending on the router you are using, maybe you can block
> the ports there ?

> --

>    Martin

I agree there is a lot of netbios traffic, and your firewall just logs it.
Block incoming traffic, and outgoing traffic...

Zamies

 
 
 

router log - I am under attack ??

Post by Buch » Wed, 11 Jun 2003 08:36:29


What you are seeing is probably normal and harmless
windows Netbios chatter from windows machines on
your same subnet. Very little to worry about.

Windows machines use UDP port 137 to track network shares,
workgroups, netbios master browsers, etc...it would probably be
better for you to just drop it rather than log it, if possible in your
firewall.

- GR


> Hello!

> I've been reading my router's log, and I found something that could be
> "*", let's say... Among other things, the router complains about some
> (quite many I'd say) unrecognized accesses at port UDP 137. Doesn't that
> mean that they (whoever they are) are trying to get to my shares?
> The log says something like:

> -------------------------------------------
> Sat 07 Jun 2003 10:02:21 AM CEST Unrecognized access from 218.63.155.24:1026 to UDP port 137
> Sat 07 Jun 2003 10:13:25 AM CEST Unrecognized access from 156.34.18.51:65290 to UDP port 137
> Sat 07 Jun 2003 10:15:06 AM CEST Unrecognized access from 61.65.79.156:1029 to UDP port 137
> Sat 07 Jun 2003 10:22:19 AM CEST Unrecognized access from 210.17.129.239:19805 to UDP port 137
> Sat 07 Jun 2003 10:28:35 AM CEST Unrecognized access from 80.39.155.195:22593 to UDP port 137
> Sat 07 Jun 2003 10:29:28 AM CEST Unrecognized access from 202.142.87.142:1028 to UDP port 137
> Sat 07 Jun 2003 10:38:08 AM CEST Unrecognized access from 202.164.175.162:1064 to UDP port 137
>  213.17.233.70:41701 to UDP port 137
> Sat 07 Jun 2003 10:46:39 AM CEST Unrecognized access from 218.88.134.40:21131 to UDP port 137
> Sat 07 Jun 2003 10:59:46 AM CEST Unrecognized access from 202.99.225.46:41290 to UDP port 137
> Sat 07 Jun 2003 11:00:58 AM CEST Unrecognized access from 217.197.168.6:64555 to UDP port 137
> Sat 07 Jun 2003 11:03:37 AM CEST Unrecognized access from 80.255.43.194:1028 to UDP port 137
> Sat 07 Jun 2003 11:07:32 AM CEST Unrecognized access from 218.169.52.34:64441 to TCP port 445
> Sat 07 Jun 2003 11:08:01 AM CEST Unrecognized access from 61.188.89.134:1026 to UDP port 137
> Sat 07 Jun 2003 11:08:01 AM CEST Unrecognized access from 212.119.66.132:1024 to UDP port 137
> ---------------------------------------------

> Behind the router there are 4 comp: linux, win98, winxp, mac OS9, all
> sharing music and stuff among each other.
> Should I be worried about these logs?? I guess there are hundreds of them
> in one day... I AM UNDER SIEGE ??

> Thanx in advance. Appreciate some advice, maybe on how to secure things up a
> little bit.

 
 
 
