I suspect this has nothing at all to do with nimda, and has all to do with
someone trying to tunnel IPX through yer firewall, unless there is a new
nimda variant and there has been no news of that.  What seems to place the
icing on the cake, is the netware client on the machines in question.
That and the fact that 524 is NOT a standard known TCP/IP port.

Thanks,

Ron DuFresne


On Tue, 2 Oct 2001, Michael Janke wrote:

> I was thinking that it was a worm also, but which one?
> 
> We did some hunting yesterday & found that some of the PCs that were scanning 
> had both Nimda & a Netware client. We know that when Nimda hits a desktop via 
> e-mail or browser, it scans for open shares. Our hypothesis is that the scanning 
> code uses a generic Windows system call that the Netware client intercepts & 
> sends out via Netware NCP port 524 and the MS client sends out via Netbios UDP 
> 137. My Windows API knowledge is about 10 years old, so I can't be sure how 
> these system calls work, but it does make for a nice, neat explanation.
> 
> Unfortunately most of our employees are on strike this week. That makes it tough 
> to get someone out to a desktop.
> 
> It's time to start null routing. :-)
> 
> --Mike
> 
> bob bobing wrote:
> > Well the scanning of local class A network, plus the
> > fact that the src seems to be PCs (is this a fact?),
> > and the number keeps increasing (assuming more
> > sources), and it's close to the time nimda started.
> > Also I thought nimda also did netbios scans, or does
> > it just open shares all over the place.
> > 
> > Can't really explain 524... 
> > 
> > just a thought.
> > 
> > --- Ron DuFresne <[EMAIL PROTECTED]> wrote:
> > 
> >>What makes you think nimda here?  Are there any reports of nimda using
> >>other than e-mail and the web to pollinate?
> >>
> >>Thanks,
> >>
> >>Ron DuFresne
> >>
> >>On Mon, 1 Oct 2001, bob bobing wrote:
> >>
> >>
> >>>could be the Nimda virus, have you scanned the machines
> >>>in question.
> >>>--- Michael Janke <[EMAIL PROTECTED]> wrote:
> >>>
> >>>>We've been seeing an increasing number of probes on port 524
> >>>>starting about a week ago.
> >>>>
> >>>>The probes appear to be coming from ordinary PCs, both internal and
> >>>>external to our network. The probes follow a regular pattern of 3
> >>>>probes followed by DNS and Netbios lookups. The probes appear to
> >>>>scan their own class 'A' and 'B' more often than other networks,
> >>>>but will jump randomly a percentage of the time. The time between
> >>>>packets and the packet lengths are very consistent across many
> >>>>scans.
> >>>>
> >>>>Port 524 is normally used for Netware 5.x file services, but has
> >>>>also been associated with an old Linux vulnerability.
> >>>>
> >>>>I've isolated a single scan using Netflow data.
> >>>>
> >>>>Time      SrcIPaddress    SrcP  DstIPaddress   DstP  Pr   Pkts  Octets
> >>>>
> >>>>09:24:18  A1.29.208.155   1088  A1.29.237.94   524   TCP  3     144
> >>>>09:24:28  A1.29.208.155   1089  A1.29.237.94   524   TCP  3     144
> >>>>09:24:39  A1.29.208.155   1090  A1.29.237.94   524   TCP  3     144
> >>>>09:24:52  A1.29.208.155   137   <nameserver1>  53    UDP  6     360
> >>>>09:24:57  A1.29.208.155   137   <nameserver2>  53    UDP  6     360
> >>>>09:25:01  A1.29.208.155   137   A1.29.237.94   137   UDP  3     234
> >>>>
> >>>>09:25:12  A1.29.208.155   1093  A1.201.92.88   524   TCP  3     144
> >>>>09:25:22  A1.29.208.155   1094  A1.201.92.88   524   TCP  3     144
> >>>>09:25:33  A1.29.208.155   1095  A1.201.92.88   524   TCP  3     144
> >>>>09:25:46  A1.29.208.155   137   <nameserver1>  53    UDP  6     360
> >>>>09:25:51  A1.29.208.155   137   <nameserver2>  53    UDP  6     360
> >>>>09:25:55  A1.29.208.155   137   A1.201.92.88   137   UDP  3     234
> >>>>
> >>>>09:26:06  A1.29.208.155   1098  A1.29.241.245  524   TCP  3     144
> >>>>09:26:16  A1.29.208.155   1099  A1.29.241.245  524   TCP  3     144
> >>>>09:26:27  A1.29.208.155   1100  A1.29.241.245  524   TCP  3     144
> >>>>09:26:40  A1.29.208.155   137   <nameserver1>  53    UDP  6     366
> >>>>09:26:45  A1.29.208.155   137   <nameserver2>  53    UDP  6     366
> >>>>09:26:49  A1.29.208.155   137   A1.29.241.245  137   UDP  3     234
> >>>>
> >>>>09:27:00  A1.29.208.155   1103  A2.242.13.97   524   TCP  3     144
> >>>>09:27:10  A1.29.208.155   1104  A2.242.13.97   524   TCP  3     144
> >>>>09:27:21  A1.29.208.155   1105  A2.242.13.97   524   TCP  3     144
> >>>>
> >>>>This is a new pattern to us. Has anybody seen
> >>>>anything like it?
> >>>>
> >>>>--Mike
> >>>>
> >>>>-----------------------------------------
> >>>>Michael Janke
> >>>>Director, Network Services
> >>>>Minnesota State Colleges and Universities
> >>>>-----------------------------------------
> >>>>
> >>>>_______________________________________________
> >>>>Firewalls mailing list
> >>>>[EMAIL PROTECTED]
> >>>>http://lists.gnac.net/mailman/listinfo/firewalls
> >>>>
> >>>
> >>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >>"Cutting the space budget really restores my faith in humanity.  It
> >>eliminates dreams, goals, and ideals and lets us get straight to the
> >>business of hate, debauchery, and self-annihilation." -- Johnny Hart
> >>        ***testing, only testing, and damn good at it too!***
> >>
> >>OK, so you're a Ph.D.  Just don't touch anything.
> >>
> >>
> > 
> > 
> > 
> 
> 
> 
> -- 
> -----------------------------------------
> Michael Janke
> Minnesota State Colleges and Universities
> Saint Paul MN 55108
> 
> --------From real Server 7.0 startup------
> Starting RealServer 7.0 Core...
> Loading RealServer License Files...
> Detecting Number of CPUs...
>     Testing 1 CPU(s): 1 CPU Detected, Phew...
> 
> -----------------------------------------
> 
> 
> 


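The Netflow excerpt Mike posted shows the shape of the pattern: three short TCP flows to port 524 per target, then DNS queries and a UDP 137 NetBIOS name lookup of that same target, before the scanner moves on. The following Python is an added example, not code from anyone in this thread: it parses rows in that column layout and flags source/destination pairs that show the pattern, so the sources can be pulled for inspection rather than null routed blind. The sample rows are constructed to mirror the excerpt (same anonymised "A1.x" address style), and the column names, the "3 probes of at most 3 packets" threshold and the function names are my assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample rows in the layout of the Netflow excerpt above; the last
# row is a normal long NCP session added to show what the detector ignores.
SAMPLE = """\
09:24:18 A1.29.208.155 1088 A1.29.237.94 524 TCP 3 144
09:24:28 A1.29.208.155 1089 A1.29.237.94 524 TCP 3 144
09:24:39 A1.29.208.155 1090 A1.29.237.94 524 TCP 3 144
09:24:52 A1.29.208.155 137 <nameserver1> 53 UDP 6 360
09:24:57 A1.29.208.155 137 <nameserver2> 53 UDP 6 360
09:25:01 A1.29.208.155 137 A1.29.237.94 137 UDP 3 234
09:25:12 A1.29.208.155 1093 A1.201.92.88 524 TCP 3 144
09:25:22 A1.29.208.155 1094 A1.201.92.88 524 TCP 3 144
09:25:33 A1.29.208.155 1095 A1.201.92.88 524 TCP 3 144
09:25:46 A1.29.208.155 137 <nameserver1> 53 UDP 6 360
09:25:55 A1.29.208.155 137 A1.201.92.88 137 UDP 3 234
10:00:00 A1.29.208.160 2001 A1.29.237.94 524 TCP 40 5120
"""
FIELDS = ("time", "src", "sport", "dst", "dport", "proto", "pkts", "octets")
NUMERIC = {"sport", "dport", "pkts", "octets"}

def parse_flows(text):
    """Parse rows of: time src sport dst dport proto pkts octets (time-ordered)."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # header, blank or otherwise malformed row
        flows.append({k: int(v) if k in NUMERIC else v for k, v in zip(FIELDS, parts)})
    return flows

def find_ncp_scan_pattern(flows, probes=3, max_pkts=3):
    """Return (src, dst) pairs where `probes` short TCP/524 flows (<= max_pkts packets,
    i.e. no real NCP session) precede a UDP 137->137 NetBIOS lookup of that destination."""
    ncp_probes = defaultdict(int)
    hits = []
    for fl in flows:  # rows are time-ordered, so a running count keeps "followed by"
        key = (fl["src"], fl["dst"])
        if fl["proto"] == "TCP" and fl["dport"] == 524 and fl["pkts"] <= max_pkts:
            ncp_probes[key] += 1
        elif fl["proto"] == "UDP" and fl["sport"] == 137 and fl["dport"] == 137:
            if ncp_probes[key] >= probes and key not in hits:
                hits.append(key)
    return hits

def scanning_sources(flows):
    """Distinct destinations per source showing the pattern; scanners fan out."""
    return dict(Counter(src for src, _ in find_ncp_scan_pattern(flows)))
```

A genuine Netware client talks to a handful of servers with long NCP sessions, so it never accumulates short probes against many destinations; a source with a high count from scanning_sources is the desktop to go and look at.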