That's someone searching for open shares. 137 is NetBIOS and 1025 is network blackjack. These two in combination usually indicate an open share that probably allows null IPC$ connections.
----- Original Message -----
From: "Kent James" <[EMAIL PROTECTED]>
To: "Security-Basics" <[EMAIL PROTECTED]>
Sent: Tuesday, April 23, 2002 10:21 PM
Subject: UDP 137 then 1025 and 1026

> I get many, many connection attempts (several per hour) to my small server
> where a connection is attempted on port 137/UDP, followed 10-20 seconds
> later by one or more attempts to connect on 1025/UDP and 1026/UDP. These
> come from locations all over the world, and are coming at all times of the
> day, including when our office is empty in the middle of the night. Our
> server only provides internal NAT-based internet sharing, we are not hosting
> a web site or any other internet services. A typical sequence (from a Tiny
> Software Personal Firewall log) is:
>
> In UDP, 67.192.193.215:1071->localhost:137
> In UDP, 67.192.193.215:137->localhost:1026
> In UDP, 67.192.193.215:137->localhost:1025
> In UDP, 67.192.193.215:137->localhost:1026
> In UDP, 67.192.193.215:137->localhost:1025
> In UDP, 67.192.193.215:137->localhost:1026
>
> I am trying to compile a report on the level of potentially hostile probing
> that is being done to our internet connection. Is this legitimate traffic?
> What exactly is it, and what software is producing it? I realize it is
> NetBIOS related.
>
> +----------------+
> Kent James
> [EMAIL PROTECTED]
> +----------------+
>
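For the report the original poster wants to compile, an added example (not part of the thread) that counts sources showing the quoted pattern: an inbound packet to 137/UDP followed by packets from source port 137 to 1025/UDP or 1026/UDP. The line layout is taken from the quoted log excerpt; the function names and the extra log lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# Line layout copied from the quoted excerpt: "In UDP, src:sport->dst:dport"
LINE_RE = re.compile(r"^(In|Out)\s+(UDP|TCP),\s+([^:\s]+):(\d+)->([^:\s]+):(\d+)$")
FOLLOW_UP_PORTS = {1025, 1026}  # destination ports hit after the 137 packet

# First six lines are from the post; the remaining lines are constructed.
SAMPLE_LOG = """\
In UDP, 67.192.193.215:1071->localhost:137
In UDP, 67.192.193.215:137->localhost:1026
In UDP, 67.192.193.215:137->localhost:1025
In UDP, 67.192.193.215:137->localhost:1026
In UDP, 67.192.193.215:137->localhost:1025
In UDP, 67.192.193.215:137->localhost:1026
In UDP, 192.0.2.10:1044->localhost:137
In UDP, 198.51.100.7:137->localhost:1025
Out UDP, localhost:1030->192.0.2.53:53
-- log rotated --
""".splitlines()


def parse_line(line):
    """Return (direction, proto, src_ip, src_port, dst_port), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    direction, proto, src, sport, _dst, dport = m.groups()
    return direction, proto, src, int(sport), int(dport)


def find_netbios_probes(lines):
    """Map source IP -> number of 1025/1026 follow-ups seen after its 137 packet."""
    state = defaultdict(lambda: {"hit_137": False, "follow_ups": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[0] != "In" or rec[1] != "UDP":
            continue  # skip outbound, non-UDP and unparseable lines
        _, _, src, sport, dport = rec
        if dport == 137:
            state[src]["hit_137"] = True
        elif state[src]["hit_137"] and sport == 137 and dport in FOLLOW_UP_PORTS:
            state[src]["follow_ups"] += 1
    return {ip: s["follow_ups"] for ip, s in state.items() if s["follow_ups"]}


if __name__ == "__main__":
    for ip, count in find_netbios_probes(SAMPLE_LOG).items():
        print(f"{ip}: 137/UDP probe followed by {count} packets to 1025/1026")
```

The quoted excerpt carries no timestamps, so the match is on packet order only; the 10-20 second gap mentioned in the post is not checked.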
