[linux-security] Re: What is someone looking for??

[forcer <forcer mindless com>]

On Thu, Jul 09, 1998 at 05:44:30PM -0400, Ryan Matteson wrote:
>I am currently blocking out netbios UDP port 137 on my firewall and was
>wondering what the following means in terms of security:
>
>Jul  9 16:19:05 oscar kernel: IP fw-in rej eth0 UDP SOMEONES_IP:137
>MY_IP:137 L=78 S=0x00 I=46484 F=0x0000 T=111
>
>I have gottena  few 100 of these and was wondering if there are some
>vulnerabilties related to netbios out there?? What do the S/I/F/L fields
>stand for?? I assume T= TOS? Thanks for any info I would appreciate any
>info/URL's now. Is there a way to tell tcpdump to dump all netbios
>packets originating from outside my present class C to a file for future
>viewing?? Thanks again I apprecaite the help

137/udp is netbios-ns.
The someone is probably checking for the Netbios-name of your machine.
Yes, there are some vulnerabilities known.
Samba was until recently remotely exploitable to gain root access, and
there's still the possibility of public shares.
Hope i could help,
	-forcer

-- 
/* If you understand what you're doing, you're not learning anything.     */
/* email: forcer mindless com      -><- www: http://webserver.de/forcer/  */
/* IRC: forcer #StarWars (IRCnet)  -><- PGP/GPG: available on my website  */