
Possible *VERY* Serious problem

  • 07-12-2001 5:18pm
    #1
    Registered Users, Registered Users 2 Posts: 1,202 ✭✭✭


    Last night I installed a firewall in work, and since then I've done a lot of boards.ie browsing.

    I looked at the logs on the firewall, and it shows numerous mentions of the IP 216.247.239.48 (news.boards.ie) making NetBIOS requests to our IP...

    Time     Chain Iface Prot Source          Source port      Destination   Dest Port
    11:07:55 input ippp0 UDP  216.247.239.48  137(NETBIOS-NS)  our.ip.x.x    137(NETBIOS-NS)
    11:07:56 input ippp0 UDP  216.247.239.48  137(NETBIOS-NS)  our.ip.x.x    137(NETBIOS-NS)

    Not sure if it's a big worry, but isn't that what Nimda does? Gets its greasies into IIS and tries to spread via NetBIOS?

    Anyhoo, it might just be me going 'ohhh mi figz' or it could be something dodgy, so I thought I'd post here, and leave it to the smartymen.

    Also, the fact that devore reported that boards.ie is pumping out 8 Megs a sec would also indicate a Nimda infection.

    Any thoughts ?


Comments

  • Closed Accounts Posts: 5,025 ✭✭✭yellum


    Did it make requests on port 80? It's an IIS machine according to netcraft.com, so it should be sending you readme.exe if you visit the site and it should also be requesting files on your IP on port 80.

    Nimda uses email, shares, and websites to spread, nasty lil bugger. I would think that the admins of the site would have been protected from Nimda.


  • Business & Finance Moderators, Entertainment Moderators Posts: 32,387 Mod ✭✭✭✭DeVore


    We are protected from Nimda by regular patching, but that is weird... My firewall (ZoneAlarm) doesn't have a problem with it.

    I'll ask Regi to look into it.

    DeV.


  • Registered Users, Registered Users 2 Posts: 1,202 ✭✭✭Renton


    What about the IIS Lockdown tool ...

    It might help?

    http://www.microsoft.com/downloads/release.asp?ReleaseID=33961&area=search&ordinal=2
    IIS Lockdown Tool (version 2.1)

    IIS Lockdown Wizard version 2.1 works by turning off unnecessary features, thus reducing attack surface available to attackers. To provide multiple layers of protection against attackers, URLscan, with customized templates for each supported server role, is integrated into the IIS Lockdown Wizard.
    To keep the server completely secure, however, all hotfixes are required before and after applying IIS Lockdown Wizard to stay protected against known security vulnerabilities.

    I'm sure if there's a problem ;) regi will sort it out


  • Registered Users, Registered Users 2 Posts: 1,202 ✭✭✭Renton


    Also, bear in mind that there are two different strands of Nimda on the loose

    Nimda.A and Nimda.E,

    Nimda.E seems to be more on the rampage these days...


  • Business & Finance Moderators, Entertainment Moderators Posts: 32,387 Mod ✭✭✭✭DeVore


    We're going to look in Spin Solutions' logs and see if we notice anything there too.

    Hmmmmm, stay tuned.

    DeV.


  • Registered Users, Registered Users 2 Posts: 21,264 ✭✭✭✭Hobbes


    Port 137 is the NetBIOS name service.

    It is normal to see a large number of incoming packets to 137 (on the firewall). This is due to Windows servers that use NetBIOS (WINS) to resolve IP addresses to names.

    It's normal. Unless boards.ie is running on a Linux box? :p


  • Registered Users, Registered Users 2 Posts: 1,202 ✭✭✭Renton


    I think it's because the routers, wherever boards.ie is hosted, aren't blocking 137-139 for whatever reason...

    Not sure why that is, as most routers usually drop any packets on those ports. Anyway, seeing as boards.ie is being moved, it's probably only a temporary problem.


  • Registered Users, Registered Users 2 Posts: 21,264 ✭✭✭✭Hobbes


    Not blocking, perhaps, so they can get your machine name?

    I'm not aware of any exploit on port 137, although 138/139 you should have blocked locally regardless (unless you need it?). Also disable NetBIOS over TCP/IP on your machine.

    You're saying boards.ie has file and print sharing enabled?
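Hobbes's distinction above (UDP/137 name queries are routine noise, 138/139 should be blocked, and per yellum an inbound port 80 connection is the thing worth checking) can be turned into a small triage script for log lines in the layout the first post quotes. This is an added example, not code from the thread; the sample lines are constructed (the two TCP lines are invented to show the other cases), "our.ip.x.x" is kept as the poster's placeholder, and the category labels are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the column layout of the firewall log quoted in the
# thread; "our.ip.x.x" is the poster's placeholder, the two TCP lines are added.
SAMPLE_LOG = """\
11:07:55 input ippp0 UDP 216.247.239.48 137(NETBIOS-NS) our.ip.x.x 137(NETBIOS-NS)
11:07:56 input ippp0 UDP 216.247.239.48 137(NETBIOS-NS) our.ip.x.x 137(NETBIOS-NS)
11:08:10 input ippp0 TCP 216.247.239.48 3721 our.ip.x.x 139(NETBIOS-SSN)
11:08:12 input ippp0 TCP 216.247.239.48 3722 our.ip.x.x 80
"""

# time chain iface proto src sport[(label)] dst dport[(label)]; the header line won't match
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<chain>\S+)\s+(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\S*\s+(?P<dst>\S+)\s+(?P<dport>\d+)\S*\s*$"
)

def parse_line(line):
    # Returns a dict for one log line, or None for the header / blank lines
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def classify(rec):
    """Label an inbound record by what its destination port implies."""
    if rec["chain"] != "input":
        return "ignore"
    proto, dport = rec["proto"].upper(), rec["dport"]
    if proto == "UDP" and dport == 137:
        # Name service: a Windows host doing a reverse name lookup of a client; routine noise
        return "nbns-name-query"
    if (proto == "UDP" and dport == 138) or (proto == "TCP" and dport == 139):
        # Session/datagram service carries file and print sharing; never expose it to the Internet
        return "netbios-session-attempt"
    if proto == "TCP" and dport == 80:
        # Inbound HTTP from a web server you just visited is the Nimda pattern worth checking
        return "inbound-http"
    return "other"

def triage(log_text):
    # Summarise a log as {source_ip: {label: count}}, skipping unparseable and non-input lines
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and classify(rec) != "ignore":
            summary[rec["src"]][classify(rec)] += 1
    return {src: dict(counts) for src, counts in summary.items()}
```

On the sample above, `triage(SAMPLE_LOG)` reports two name queries, one session attempt and one inbound HTTP connection from 216.247.239.48; only the last two would need a closer look.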

