
View Full Version : What sort of attack would this be?


David Jones
December 5th 03, 07:41 PM
>-----Original Message-----
>A little off topic. It seems someone is utilising the RAW sockets
>facility.

Doubtful, and even if they were, it's not that big a
problem.



>My router is frequently logging the following:
> 25/04/2003 23:17:37.898 - 81.97.98.114 : 1026 >>> 81.97.98.144 : 137
>
>In a nutshell, someone on the Internet is spoofing the source
>address, but that address is the same as the destination.

Nope. Look carefully. .98.114 is sending to .98.144
(that's FOURFOUR).

Port 137 has to do with resolving NetBIOS names.
Essentially, the .114 machine is trying to resolve a
NetBIOS name by sending a packet to the .144 machine.
Without knowing what the .114 box is and what is running
on it, I couldn't tell you what exactly, and it may or
may not be malicious.

>
>As it's hitting a router that's not forwarding any ports, I'm not
>concerned, but if Windows XP was to accept such a packet, what would
>happen? Would the OS's IP protocol stack get locked in an endless
>loop?

No, it's actually quite common in certain situations for
a machine to open a TCP session with itself. The OS can
handle it fine.

>
>This is very recent. As in this type of probe started yesterday.

If that .114 IP isn't on your LAN, then whoever has that
IP probably got themselves infected with the OpaServ worm
or something of that nature.
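
The check made by eye in the reply above (are source and destination really the same address, and what is the destination port) can be done mechanically over the router log. This is an added example, not part of the original post; it assumes the log format is exactly as quoted, and every sample line except the first is constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the router log format quoted in the post.
# Only the first line comes from the post; the rest are made up.
SAMPLE_LOG = """\
25/04/2003 23:17:37.898 - 81.97.98.114 : 1026 >>> 81.97.98.144 : 137
25/04/2003 23:17:39.412 - 81.97.98.114 : 1026 >>> 81.97.98.144 : 137
25/04/2003 23:18:02.007 - 192.0.2.10 : 1030 >>> 192.0.2.10 : 137
not a log line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - "
    r"(?P<src>\S+) : (?P<sport>\d+) >>> (?P<dst>\S+) : (?P<dport>\d+)$"
)
KNOWN_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram", 139: "NetBIOS session"}

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    dport = int(m["dport"])
    # same_host compares parsed addresses, not strings that merely look alike.
    return {"ts": m["ts"], "src": src, "dst": dst, "sport": int(m["sport"]),
            "dport": dport, "service": KNOWN_PORTS.get(dport, "unknown"),
            "same_host": src == dst}

def summarize(log_text):
    """Count events per (src, dst, dport) and list entries where src == dst."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    counts = Counter((str(e["src"]), str(e["dst"]), e["dport"]) for e in events)
    same = [e for e in events if e["same_host"]]
    return counts, same

if __name__ == "__main__":
    counts, same = summarize(SAMPLE_LOG)
    for (src, dst, dport), n in counts.items():
        print(f"{src} -> {dst}:{dport} ({KNOWN_PORTS.get(dport, 'unknown')}) x{n}")
    print("entries with identical source and destination:", len(same))
```
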
