We've seen a lot! of this, thousands of matches per hour when we put in an acl. We were under Ddos some time ago and all the requests were on port 137. A simple filter on netbios-ns on my upstream fixed it but its uggly. ----- Original Message ----- From: "Joe" <joej@rocknyou.com> To: <nanog@merit.edu> Sent: Saturday, October 26, 2002 5:24 PM Subject: Odd behavior
Anyone noticing an increase in the amount of port 137 scans? I've seen just just over 100 in the last 1 hour. When I probe the offender I see them as MS items with their Harddrives shared wide open. Only thing in common is they all appear to have some file called put.ini
in
their root directory with a line that looks to be from a win.ini and states brasil.pif or exe. Maybe some new virus? Well heads up.
Cheers -Joe