Does anyone know what this log entry indicates? What service running on a WinNT server would send out a UDP packet with source port 137 and destination port 1? (I was unable to get any clarity from Google...)

---------
May 27 11:01:47 ykrgw kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth1 SRC=192.168.3.3 DST=166.84.151.198 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=37008 PROTO=UDP SPT=137 DPT=1 LEN=64
----------

Thanks in advance.

Jim Werkowski
jwerkowski@attglobal.net

Hi Jim,

Port 137/udp is definitely NETBIOS Name Service. But a destination port of 1 is interesting. If it happens regularly I would try to catch it with Ethereal and see what's inside.

HTH,
Alex

On Friday 27 May 2005 17:53, James Werkowski wrote:
> Does anyone know what this log entry indicates? What service running on a
> WinNT server would send out a UDP packet with source port 137 and
> destination port 1? (I was unable to get any clarity from Google...)
> ---------
> May 27 11:01:47 ykrgw kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth1
> SRC=192.168.3.3 DST=166.84.151.198 LEN=84 TOS=0x00 PREC=0x00 TTL=127
> ID=37008 PROTO=UDP SPT=137 DPT=1 LEN=64
> ----------
>
> Thanks in advance.
>
> Jim Werkowski
> jwerkowski@attglobal.net

Does anyone know what this log entry indicates? What service running on a WinNT server would send out a UDP packet with source port 137 and destination port 1? (I was unable to get any clarity from Google...)

---------
May 27 11:01:47 ykrgw kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth1 SRC=192.168.3.3 DST=166.84.151.198 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=37008 PROTO=UDP SPT=137 DPT=1 LEN=64
----------

Thanks in advance.

Jim Werkowski
jwerkowski@attglobal.net

====================================

Google is your friend... this is probably Sockets des Troie, the old Trojan for ICQ.

2005/5/27, James Werkowski <jwerkowski@attglobal.net>:
> Does anyone know what this log entry indicates? What service running on a
> WinNT server would send out a UDP packet with source port 137 and
> destination port 1? (I was unable to get any clarity from Google...)
> ---------
> May 27 11:01:47 ykrgw kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth1
> SRC=192.168.3.3 DST=166.84.151.198 LEN=84 TOS=0x00 PREC=0x00 TTL=127
> ID=37008 PROTO=UDP SPT=137 DPT=1 LEN=64
> ----------

137 is NetBIOS traffic. The "app" using DPT=1 seems to be a trojan horse.
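
An added example, not code from any poster in this thread: it parses Shorewall log lines like the one quoted above and lists local hosts that sent UDP from source port 137 (NetBIOS Name Service) to a public address, which helps show whether the event recurs and from which machines. The function names are hypothetical, and the second and third sample lines are constructed for contrast.

```python
import ipaddress
import re

# First line is the entry from the thread; the other two are constructed.
SAMPLE_LOG = """\
May 27 11:01:47 ykrgw kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth1 SRC=192.168.3.3 DST=166.84.151.198 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=37008 PROTO=UDP SPT=137 DPT=1 LEN=64
May 27 11:02:10 ykrgw kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth1 SRC=192.168.3.7 DST=192.168.3.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=511 PROTO=UDP SPT=137 DPT=137 LEN=58
May 27 11:03:02 ykrgw kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.4 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=4242 DF PROTO=TCP SPT=4021 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# Shorewall's log prefix is "Shorewall:<chain>:<action>:" followed by netfilter fields.
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")

def parse_line(line):
    """Return a dict of the netfilter fields in one Shorewall log line, or None."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m["chain"], "action": m["action"]}
    for token in m["rest"].split():
        key, sep, value = token.partition("=")
        # LEN appears twice (IP length, then UDP length); keep the first.
        if sep and key not in rec:
            rec[key] = value
    return rec

def nbns_leaving_lan(rec):
    """True for UDP from source port 137 on a private host to a public address."""
    if not rec or rec.get("PROTO") != "UDP" or rec.get("SPT") != "137":
        return False
    src = ipaddress.ip_address(rec["SRC"])
    dst = ipaddress.ip_address(rec["DST"])
    return src.is_private and dst.is_global

def triage(log_text):
    """Return (SRC, DST, DPT) for every log line that matches nbns_leaving_lan."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if nbns_leaving_lan(rec):
            hits.append((rec["SRC"], rec["DST"], int(rec["DPT"])))
    return hits

if __name__ == "__main__":
    for src, dst, dpt in triage(SAMPLE_LOG):
        print(f"{src} sent UDP from port 137 to {dst} port {dpt}")
```

Run against the real syslog file, a host that shows up repeatedly is the one to put a packet capture on, as suggested earlier in the thread.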