Opaserv

After our DSL went down, the neighbor hooked us up with a wireless connection to the Internet through his Linksys BEFSR41 router. The performance was awful, with dropped SSH connections, incomplete web pages and all sorts of other badness while his computer was on. Repeated Google searches for dropped sessions turned up stuff from years ago, but the consensus was that any router firmware problems had been solved years ago.
I went over to visit and noticed that the light for his port was constantly blinking. Since the Linksys is a switch, I had no way to easily test what was coming out of his machine with tcpdump. A systematic shutdown of the applications on his machine and tinkering with his firewall didn't seem to have any positive effect. I figured it was his computer trying to be a domain master or something and didn't worry about it.
On January 4, 2003 I finally had the chance to set up logging services on the router, and pointed the SNMP traffic to the Linksys logger application on my Windows 98 desktop. It was immediately swamped with traffic and locked up, so I installed snmptrapd on my Debian laptop and sent the traffic there. Immediately I was pegged with SNMP messages, and saw a huge combination of connections to various machines on ports 137 and 41170.
At first I just figured it was his Blubster application sharing out files, but a quick visit to the Blubster page showed that it only used 41170, and had nothing to do with a Windows file share port. The traffic to the 137 machines was pretty random, but when I trimmed the destination IP addresses from syslog and sorted them, there were over 143 distinct subnets that had been completely scanned. This was no random program, and it was making 3-4 connections per second.
I wrote him on January 5, 2003 and asked if he had recently run a virus scan, and he said that he had just run a scan after Norton Anti-Virus LiveUpdate for the latest profiles. He invited me over and I sat down at his workstation to figure out what could be going on. A couple dozen Google searches later, using various combinations of udp 137 and scanning worm, I found the Opaserv information page at F-Secure's web site, which detailed the exact symptoms of port 137 subnet scanning and share-level password exploit we were seeing.
For some reason, the virus scan wasn't showing anything, so we downloaded the disinfection tool, found three copies of the virus that other scanners had missed, and all the outgoing traffic stopped. Problem solved.
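The trim-and-sort step from the syslog investigation above, as an added example that is not part of the original post or of any Linksys tool: a shell filter that reads outbound-connection log lines and lists each /24 that was swept host by host on udp/137, which is what separates the worm's scanning from Blubster traffic on 41170 and from an ordinary single NetBIOS lookup. The log line layout, the sample addresses and the 200-host threshold are constructed assumptions.

```sh
#!/bin/sh
# Constructed sample of outbound-connection log lines in an assumed
# "<src>:<port> -> <dst-ip>:<dst-port> <proto>" layout; the real
# Linksys/snmptrapd output looks different.
make_sample_log() {
  awk 'BEGIN {
    # a few Blubster (41170) sessions: normal file-sharing traffic
    print "Jan  4 10:00:01 router out 192.168.1.102:1027 -> 64.12.3.9:41170 tcp"
    print "Jan  4 10:00:02 router out 192.168.1.102:1028 -> 24.8.1.77:41170 tcp"
    # one ordinary NetBIOS name lookup to a single host
    print "Jan  4 10:00:03 router out 192.168.1.102:137 -> 192.168.1.1:137 udp"
    # three /24s probed host by host on udp/137: the subnet-scan pattern
    split("10.4.7 10.4.8 172.16.9", nets, " ")
    for (i = 1; i <= 3; i++)
      for (h = 1; h <= 254; h++)
        print "Jan  4 10:00:04 router out 192.168.1.102:137 -> " nets[i] "." h ":137 udp"
  }'
}

# Read log lines on stdin; print each /24 that received udp/137 probes to at
# least THRESHOLD distinct hosts (default 200), followed by the host count.
scanned_subnets() {
  threshold="${1:-200}"
  awk -v t="$threshold" '
    $NF == "udp" {
      split($(NF-1), d, ":")             # "10.4.7.1:137" -> ip, port
      if (d[2] != "137") next
      n = split(d[1], o, ".")
      if (n != 4) next
      net = o[1] "." o[2] "." o[3]       # collapse destination to its /24
      if (!((net, d[1]) in seen)) { seen[net, d[1]] = 1; hosts[net]++ }
    }
    END { for (net in hosts) if (hosts[net] >= t) print net, hosts[net] }
  ' | sort
}

# Number of distinct /24s touched on udp/137 at all, scanned or not.
subnets_touched() {
  scanned_subnets 1 | wc -l | tr -d ' '
}

make_sample_log | scanned_subnets
```

Feeding real syslog output through the same filter with a lower threshold shows partially swept subnets as well; the port and field positions need adjusting to whatever format the router actually logs.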
Unless noted, all content on epistolary.org is © Copyright 1999-2008 to Rob Carlson with all rights reserved. All information is verified when possible, cited as appropriate and applied in the real world at your own risk.
Send all feedback to rob@vees.net.