Getting SLAMMED with TCP 137 probes....new nastyware out there? - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 17 of 17

Thread: Getting SLAMMED with TCP 137 probes....new nastyware out there?

  1. #11
    Originally posted here by slarty
    Are you sure they're not replies to packets your Windoze machine sends out?

    Does your windoze box send DNS requests originating from 137?

    Or is your box sending its own NETBIOS-NS requests and recieving responses from them?

    Do you have the contents of a few packets you could share with us?
    The slamming continues.....here's my incoming log:

    64.246.79.243 137
    218.64.91.173 137
    130.37.56.127 137
    209.202.101.214 137
    210.230.112.187 137
    63.136.112.231 137
    218.77.226.141 137
    61.0.208.5 137
    210.94.46.141 137
    203.229.163.4 137
    200.168.132.44 137
    200.170.244.101 137
    80.105.217.198 137
    200.82.170.213 137
    216.147.137.64 137
    211.191.41.226 137
    200.35.100.80 137
    62.175.156.207 137
    151.24.217.33 137
    64.170.52.138 137
    80.6.125.129 137
    206.28.189.39 137
    200.204.179.6 137
    200.228.81.73 137
    206.49.32.178 137
    64.173.8.229 137
    62.11.19.181 137
    193.194.184.71 137
    218.232.248.51 137
    212.145.131.33 137
    148.244.164.31 137
    61.130.126.76 137
    212.175.169.249 137
    212.253.186.194 137
    151.24.19.153 137
    81.112.48.123 137
    61.75.47.2 137
    213.176.191.138 137
    200.72.214.10 137
    200.151.152.200 137
    210.91.161.87 137
    62.83.123.215 137
    193.133.125.109 137
    64.32.122.138 137
    61.60.158.229 137
    217.53.4.187 137
    61.11.52.74 137
    193.225.172.158 137
    218.144.133.34 137
    61.77.191.45 137
    213.81.218.11 137
    61.140.50.8 137
    211.221.88.95 137
    61.82.102.72 137
    195.132.22.75 137
    61.229.90.231 137
    200.253.200.27 137
    203.232.233.88 137
    211.91.111.84 137
    219.93.229.118 137
    200.167.225.51 137
    200.253.188.66 137
    80.25.28.206 137
    213.46.28.70 137
    194.90.152.84 137
    217.58.55.145 137
    218.86.175.137 137
    62.174.164.167 137
    63.84.237.174 137
    213.22.235.160 137


    There are no requests for port 137 going out either.....must be a worm out there

  2. #12
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001
    Posts
    852
    Originally posted here by Deranger187
    Personally, my firewall is set up to block certain ports, and 137 - 139 is one of them, I usually block TCP and UDP if posible. You might wanna do same, that way you wont have to worry about it. If my memory serves me right 139 is like a finger...info look up. All you IRC people might know what finger cmd is.

    Actually, just to clarify, ports 137-139 are used for NetBIOS, not Finger....
    - Maverick

  3. #13
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Ratman...look at the web site I mentioned...You will see that over 50% of the scans in North America are currently on port 137...and they have largely been attributed to bugbear. Would be a very good thing to block udp 137, udp 138, tcp 139 (netbios), and udp/tcp 445 (win2k netbios) at your router/firewall. Those protocols are so inherently insecure that you shouldn't be allowing the outside world to connect in to them...

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #14
    Senior Member
    Join Date
    Apr 2002
    Posts
    366
    Thanks for all the suggestions here, I looked at my logs as soon as I read Ratman's post and found that I am being bombarded on port 137 too. I noticed it yesterday but didn't have time to do anything with it.

  5. #15
    Junior Member
    Join Date
    Sep 2002
    Posts
    14
    Also people probe those ports. If open they can gather your account name's/ simple passwords and shares on your pc remotely. There is many tools that do it. You can use a program via DOS called NBTdump to check if your system spits out any information.

    Usually if your running a firewall nothing will be sent by (based on my experience, have you.)

  6. #16
    Junior Member
    Join Date
    Oct 2002
    Posts
    1

    Question about Port Attacks

    This is a stupid question but I was reading where some of the members are having 137 port attacks/scans... So I checked my firewall (Zone Alarm).... In a matter of about 3 hours I have had 4000 attempted attacks.... I am trying to understand ports and what all the acronyms mean that go along with computer speech.... What does Source DNS mean? And how do I block mt NetBios ports and anyother port for that matter... I have checked around and even asked some people who "say" they know about computers but so far no luck.....
    Thanks,

  7. #17
    Senior Member
    Join Date
    Jun 2002
    Posts
    405
    Dreamer:

    Source DNS in ZoneAlarm is just the name of the computer which attempted to connect to your computer on that port (can be resolved to and from IP addresses). To block your netbios ports and any other ports, get a firewall like Tiny or Kerio. All you have to do then is create a rule that doesn't let any connections in on ports 137-139 for netbios blocking. And you can block any other ports you like as well. The best thing about these firewalls is you have far more control over what goes on. ZoneAlarm is probably blocking your netbios ports anyway, but Tiny/Kerio are great for learning more about ports etc.

    good luck

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides