-
November 6th, 2002, 04:30 PM
#11
Originally posted here by slarty
Are you sure they're not replies to packets your Windoze machine sends out?
Does your windoze box send DNS requests originating from 137?
Or is your box sending its own NETBIOS-NS requests and receiving responses from them?
Do you have the contents of a few packets you could share with us?
The slamming continues.....here's my incoming log:
There are no requests for port 137 going out either.....must be a worm out there
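The check slarty asks for above (are the inbound port 137 packets replies to something the local machine sent, or unsolicited probes?), written out as an added example that is not part of any post in this thread. The log format, the 30-second reply window and every address are constructed for illustration.

```python
# Added example: classify inbound NetBIOS-port traffic as reply vs. unsolicited.
# Log format (constructed): <epoch> <IN|OUT> <proto> <src_ip:port> <dst_ip:port>
from collections import Counter

NETBIOS_PORTS = {137, 138, 139, 445}
REPLY_WINDOW = 30  # seconds during which an outbound request explains an inbound packet

# Constructed sample: 192.0.2.10 is the local host, all other addresses are remote.
SAMPLE_LOG = """\
1000 OUT UDP 192.0.2.10:137 198.51.100.7:137
1001 IN UDP 198.51.100.7:137 192.0.2.10:137
1005 IN UDP 203.0.113.21:1026 192.0.2.10:137
1006 IN UDP 203.0.113.22:137 192.0.2.10:137
1007 IN UDP 203.0.113.21:1026 192.0.2.10:137
1040 IN UDP 198.51.100.7:137 192.0.2.10:137
1041 IN TCP 203.0.113.30:4312 192.0.2.10:80
"""

def parse(line):
    """Split one log line into typed fields."""
    ts, direction, proto, src, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return int(ts), direction, proto, src_ip, int(src_port), dst_ip, int(dst_port)

def classify(log_text, window=REPLY_WINDOW):
    """Return (replies, unsolicited): per-source counts of inbound NetBIOS-port packets."""
    last_out = {}  # (proto, local_port, remote_ip, remote_port) -> time of last request
    replies, unsolicited = Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, direction, proto, sip, sport, dip, dport = parse(line)
        if direction == "OUT":
            last_out[(proto, sport, dip, dport)] = ts
            continue
        if dport not in NETBIOS_PORTS:
            continue  # inbound traffic to other ports is out of scope here
        sent = last_out.get((proto, dport, sip, sport))
        if sent is not None and 0 <= ts - sent <= window:
            replies[sip] += 1       # matches a recent request from this host
        else:
            unsolicited[sip] += 1   # nothing outbound explains this packet
    return replies, unsolicited

if __name__ == "__main__":
    replies, unsolicited = classify(SAMPLE_LOG)
    print("replies:", dict(replies))
    print("unsolicited:", dict(unsolicited))
```

A log with no outbound port 137 entries at all, as described in the post above, puts every inbound packet in the unsolicited count.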
-
November 6th, 2002, 05:25 PM
#12
Originally posted here by Deranger187
Personally, my firewall is set up to block certain ports, and 137 - 139 is one of them, I usually block TCP and UDP if possible. You might wanna do same, that way you won't have to worry about it. If my memory serves me right 139 is like a finger...info look up. All you IRC people might know what finger cmd is.
Actually, just to clarify, ports 137-139 are used for NetBIOS, not Finger....
-
November 6th, 2002, 06:14 PM
#13
Ratman...look at the web site I mentioned...You will see that over 50% of the scans in North America are currently on port 137...and they have largely been attributed to bugbear. Would be a very good thing to block udp 137, udp 138, tcp 139 (netbios), and udp/tcp 445 (win2k netbios) at your router/firewall. Those protocols are so inherently insecure that you shouldn't be allowing the outside world to connect in to them...
/nebulus
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
November 6th, 2002, 08:26 PM
#14
Thanks for all the suggestions here, I looked at my logs as soon as I read Ratman's post and found that I am being bombarded on port 137 too. I noticed it yesterday but didn't have time to do anything with it.
-
November 8th, 2002, 05:57 AM
#15
Junior Member
Also people probe those ports. If open they can gather your account names / simple passwords and shares on your pc remotely. There are many tools that do it. You can use a program via DOS called NBTdump to check if your system spits out any information.
Usually if you're running a firewall nothing will be sent by (based on my experience, have you.)
-
November 8th, 2002, 07:30 AM
#16
Junior Member
Question about Port Attacks
This is a stupid question but I was reading where some of the members are having 137 port attacks/scans... So I checked my firewall (Zone Alarm).... In a matter of about 3 hours I have had 4000 attempted attacks.... I am trying to understand ports and what all the acronyms mean that go along with computer speech.... What does Source DNS mean? And how do I block my NetBios ports and any other port for that matter... I have checked around and even asked some people who "say" they know about computers but so far no luck.....
Thanks,
-
November 8th, 2002, 07:46 AM
#17
Dreamer:
Source DNS in ZoneAlarm is just the name of the computer which attempted to connect to your computer on that port (can be resolved to and from IP addresses). To block your netbios ports and any other ports, get a firewall like Tiny or Kerio. All you have to do then is create a rule that doesn't let any connections in on ports 137-139 for netbios blocking. And you can block any other ports you like as well. The best thing about these firewalls is you have far more control over what goes on. ZoneAlarm is probably blocking your netbios ports anyway, but Tiny/Kerio are great for learning more about ports etc.
good luck