July 7th, 2003, 09:58 AM
Cannot Disable Netbios pt139
I've searched through some of the existing threads and couldn't find the info I need and it's essential I figure this out as soon as possible. But before I describe my problem, I just want to say that this is an AWESOME community based on what I've read so far and as a new member, I can foresee that I will be enjoying these forums immensely. Also, my profound apologies if I am posting this issue under the wrong forum.
Okay, I have disabled netbios on my win2kpro machine in "network control panel > lan > properties > tcp/ip > advanced > wins" and also in "services", however when I run a netstat -a I'm showing all kinds of open ports and I know that two of them (139 and 137) are ports I do not want open. 139 is listening and I can't figure out how to close it down. I ran antiyports.exe and found that the process mapped to it is "system" but even while logged on as administrator I'm unable to end that process in task manager (didn't think it would work, but tried it). I've also completely uninstalled the file and print sharing protocol, though it was disabled since install.
I'm afraid my system has been somehow compromised despite running zone alarm pro (fully updated) and NAV. I have been unable to successfully run a full system scan with NAV, however I did go to symantec's site and ran their web-version. It came back clean as well as an AVG scan I performed. The problem when I run NAV is that it gets to 99% and hangs every time. I reinstalled it and ran live update but still it fails to complete a full system scan. It seemed to keep hanging on a file in the windows media player directory so I completely uninstalled that component and its associated update to version 9, but now it still hangs on different files.
If I have to fdisk and reinstall from backups I will, but my PGP key was in a folder on the local drive and even though it was encrypted with win2k's built-in encryption utility I'm afraid that someone may have lifted it. I had removed the win2k encryption recovery key, but stupidly put it back on my system temporarily in a different directory so I could back it up to cd and never wiped it.
I'm sorry for the long-winded post but I really need help figuring out if I've been pillaged or if this might just be some kind of anomaly. I can paste in a copy of my netstat results if it might help anyone.
Thanks a 11110100001001000000 for _any_ help!
July 7th, 2003, 10:15 AM
**Moved thread from Firewall & Honeypots to Microsoft Security**
July 7th, 2003, 10:20 AM
If you shut the netbios in the IP stack W2K will continue to listen on NetBios. (Not sure why that is).
Try the following, that should help:
- Right click on 'My Computer > Properties > Hardware > Device Manager'.
- Click on 'View > Show Hidden Devices'.
- Click on 'View > Devices by Connection'.
- Right click on 'NetBios over TCP/IP > Properties'
- Driver Tab > Type > Disabled.
- Click OK.
I think this is the only way to completely disable NetBios on Windows 2000.
July 7th, 2003, 04:42 PM
Why don't you just completely remove the service?
network control panel > lan > properties >
Here you should see the list of networking protocols being used. One is Netbios, just kill it!
SHARING KNOWLEDGE
July 7th, 2003, 05:00 PM
Or you could just use a firewall. But that's just a band-aid.
$person!=$kiddie or die("Alas, die you hotmail hacker!!");
July 7th, 2003, 05:13 PM
For what you're concerned with, maybe simply turning off your server service may suffice.
C:\>net stop server
The Server service is stopping.
The Server service was stopped successfully.
...and/or disabling it in Services.
This will kill hidden shares (ipc$) and will prevent many nasty things...
July 7th, 2003, 05:39 PM
On XP/2000, go into Control Panel > Network Connections > [Local Area Connection X]
Click on the General tab
Select TCP/IP, then Properties
Click the WINS tab
Click Disable NetBIOS over TCP/IP
Drop to a command prompt and type netstat -an
You will no longer see port 139 on the list
Also, stopping the CIFS service, which is 445, is suggested. This has been addressed by someone else though. I will add that you should disable both of these to achieve the desired results as CIFS can be used in the same fashion as NetBIOS.
Hope this helps.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
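The verification step in the post above (run netstat -an and confirm that 139, and also 445, are gone), as an added example that is not part of the original thread. It parses Windows `netstat -an` output and lists any NetBIOS or SMB ports still listening; the function names and the sample output are constructed for illustration.

```python
import re

# Ports the thread is concerned with: NetBIOS (137-139) and SMB over TCP / CIFS (445).
WATCHED = {137: "NetBIOS name service", 138: "NetBIOS datagram",
           139: "NetBIOS session", 445: "SMB over TCP (CIFS)"}

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

# Proto, local address, local port, foreign address, optional state (UDP has none).
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def open_watched_ports(netstat_text):
    """Return sorted (proto, port, local_addr) tuples for watched ports that are
    listening (TCP in LISTENING state) or bound (UDP, which has no state column)."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner, header or blank line
        proto, addr, port, _foreign, state = m.groups()
        port = int(port)
        if port not in WATCHED:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue  # an established session is not a listener
        found.add((proto, port, addr))
    return sorted(found)

def report(netstat_text):
    """One human-readable line per watched port that is still open."""
    return [f"{proto}/{port} open on {addr}: {WATCHED[port]}"
            for proto, port, addr in open_watched_ports(netstat_text)]

if __name__ == "__main__":
    for row in report(SAMPLE) or ["No NetBIOS/SMB listeners found"]:
        print(row)
```

Feed it the saved output of `netstat -an` before and after each change; an empty result means none of the four ports is bound on any interface.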
July 7th, 2003, 06:13 PM
You might do a simple thing that I did: make a batch file in your, or the All Users, startup dir
and use commands that delete shares like this:
net share /delete C$ /y
net share /delete D$ /y
net share /delete H$ /y
net share /delete ADMIN$ /y
net share /delete IPC$ /y
This one works for me... you might change or add more depending on how many hard disks you have; there also might be other shares like shared docs to remove...
This one is easy and does it automatically every time you start the computer...
Also, a firewall might block attacks.
July 8th, 2003, 06:57 AM
Thanks a lot everybody, the advice you all gave me was right on the dot! I'm going to help 5 people this week to put a little something back into the good karma pool
Unfortunately, when I disabled netbios completely via device manager my sorry-@55 isp wouldn't connect. Apparently it needs netbios to connect or something. I'm still in school and funds are tight, but I'll kick netzero to the curb and cut my ramen noodle rations in half to scrap up an extra $10 bucks a month for an isp that doesn't require me to leave my system wide open to hack attacks in order to get online.
Is anyone else using netzero in here? Probably not, seeing how it bites and all but I was just wondering if anybody else has found that it's necessary to run netbios to use their service. I'll be speaking with their tech people tomorrow to get a definitive answer on whether netbios actually does have to be running to connect with their lame service. I have run netstat's a million times and I like to think I would've noticed open ports 137 / 139 if they had been open. I'm thinking maybe they changed something.
Well, anyway, thanks again for all your help! This is an outstanding forum.