
Thread: firewall blocked attempt on port 139

  1. #1
    Senior Member
    Join Date
    Dec 2004
    Posts
    320

    firewall blocked attempt on port 139

    Hey all, my firewall (Zone Alarm) blocked a connection attempt on port 137 (NetBIOS if I remember correctly). Normally, I wouldn't have batted an eye, but the odd thing is that the computers on my local network were all off and it came from an external IP (the Internet). Is this a worm, or what? I am not serving anything off any of my home computers so I don't know why an external IP would be trying to connect on my NetBIOS port.

    The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare

  2. #2
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    Well, what is more weird is if you are behind a router. Traffic should not be let through to your computer on port 139 if it is set up right.

    But I wouldn't worry too much about it.

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Not too clear about your system, but if you are connected to the internet then you will get these probes... they are bots/infected machines running automatic scans of IP address ranges mostly.

    Over here I get quite a lot of them, they used to mostly come from machines on my ISP sub-net. It could also be some skiddie messing around, but the chances of finding you would be pretty remote I would have thought.

    At the end of the day it is not the ones your firewall blocks that matter... it is the ones it doesn't.

  4. #4
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    It has been asked - somehow : What is your LAN setup? It looks like you have one
    machine acting as "gateway" for the other boxes.
    Then, it is explainable that you receive 137 attempts from outside on that machine.
    I also bet, the source was one machine within the subnet of your ISP you are in.

    Otherwise: Configure your router properly, which means in short:
    Disallow any incoming traffic except for servers possibly running within your network.


    What is a request on [UDP] 137? (as mentioned in your post, disregarding the title)

    This might be a WINS broadcast request, with high probability. WINS is an older way for
    NetBIOS name resolution and is sent by default from a lot of Windows machines.
    Often, it is nothing to worry about (but I have already proven in earlier posts that I am not
    paranoid enough).

    If it is incoming traffic on Port 139, then it might be some attempt, as mentioned by
    nihil. First, make sure that such packages are dropped at your firewall, second, and
    in any case, patch your machines.

    Cheers
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  5. #5
    Junior Member
    Join Date
    Dec 2002
    Posts
    3

    Re: firewall blocked attempt on port 139

    Originally posted here by dmorgan
    Hey all, my firewall (Zone Alarm) blocked a connection attempt on port 137 (NetBIOS if I remember correctly). Normally, I wouldn't have batted an eye, but the odd thing is that the computers on my local network were all off and it came from an external IP (the Internet). Is this a worm, or what? I am not serving anything off any of my home computers so I don't know why an external IP would be trying to connect on my NetBIOS port.
    Are you sure it isn't just an attempted pop up spam? I read somewhere that sometimes they connect on alternate ports etc.
    none

  6. #6
    Senior Member
    Join Date
    Dec 2004
    Posts
    320
    The thing is, on my network, I got this; DSL Modem --> little linksys switch --> 2 computers (1 Linux) (1 win XP). Now all my network traffic is DHCP, starting at 192.168.0.2 (192.168.0.1 is my DSL Modem). This incoming (UDP) on port 137 was from 66.***.***.*** or 88.***.***.*** It was 137, I was mistaken in saying 139. Anyways thanks guys.
    The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare

  7. #7
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Are you sure that 'little linksys switch' is *just* a switch? Depending on the DSL modem you have, you could be wide-open to internet traffic (except as filtered by your ISP). I don't know a LOT about DSL, having used it briefly, but I know most of the cable modems I've used don't really filter anything.

    You might consider putting a second NIC in the Linux box and running IPTables, dhcpd, etc. ...using it as a router/firewall. There are some good howto's on this...I did it for years before buying a Router/Switch/Firewall appliance thing-a-ma-jig.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

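An added example, not part of any poster's message or configuration: a sketch of the Linux router/firewall suggested in post #7, written as a shell function that prints an iptables-restore ruleset for a two-NIC gateway. The function name gateway_rules and the interface names eth0 (WAN) and eth1 (LAN) are assumptions; 192.168.0.0/24 matches the LAN addressing given in post #6.

```shell
#!/bin/sh
# gateway_rules WAN_IF LAN_IF LAN_CIDR  (hypothetical helper, added example)
# Prints an iptables-restore ruleset for a two-NIC Linux gateway.
# Nothing is applied here; review the output, then load it as root, e.g.
#   gateway_rules eth0 eth1 192.168.0.0/24 | iptables-restore --test
# Routing between the NICs also needs net.ipv4.ip_forward=1.
gateway_rules() {
    [ "$#" -eq 3 ] || { echo "usage: gateway_rules WAN_IF LAN_IF LAN_CIDR" >&2; return 2; }
    wan=$1 lan=$2 net=$3
    case $net in
        */*) ;;
        *) echo "LAN network must be CIDR, e.g. 192.168.0.0/24" >&2; return 2 ;;
    esac
    cat <<EOF
*filter
# Default deny for traffic to the gateway and through it.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# NetBIOS/SMB from the Internet side: log at a limited rate, then drop.
# The DROP policy would catch these anyway; explicit rules make them visible.
-A INPUT -i $wan -p udp -m multiport --dports 137,138 -m limit --limit 6/min -j LOG --log-prefix "netbios-probe "
-A INPUT -i $wan -p udp -m multiport --dports 137,138 -j DROP
-A INPUT -i $wan -p tcp -m multiport --dports 139,445 -j DROP
# The LAN may talk to the gateway itself (DHCP, DNS, SSH).
-A INPUT -i $lan -s $net -j ACCEPT
# Forward only LAN-initiated traffic and the replies to it.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# Hide the private LAN behind the gateway's WAN address.
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
EOF
}

# Stand-alone use: sh gateway.sh eth0 eth1 192.168.0.0/24
if [ "$#" -gt 0 ]; then gateway_rules "$@"; fi
```
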
  8. #8
    Senior Member
    Join Date
    Oct 2004
    Posts
    122
    Originally posted here by nihil
    Not too clear about your system, but if you are connected to the internet then you will get these probes... they are bots/infected machines running automatic scans of IP address ranges mostly.

    Over here I get quite a lot of them, they used to mostly come from machines on my ISP sub-net. It could also be some skiddie messing around, but the chances of finding you would be pretty remote I would have thought.

    At the end of the day it is not the ones your firewall blocks that matter... it is the ones it doesn't.
    Hi nihil,

    I guess I have a question for you...
    Some days back I was looking at my firewall daily logs and I noticed a weird thing: a web site (don't want to give out the name, it was a Pakistani web site) trying to connect on a particular port on my machine (sorry, I don't remember the port number).

    Then some days later another weird incident: a particular IP address tried to connect to a particular port on my system.
    That IP address was from somewhere in Amsterdam.
    Now the most important part of this is that my system is connected to the internet through a proxy server (which basically means that it is an illegal connection).
    I am not sure what they were trying to do, especially that web site.

    Any idea?
    nobody is perfect i am nobody

  9. #9
    Junior Member
    Join Date
    Nov 2003
    Posts
    12
    (Which basically means that it is an illegal connection)... why would connecting through a proxy be illegal?
    jazz is a state of mind...

  10. #10
    Greetings

    I agree with nihil, they are nothing but probes, but anyway if you want to be extra secure you can right click on these IPs (in the logs section of ZoneAlarm firewall) and add them to the "untrusted zone". This will help because ZoneAlarm will not let your computer communicate with that IP address.


    Reply to littlenick's post:

    If you can, you should give us at least the detail of the port at which these websites were trying to connect to; it might help us get a more precise reply. Also including your operating system and the firewall you use should help.


    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.
