Security Basics mailing list archives

Re: Listener on ports 137, 138, 139


From: "Rune Berntzen" <rbern8 () online no>
Date: Thu, 17 Oct 2002 11:29:53 +0200

I guess the trace to BLACKHOLE-1.IANA.ORG confused me here.
For more info on this, check out www.iana.org.

I also did a security check (the Symantec online check) on the assigned IP
address, and it passed with colours.

I will disable the Client for Microsoft Networks and see how it goes.

Thanks a lot for your help.

Rune

----- Original Message -----
From: "Scott Fendley" <scottf () uark edu>
To: "Rune Berntzen" <rbern8 () online no>; "Security Basics"
<security-basics () securityfocus com>
Sent: Thursday, October 17, 2002 1:04 AM
Subject: Re: Listener on ports 137, 138, 139


I will take a crack at this one.   These port numbers are used by
Microsoft's net-bios protocol.  This is the protocol that you are using to
map drives between workstations among other uses.

The address in question is in a reserved address space that the MS TCP/IP
stack uses until a DHCP/bootp response has been received.

So all of this is normal operating environment on your Windows
PC.  Personally, if you do not find the need to map drives or browse the
Microsoft Network, I would drop the Client for Microsoft Networks and the
Netbeui/netbios capabilities on your computer.  If you must map drives,
then I would set your firewall software to reject netbios traffic except
from a particular IP or IP block.  This will minimize your exposure to the
outside world.

Hopefully, I haven't lost you in my response too much.  If you have more
questions about this above, I will try to assist you as much as I can.

Scott

At 07:27 PM 10/15/2002 +0200, Rune Berntzen wrote:
Hi all,

When checking port activity using TCPView I notice that I have a
listener on ports 137, 138 and 139.
The Local Address seems to be from a Class B network, 169.254.0.0,
which I trace to something called

BLACKHOLE-1.IANA.ORG

using SmartWhois.

The funny thing is that the LISTENING entries are visible in TCPView
even before I connect to my ADSL provider.

Does anybody have an idea about what this can be?

BTW, I am running Norton Internet Security 2001 with updated virus
definitions.

Thanks in advance,
Rune

---
Scott Fendley                           scottf () uark edu
Systems/Security Analyst                (479) 575-2022
University of Arkansas                  (479) 575-4753 fax
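
The check discussed in this thread, as an added example that is not from any of the posters: a Python sketch that picks the NetBIOS listeners (137, 138, 139) out of `netstat -an`-style output and labels the bound address, including the 169.254.0.0/16 link-local range seen before a DHCP lease arrives. The function names are hypothetical and the sample rows and addresses are constructed.

```python
import ipaddress

# NetBIOS over TCP/IP services keyed by (protocol, port).
NETBIOS = {
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session service",
}

# Constructed sample in `netstat -an` layout; all addresses are made up.
SAMPLE = """\
  TCP    169.254.10.20:139      0.0.0.0:0              LISTENING
  UDP    169.254.10.20:137      *:*
  UDP    169.254.10.20:138      *:*
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.15:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.15:1042        198.51.100.7:80        ESTABLISHED
"""

def classify_scope(addr):
    """Label the local bind address of a listener."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_unspecified:
        return "all interfaces"
    if ip.is_link_local:
        return "link-local"  # 169.254.0.0/16: self-assigned, no DHCP lease
    return "assigned address"

def netbios_listeners(netstat_text):
    """Return (proto, port, addr, service, scope) for each NetBIOS listener."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; UDP rows have none.
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        service = NETBIOS.get((proto, int(port)))
        if service:
            findings.append((proto, int(port), addr, service, classify_scope(addr)))
    return findings

if __name__ == "__main__":
    for proto, port, addr, service, scope in netbios_listeners(SAMPLE):
        print(f"{proto}/{port:<4} {addr:<15} {service:<26} {scope}")
```

A listener labelled "assigned address" or "all interfaces" is the case where the firewall restriction suggested in the reply matters; the link-local entries are the pre-DHCP state described there.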
