Re: Listener on ports 137, 138, 139 Not something to worry about ??

["Marc R. Braun" <marc.braun () gmx net>]

This can be def. something to worry about. It only depends on the 
network interface they are bound to. First of all saying it's harmless 
except for ... is very dangerous with these services. The correct way to 
give an advice here surely is they can wreck havock unless...
The unless here is the network interface they are bound to. Generally 
speaking i agree that they
are mostly harmless on your internal network but even this depends on a 
few factors.
However if bound to your external interface this is def. something to 
worry about. Make sure
they are not connected to that one. How to disable them for a specific 
nic depends on your
operating system. If you are unsure there's a little test scanner 
running at grc.com which does
a portscan for certain services. Beware that this scan is only of 
limited general use but it
does detect NetBios sessions.
A little note about NetBios: There're tons of scanner out there hunting 
for misconfigured computers
that expose their windows shares to the public. this can be 
extraordinary dangerous if you are running them without your knowledge 
and even worth: probably without any authentication.
You can imagine what this can do :)


Matt wrote:

> Hello!
>
> What you are describing is not a virus or backdoor.
> These listening connections are initiated by default whenever you have
> Windows file and printer sharing installed and running. They are all a part
> of the NETBIOS protocol which is used to support file and printer sharing.
>
> They listen prior to you connecting to the ADSL, because they are set as
> listening immediately when you enter Windows.
> Port 137 is Netbios NAME, 138 is Netbios DATAGRAM, and 139 is Netbios
> SESSION, and none of them are anything to be worried about (Except, read
> below)
>
> Netbios is mostly used for local area networks and works independent to your
> ADSL (Though netbios can work over wide area networks as well).
> If you are not using file or printer sharing on your computer, then it is
> safe AND wise to turn off this service. Misconfigured file and printer
> sharing can allow anyone over the internet to access files, and do almost
> anything you can do to them if you have any folders on your computer shared,
> and many of the recent worms have done just that.
>
> Here is a helpful website on turning it off if you wish to.
>
> http://help.twspeed.com/security/pfsharingwindows.asp
>
>
> Hope this helps.
>
> -Matt
>
> ----- Original Message -----
> From: "Rune Berntzen" <rbern8 () online no>
> To: "Security Basics" <security-basics () securityfocus com>
> Sent: Tuesday, October 15, 2002 12:27 PM
> Subject: Listener on ports 137, 138, 139
>
>
>  
>
> > Hi all,
> >
> > When checking port activity using TCPView I notice that I have a =
> > listener on ports 137,138 and 139.
> > The Local Address seems  to be from a Class B network, 169.254.0.0, =
> > which I trace to something called=20
> >
> > BLACKHOLE-1.IANA.ORG
> >
> > using SmartWhois.
> >
> > The funny thing is that the LISTENING  entries are visible in TCPView =
> > even before I connect to my ADSL provider.
> >
> > Anybody has an idea about what this can be.
> >
> > BTW, I am running Norton Internet Security 2001 with updatet virus =
> > definitions.
> >
> > Thanks in advance,
> > Rune
> >    
>
>