Firewall Wizards mailing list archives
Re: Help w/ Port 137 Traffic
From: "Paul D. Robertson" <proberts () patriot net>
Date: Sun, 13 Oct 2002 08:29:26 -0400 (EDT)
On Sun, 13 Oct 2002, Mikael Olsson wrote:
Hmm. I would have thought that bugbear & co would result in port 139 (nbsession) activity.
Yep, that's probably right, but the first reference I pulled up this morning said: "Spreads via e-mail and/or network shares using port 137." http://www.ciac.org/ciac/W32_BugBear_info.html I don't know if that means (A) the 137 lookups happen prior to a 139 infection, (B) there is a 137 overflow and it's got something to do with having a share available, or (C) They're wrong. I suspect the worm does a lookup prior to an infection, but I really don't know- I don't run Windows, so I haven't played with doing NetBIOS stuff and don't know what the normal programming sequence is for enumerating shares, and as we don't let customers expose NetBIOS ports at all, this was never high on my list of things to worry about. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts () patriot net which may have no basis whatsoever in fact." probertson () trusecure com Director of Risk Assessment TruSecure Corporation _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Help w/ Port 137 Traffic Mike McCandless (Oct 13)
- Re: Help w/ Port 137 Traffic Paul D. Robertson (Oct 13)
- Re: Help w/ Port 137 Traffic Mikael Olsson (Oct 13)
- Re: Help w/ Port 137 Traffic Paul D. Robertson (Oct 13)
- Re: Help w/ Port 137 Traffic Mikael Olsson (Oct 13)
- Re: Help w/ Port 137 Traffic Paul D. Robertson (Oct 13)
- Re: Help w/ Port 137 Traffic Mikael Olsson (Oct 13)
- Re: Help w/ Port 137 Traffic Vincent Haverlant (Oct 15)
- Re: Help w/ Port 137 Traffic Mikael Olsson (Oct 13)
- Re: Help w/ Port 137 Traffic Paul D. Robertson (Oct 13)
- <Possible follow-ups>
- RE: Help w/ Port 137 Traffic Mike McCandless (Oct 13)
- RE: RE: Help w/ Port 137 Traffic Stefan Norberg (Oct 13)
- RE: RE: Help w/ Port 137 Traffic Frank Knobbe (Oct 13)
- RE: RE: Help w/ Port 137 Traffic Stefan Norberg (Oct 14)
- RE: RE: Help w/ Port 137 Traffic Stefan Norberg (Oct 13)
- Re: RE: Help w/ Port 137 Traffic R. DuFresne (Oct 13)