Security Incidents mailing list archives

Re: SMB / NetBIOS Connections


From: Bryan Andersen <bryan () visi com>
Date: Wed, 2 Aug 2000 23:33:18 -0500

"Jonathan R. Dundas" wrote:

> We see constant connection attempts to port 137 to existing hosts on our
> subnet, even though the attempts are denied.  Packets claiming to be from
> Private/reserved source addys are a significant portion of them, maybe an
> average of 1 host a day tries to connect from a private addy.  Weird.  I've
> been reading this list for about two months on and off; has this topic
> been discussed before?

Yes, port 137 activity has been discussed here before.

Also look at CERT's current activity page:
    http://www.cert.org/current/current_activity.html
It links to a couple of articles on NetBIOS activities.

As others have mentioned, there are two main types of port 137
activities.  One is the poorly set up PC doing a NetBIOS name
lookup as it's trying to download a web page.  The other is a
scan of machines looking for open shares.  On my micro subnet
I see about even activity between the two.  Almost all the port
137 accesses that I get that only hit my web server's IP# are
in conjunction with web page downloads from the same machine.
All the scans that hit all of my IP addresses have no related
web server activity.

As for what I do with them: I ignore the ones that come in
with web page downloads.  For all the rest, I notify the
ISP/Company/etc. where they come from with a relatively stock
letter warning of NetBIOS worms and pointing them to CERT.

--
|  Bryan Andersen   |   bryan () visi com   |   http://softail.visi.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |
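
The triage described in this message (port 137 hits on the web server alone that coincide with a page download, versus sweeps across several addresses with no web activity) can be run over firewall and web logs. The following is an added example, not part of the original post; the record layout, the 120-second window, the "more than one destination" threshold and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 ranges; a packet arriving from the Internet with one of these
# source addresses is spoofed or leaking from a misconfigured network.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def classify_137(fw_events, web_hits, web_server, window=120):
    """Label each source of denied port-137 traffic.

    fw_events: (epoch_seconds, src_ip, dst_ip) for denied port-137 packets
    web_hits:  (epoch_seconds, src_ip) from the web server access log
    """
    targets, times = defaultdict(set), defaultdict(list)
    for ts, src, dst in fw_events:
        targets[src].add(dst)
        times[src].append(ts)
    web_times = defaultdict(list)
    for ts, src in web_hits:
        web_times[src].append(ts)

    result = {}
    for src, dsts in targets.items():
        near_web = any(abs(t - w) <= window
                       for t in times[src] for w in web_times[src])
        if is_rfc1918(src):
            label = "private-source"
        elif dsts == {web_server} and near_web:
            label = "web-lookup"      # name lookup alongside a page fetch
        elif len(dsts) > 1 and not web_times[src]:
            label = "scan"            # swept several hosts, no web activity
        else:
            label = "unclassified"    # needs a manual look
        result[src] = label
    return result

# Constructed sample data (documentation address ranges, not real hosts).
WEB = "192.0.2.10"
FW = [(1000, "198.51.100.7", WEB),
      (2000, "203.0.113.5", "192.0.2.9"), (2001, "203.0.113.5", WEB),
      (2002, "203.0.113.5", "192.0.2.11"),
      (3000, "10.1.2.3", WEB),
      (4000, "198.51.100.99", WEB)]
HITS = [(1003, "198.51.100.7")]
LABELS = classify_137(FW, HITS, WEB)
```

Sources labelled "scan" are the ones the message says to report to the originating ISP; "private-source" entries have no reachable owner to notify.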

