Re: PORT 137

[Tim Yocum <tim () yocum org>]

Jamie,

Port 137 is part of Windows' NetBIOS service, used by Windows
machines to resolve WINS names and such.

Those entries probably are there because folks are using nbtstat
to see what's open on that machine, or they're resolving its Windows
machine name.

There's a .vbs worm about a year old that causes a lot of port 137
connections/lookups, but I'm not sure if it's still as hot now as
it was back then. If you see connections to port 139 as well as 137,
I'd be a bit more concerned as that would tend to indicate someone
is trying to access any open shares on that host.

- Tim

In previous mail, Arnold, Jamie said:
> We've seen a large amount of connection attempts to a specific machine here.
> We're using FlowData to pull this info.  Anyone have any ideas of what this
> may be?
>
> Thanks
>
> Jamie 
> > 000d 128.226.189.170  0022 66.24.217.4       11 89   89    1  
> >         78
> >     
> > 0

*snip*