Security Basics mailing list archives
RE: Listener on ports 137, 138, 139
From: <David () cawdgw net>
Date: Wed, 16 Oct 2002 21:52:12 +0200
you did not specify any details of your network, but I'm betting you are running Millennium, or XP, or win 2000 on some machine on your network, and that you have a NIC card in it. Why? 137, 138, and 139 are netbios (read windows) ports for announcing themselves to each other in shares and network neighborhood. The IP address is in the private address range which is "blackholed" or non-routable on the internet (actually, some do get routed, but that's because some ISP's don't follow the RFC's). Window Millennium, XP and Win2000 all use this address scheme for the instant network "feature" they have. if there isn't a DHCP server on the network, if you don't statically assign the network card an IP address, it assigns one randomly from this private address range. other Millennium, XP, or Win2000 boxes coming on the network the same way will announce their intention of using one of these IP's and if there isn't anyone objecting they have that IP, the machine using the one it announced. so, your windows box set it's self up with that IP, and is listening on 137, 138, and 139 for other windows machines...... easy eh? make sure your firewall is blocking those ports from and to the internet. no need to share with strangers D. Weiss MCSE -----Original Message----- From: Rune Berntzen [mailto:rbern8 () online no] Sent: Tuesday, October 15, 2002 7:27 PM To: Security Basics Subject: Listener on ports 137, 138, 139 Hi all, When checking port activity using TCPView I notice that I have a = listener on ports 137,138 and 139. The Local Address seems to be from a Class B network, 169.254.0.0, = which I trace to something called=20 BLACKHOLE-1.IANA.ORG using SmartWhois. The funny thing is that the LISTENING entries are visible in TCPView = even before I connect to my ADSL provider. Anybody has an idea about what this can be. BTW, I am running Norton Internet Security 2001 with updatet virus = definitions. Thanks in advance, Rune
Current thread:
- Listener on ports 137, 138, 139 Rune Berntzen (Oct 16)
- RE: Listener on ports 137, 138, 139 David (Oct 17)
- RE: Listener on ports 137, 138, 139 Gary Axten (Oct 17)
- Re: Listener on ports 137, 138, 139 Matt (Oct 17)
- Re: Listener on ports 137, 138, 139 Not something to worry about ?? Marc R. Braun (Oct 21)
- Re: Listener on ports 137, 138, 139 Scott Fendley (Oct 17)
- Re: Listener on ports 137, 138, 139 Rune Berntzen (Oct 17)
- Re: Listener on ports 137, 138, 139 David Corking (Oct 17)
- Re: Listener on ports 137, 138, 139 Devdas Bhagat (Oct 17)
- <Possible follow-ups>
- RE: Listener on ports 137, 138, 139 Matt Schaelling (Oct 17)
- RE: Listener on ports 137, 138, 139 Bruyere, Michel (Oct 17)