RE: Listener on ports 137, 138, 139

[<David () cawdgw net>]

you did not specify any details of your network, but I'm betting you are
running Millennium, or XP, or win 2000 on some machine on your network, and
that you have a NIC card in it.

Why? 137, 138, and 139 are netbios (read windows) ports for announcing
themselves to each other in shares and network neighborhood. The IP address
is in the private address range which is "blackholed" or non-routable on the
internet (actually, some do get routed, but that's because some ISP's don't
follow the RFC's). Window Millennium, XP and Win2000 all use this address
scheme for the instant network "feature" they have. if there isn't a DHCP
server on the network, if you don't statically assign the network card an IP
address, it assigns one randomly from this private address range. other
Millennium, XP, or Win2000 boxes coming on the network the same way will
announce their intention of using one of these IP's and if there isn't
anyone objecting they have that IP, the machine using the one it announced.

so, your windows box set it's self up with that IP, and is listening on 137,
138, and 139 for other windows machines......


easy eh?

make sure your firewall is blocking those ports from and to the internet. no
need to share with strangers

D. Weiss
MCSE

-----Original Message-----
From: Rune Berntzen [mailto:rbern8 () online no]
Sent: Tuesday, October 15, 2002 7:27 PM
To: Security Basics
Subject: Listener on ports 137, 138, 139


Hi all,

When checking port activity using TCPView I notice that I have a =
listener on ports 137,138 and 139.
The Local Address seems  to be from a Class B network, 169.254.0.0, =
which I trace to something called=20

BLACKHOLE-1.IANA.ORG

using SmartWhois.

The funny thing is that the LISTENING  entries are visible in TCPView =
even before I connect to my ADSL provider.

Anybody has an idea about what this can be.

BTW, I am running Norton Internet Security 2001 with updatet virus =
definitions.

Thanks in advance,
Rune