Security Basics mailing list archives
RE: UDP Port 137 Question
From: Darrell Porter <dporter () cpp com>
Date: Tue, 27 Jan 2004 19:13:07 -0800
Well, the real solution is to stop running Microsoft operating systems. :P

Seriously though, constant vigilance is a good start. If you maintain a baseline of the activity your servers do normally, you can more easily spot abnormalities before they cause you too much grief (or as happened to one of my colleagues, before the FBI comes knocking on your door for having a machine that continuously tried hacking them).

Darrell Porter
Director of Network Operations
CPP, Inc.
Davies-Black Publishing
http://www.cpp.com
800-624-1765

-----Original Message-----
From: JGrimshaw () ASAP com [mailto:JGrimshaw () ASAP com]
Sent: Tuesday, January 27, 2004 6:21
To: Darrell Porter
Cc: security-basics () securityfocus com
Subject: RE: UDP Port 137 Question

Thanks Darrell,

That's what I had thought (and posted my views) but the original poster ("John Smithson" <why1234 () hotmail com>) had never said what the resolution was. There were a number of replies that correlated with the NetBIOS, and others that said it may be a virus. I was just curious to see what the actual problem was.

I posted my request for a resolution to the group, as I do not seem to get all of the mailing list messages or I get them very delayed sometimes. I didn't want to miss out on it!

Darrell Porter <dporter () cpp com>
01/26/2004 09:20 PM
To "'JGrimshaw () ASAP com'" <JGrimshaw () ASAP com>
cc security-basics () securityfocus com
Subject RE: UDP Port 137 Question

http://support.microsoft.com/default.aspx?scid=kb;en-us;832017 will be most enlightening.

Computer Browser

The Computer Browser system service maintains an up-to-date list of computers on your network and supplies the list to programs that request it. The Computer Browser service is used by Windows-based computers to view network domains and resources. Computers that are designated as browsers maintain browse lists that contain all shared resources that are used on the network. Earlier versions of Windows programs, such as My Network Places, the net view command, and Windows Explorer, all require browsing capability. For example, when you open My Network Places on a computer that is running Microsoft Windows 95, a list of domains and computers appears. To display this list, the computer obtains a copy of the browse list from a computer that is designated as a browser.

System service name: Browser

Application protocol          Protocol   Ports
NetBIOS Datagram Service      UDP        138
NetBIOS Name Resolution       UDP        137
NetBIOS Name Resolution       TCP        137
NetBIOS Session Service       TCP        139

-----Original Message-----
From: JGrimshaw () ASAP com [mailto:JGrimshaw () ASAP com]
Sent: Monday, January 26, 2004 9:11
Cc: security-basics () securityfocus com
Subject: Re: UDP Port 137 Question

Hi everyone,

I am curious as to what the resolution for this was. I did not receive a message that "X" fixed it; did anyone receive one?

Gurus,

I have a couple of servers that are constantly trying to go outbound on UDP Port 137 (Nbname). The event is occurring 4-5 times per second. All outbound traffic is being dropped by my firewall. However, I am just trying to find out what the reason is.

- I have AV on the server with the latest definitions
- I have run a manual AV scan
- I have run the Welchia / Nimda / etc. removal tools
- I have run a spyware removal tool
- All of them come up clean.

The outbound addresses are, for example:

156.67.52.182 to 156.67.52.204
9.108.180.138-154
145.46.77.202-241

There are more of these network ranges (I have already done whois on all these IP ranges).

Oh yeah - the servers are Win2k with SP3 or Win2k with SP4 with the latest HF.

Please help me to isolate what I am facing. This should not be a normal traffic pattern, since only a couple of my servers are producing this traffic.

TIA
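Added example, not part of the original thread: one way to apply the baseline advice to the traffic described in the quoted question, by measuring per-host outbound UDP/137 to non-private destinations in a firewall log and comparing it with each host's normal rate. The log line format, the internal 10.1.1.x hosts, and the thresholds are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log; the line format is an assumption for this example.
# External destinations fall inside the ranges quoted in the thread.
SAMPLE_LOG = """\
1075230000 DROP UDP 10.1.1.20:137 -> 156.67.52.182:137
1075230000 DROP UDP 10.1.1.20:137 -> 156.67.52.183:137
1075230000 DROP UDP 10.1.1.20:137 -> 9.108.180.138:137
1075230000 DROP UDP 10.1.1.20:137 -> 145.46.77.202:137
1075230001 DROP UDP 10.1.1.20:137 -> 156.67.52.184:137
1075230001 DROP UDP 10.1.1.20:137 -> 9.108.180.139:137
1075230001 DROP UDP 10.1.1.20:137 -> 145.46.77.203:137
1075230001 DROP UDP 10.1.1.20:137 -> 156.67.52.185:137
1075230001 DROP UDP 10.1.1.20:137 -> 9.108.180.140:137
1075230000 ALLOW UDP 10.1.1.30:137 -> 10.1.1.255:137
1075230001 DROP UDP 10.1.1.31:137 -> 145.46.77.204:137
1075230001 DROP TCP 10.1.1.31:1042 -> 156.67.52.182:80
"""
LINE_RE = re.compile(r"(\d+) \w+ (\w+) ([\d.]+):\d+ -> ([\d.]+):(\d+)")

def external_nbns_rates(log_text):
    """Map source host -> (packets/sec, distinct destinations) for UDP/137 to non-private IPs."""
    seen = defaultdict(lambda: ([], set()))
    for line in log_text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue
        ts, proto, src, dst, dport = m.groups()
        if proto != "UDP" or dport != "137":
            continue
        if ipaddress.ip_address(dst).is_private:
            continue  # NetBIOS name traffic on the local network is expected
        times, dsts = seen[src]
        times.append(int(ts))
        dsts.add(dst)
    return {s: (len(t) / (max(t) - min(t) + 1), len(d)) for s, (t, d) in seen.items()}

def flag_hosts(log_text, baseline_pps, min_pps=2.0, factor=3.0):
    """Hosts whose rate exceeds both a floor and a multiple of their recorded baseline."""
    rates = external_nbns_rates(log_text)
    return sorted(src for src, (pps, _n) in rates.items()
                  if pps > max(min_pps, factor * baseline_pps.get(src, 0.0)))

if __name__ == "__main__":
    for host in flag_hosts(SAMPLE_LOG, baseline_pps={}):
        print(host, external_nbns_rates(SAMPLE_LOG)[host])
```

The distinct-destination count is returned alongside the rate because many different external targets from one server is a stronger deviation from baseline than repeated queries to a single address.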
Current thread:
- Re: UDP Port 137 Question, (continued)
- Re: UDP Port 137 Question JGrimshaw (Jan 26)
- Re: UDP Port 137 Question H Carvey (Jan 21)
- Re: UDP Port 137 Question Jeff Friend (Jan 21)
- Re: UDP Port 137 Question H Carvey (Jan 22)
- RE: UDP Port 137 Question Mark A. Villanova (Jan 26)
- RE: UDP Port 137 Question P Cannon (Jan 27)
- RE: UDP Port 137 Question Sarbjit Singh Gill (Jan 28)
- Re: UDP Port 137 Question John LeMay (Jan 28)
- RE: UDP Port 137 Question P Cannon (Jan 27)
- RE: UDP Port 137 Question Darrell Porter (Jan 27)
- RE: UDP Port 137 Question JGrimshaw (Jan 27)
- RE: UDP Port 137 Question Darrell Porter (Jan 28)
- RE: UDP Port 137 Question Patrick A. Middleton (Jan 28)
- RE: UDP Port 137 Question John Smithson (Jan 28)
- RE: UDP Port 137 Question Depp, Dennis M. (Jan 28)