Educause Security Discussion mailing list archives

Re: Windows mystery udp/137 to udp/137


From: "Vanderbilt, Teresa" <tvanderb () OZARKS EDU>
Date: Tue, 22 May 2007 09:14:46 -0500

I'm having the same problem and have been banging my head against the
wall for weeks now. Please share if you find the answer.

Thanks,
Teresa Vanderbilt
University of the Ozarks 

-----Original Message-----
From: H. Morrow Long [mailto:morrow.long () YALE EDU] 
Sent: Tuesday, May 22, 2007 8:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows mystery udp/137 to udp/137

Are they running WINS? Was any computer contacting them on UDP
port 137?

137 is the NetBIOS name service and is used by WINS
-- deprecated in today's Windows versions but many computers can still
attempt to use it.  See:

http://www.iss.net/security_center/advice/Exploits/Ports/137/

- H. Morrow Long, CISSP, CISM, CEH
   University Information Security Officer
   Director -- Information Security Office
   Yale University, ITS

On May 22, 2007, at 9:02 AM, Clyde Hoadley wrote:

We have several Windows servers that regularly attempt to send udp 
packets from port 137 to nonexistent IP addresses on udp port 137.  These 
get blocked by the firewall.  The Sys Admins haven't been able to 
figure out why they do it.  Has anyone encountered this problem 
before?

Deny udp src inside:10.10.18.64/137 dst outside:169.254.221.242/137
Deny udp src inside:10.10.18.64/137 dst outside:169.254.221.242/137
Deny udp src inside:10.10.18.64/137 dst outside:192.168.81.1/137
Deny udp src inside:10.10.18.64/137 dst outside:192.168.81.1/137

--
Clyde Hoadley
Director of Information Security
Information Technology
Metropolitan State College of Denver
Campus Box 96, P.O. Box 173362, Denver Co 80217-3362
303-556-5074 | CELL 720-232-4737
www.mscd.edu
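
An added example, not part of any message in this thread: a Python triage helper that parses the firewall deny format quoted above, counts udp/137 to udp/137 denies per source and destination, and labels each destination by address class. The names `summarize_nbns_denies` and `classify` are hypothetical, and the sample input is the four entries from the original post, including the wrapped line.

```python
import ipaddress
import re
from collections import Counter

# Matches the firewall deny format quoted in the thread, e.g.
#   Deny udp src inside:10.10.18.64/137 dst outside:169.254.221.242/137
DENY_RE = re.compile(
    r"Deny\s+udp\s+src\s+(\S+?):(\d+\.\d+\.\d+\.\d+)/(\d+)\s+"
    r"dst\s+(\S+?):(\d+\.\d+\.\d+\.\d+)/(\d+)"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Label a destination by address class (hypothetical helper)."""
    ip = ipaddress.ip_address(addr)
    if ip.is_link_local:
        return "link-local (169.254.0.0/16)"
    if any(ip in net for net in RFC1918):
        return "private (RFC 1918)"
    return "other"

def summarize_nbns_denies(log_text):
    """Count denied udp/137 -> udp/137 flows per (source, destination)."""
    # Collapse whitespace so entries wrapped across lines still match.
    text = " ".join(log_text.split())
    flows = Counter()
    for _, src, sport, _, dst, dport in DENY_RE.findall(text):
        if sport == "137" and dport == "137":
            flows[(src, dst)] += 1
    return [
        {"src": s, "dst": d, "count": n, "dst_class": classify(d)}
        for (s, d), n in flows.most_common()
    ]

# The four entries from the original post, wrapped as in the archive copy.
SAMPLE = """\
Deny udp src inside:10.10.18.64/137 dst outside:169.254.221.242/137
Deny udp src inside:10.10.18.64/137 dst outside:169.254.221.242/137
Deny udp src inside:10.10.18.64/137 dst outside:192.168.81.1/137 Deny
udp src inside:10.10.18.64/137 dst outside:192.168.81.1/137
"""

if __name__ == "__main__":
    for row in summarize_nbns_denies(SAMPLE):
        print(row)
```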
