Firewall Wizards mailing list archives

Re: Help w/ Port 137 Traffic


From: "Paul D. Robertson" <proberts () patriot net>
Date: Sun, 13 Oct 2002 07:57:04 -0400 (EDT)

On Sat, 12 Oct 2002, Mike McCandless wrote:

> I have seen an increase in (unsolicited) traffic to port 137 at my
> firewall. My default

You're likely seeing one of the Windows-based worms.

> firewall policy (using iptables) is to deny, so 137 traffic is not
> getting through.  I have used Ethereal (a network sniffer) to see the
> content of the UDP packets and the consistent theme is:
>
> In the Flags section - broadcast packet is 1 (I assume this means yes)
> In the Queries section
> - Name is a bunch of 0's and Workstation/Redirector in parens
> - Type is NBSTAT
> - Class is inet
>
> Can someone tell me what the source of these are?  I have done a reverse
> DNS lookup on several source IPs and don't see any pattern.

Likely Bugbear, which is gaining significant momentum:

http://www.trusecure.com/knowledge/hypeorhot/2002/bugbear090302.shtml

We say "network shares," not explicitly "port 137" - either that's because
of an update or because we mandate blocking of 137 in our customer base.
There are links on that page to a few vendors who may give greater detail.

I'm not sure if a scan of 36794 would turn up infected hosts, but it's 
likely.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
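The fields Mike lists from Ethereal (broadcast flag set, a name of zeros with the Workstation/Redirector suffix, type NBSTAT, class inet) are the RFC 1002 NetBIOS Name Service "node status" request for the wildcard name, which is what a share-hunting worm sends to enumerate a host before trying its shares. The decoder below is an added example, not code from the original post or from any of the vendors linked above: it parses a UDP/137 payload, decodes the first-level name encoding, and flags the wildcard NBSTAT probe so that a firewall log or packet capture can be triaged without eyeballing each packet. The sample packets, transaction ids and the host name FILESRV01 are constructed for the example; the assumption that "a bunch of 0's" is the NUL padding of the wildcard name `*` is mine.

```python
"""Decode NetBIOS Name Service (UDP/137) queries and flag the NBSTAT wildcard
probe described in the thread.  Constructed example following RFC 1002; not
part of the original mailing-list post."""
import struct

QTYPE_NB = 0x0020          # ordinary name query
QTYPE_NBSTAT = 0x0021      # node status request (shown as NBSTAT by Ethereal)
QCLASS_IN = 0x0001         # Internet class (shown as "inet")
NMFLAG_BROADCAST = 0x0010  # the B bit inside the 16-bit header flags word

# Common 16th-byte suffixes, labelled the way Ethereal prints them
SUFFIXES = {
    0x00: "Workstation/Redirector",
    0x03: "Messenger",
    0x1B: "Domain Master Browser",
    0x20: "File Server Service",
}


def nb_name(name: bytes, suffix: int, pad: bytes = b" ") -> bytes:
    """Raw 16-byte NetBIOS name: 15 name bytes (padded) plus one suffix byte."""
    if len(name) > 15:
        raise ValueError("NetBIOS names are at most 15 bytes")
    return name.ljust(15, pad) + bytes([suffix])


# RFC 1002 wildcard name: "*" followed by fifteen NUL bytes
WILDCARD = nb_name(b"*", 0x00, pad=b"\x00")


def encode_first_level(raw16: bytes) -> bytes:
    """Split each byte into two nibbles and add 'A' to each (32 output bytes)."""
    out = bytearray()
    for b in raw16:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_first_level(enc32: bytes) -> bytes:
    """Inverse of encode_first_level; rejects anything outside 'A'..'P'."""
    if len(enc32) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    out = bytearray()
    for i in range(0, 32, 2):
        hi, lo = enc32[i] - 0x41, enc32[i + 1] - 0x41
        if not (0 <= hi < 16 and 0 <= lo < 16):
            raise ValueError("not first-level encoded")
        out.append((hi << 4) | lo)
    return bytes(out)


def parse_nbns_query(payload: bytes) -> dict:
    """Parse a single-question NBNS query: 12-byte header, one encoded name,
    QTYPE and QCLASS.  Raises ValueError on anything that is not such a query."""
    if len(payload) < 50:                       # smallest possible one-question query
        raise ValueError("truncated NBNS query")
    trn_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:
        raise ValueError("response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    if payload[12] != 32 or payload[45] != 0:
        raise ValueError("expected one 32-byte label terminated by a zero byte")
    raw = decode_first_level(payload[13:45])
    qtype, qclass = struct.unpack("!HH", payload[46:50])
    return {
        "trn_id": trn_id,
        "opcode": (flags >> 11) & 0x0F,         # 0 = QUERY
        "broadcast": bool(flags & NMFLAG_BROADCAST),
        "name": raw[:15],
        "suffix": raw[15],
        "qtype": qtype,
        "qclass": qclass,
    }


def is_nbstat_wildcard_probe(payload: bytes) -> bool:
    """True for the packet the thread describes: NBSTAT/IN query for '*'<00>."""
    try:
        q = parse_nbns_query(payload)
    except ValueError:
        return False
    return (q["opcode"] == 0 and q["qtype"] == QTYPE_NBSTAT
            and q["qclass"] == QCLASS_IN
            and q["name"] + bytes([q["suffix"]]) == WILDCARD)


def describe(q: dict) -> str:
    """One-line summary suitable for a firewall or IDS log."""
    qtype = {QTYPE_NB: "NB", QTYPE_NBSTAT: "NBSTAT"}.get(q["qtype"], hex(q["qtype"]))
    shown = q["name"].rstrip(b" \x00").decode("ascii", "replace")
    suffix = SUFFIXES.get(q["suffix"], "unknown")
    return f"{qtype} query for '{shown}' <{q['suffix']:02x}> ({suffix}), broadcast={q['broadcast']}"


def build_query(trn_id: int, raw16: bytes, qtype: int, broadcast: bool) -> bytes:
    """Assemble a one-question NBNS query; used only to construct sample input."""
    flags = NMFLAG_BROADCAST if broadcast else 0
    header = struct.pack("!6H", trn_id, flags, 1, 0, 0, 0)
    return header + b"\x20" + encode_first_level(raw16) + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


# Constructed samples: the probe from the thread, and a benign name lookup for comparison
PROBE = build_query(0x1234, WILDCARD, QTYPE_NBSTAT, broadcast=True)
LOOKUP = build_query(0x1235, nb_name(b"FILESRV01", 0x20), QTYPE_NB, broadcast=True)

if __name__ == "__main__":
    for pkt in (PROBE, LOOKUP):
        print(describe(parse_nbns_query(pkt)), "probe" if is_nbstat_wildcard_probe(pkt) else "benign")
```

Feeding the UDP payloads that iptables logs (or that Ethereal exports) through `is_nbstat_wildcard_probe` separates the worm's enumeration packets from legitimate broadcast name lookups on the same port, which is the distinction a dropped-packet count alone cannot make. The wildcard name is encoded as `CK` followed by thirty `A`s, a string that is easy to grep for in raw captures as well.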

