Firewall Wizards mailing list archives
Re: Help w/ Port 137 Traffic
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Sun, 13 Oct 2002 14:57:10 +0200
"Paul D. Robertson" wrote:
> http://www.ciac.org/ciac/W32_BugBear_info.html
> [...]
> I suspect the worm does a lookup prior to an infection
This is _possible_. If the worm prefers logging on with "computername\username" rather than just "username", it would have to get the netbios host name first. I don't see _why_ it'd be doing it; I'm just saying it _could_.
> , but I really don't know - I don't run Windows, so I haven't played with doing NetBIOS stuff and don't know what the normal programming sequence is for enumerating shares, and as we don't let customers expose NetBIOS ports at all, this was never high on my list of things to worry about.
I've personally never seen share enumeration being done over port 137. I have only seen it done over 139, and I guess it can be done over port 445 as well.

"nbtstat -a computername" however returns a list of "names" associated with the box. This includes: the computer name, the domain/wg name, and the name of the currently logged on user. How this can help a worm, I don't know.

Anyway, what I do know is that you don't access shares (infect things) over port 137. This happens over 139/445.

My guess would be that CIAC got it (the _important_ facts) wrong. I do know for a fact that their recommendations are a bit off; they only recommend to firewall ports 137--139, which is a bit narrow for my taste; it exposes the portmapper (135) as well as port 445.

/Mike, off to write a note to CIAC about fixing their documentation

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
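Added example, not part of the original post: a parser for the RFC 1002 node status (NBSTAT) response that "nbtstat -a" displays, showing which names a host answering on UDP 137 discloses. The sample packet and the names WKSTN01, EXAMPLEGRP and JDOE are constructed for illustration; the suffix meanings follow Microsoft's naming convention.

```python
import struct
# Meaning of the 16th (suffix) byte, keyed by (suffix, is_group); Microsoft convention.
SUFFIXES = {
    (0x00, False): "Workstation service (computer name)",
    (0x00, True): "Domain/workgroup name",
    (0x03, False): "Messenger service (computer name or logged-on user)",
    (0x20, False): "File Server service",
}

def parse_node_status(packet: bytes):
    """Return [(name, suffix, is_group, meaning)] from an RFC 1002 NBSTAT response."""
    if len(packet) < 12 or not packet[2] & 0x80:  # 12-byte header, response bit set
        raise ValueError("not a NetBIOS name service response")
    off = 12
    while True:  # skip RR_NAME: length-prefixed labels ending in a zero byte
        if off >= len(packet) or packet[off] & 0xC0:
            raise ValueError("truncated or compressed RR_NAME")
        label_len = packet[off]
        off += 1 + label_len
        if label_len == 0:
            break
    if off + 11 > len(packet):
        raise ValueError("truncated resource record")
    rr_type, _cls, _ttl, rdlen, count = struct.unpack(">HHIHB", packet[off:off + 11])
    off += 11
    if rr_type != 0x0021:
        raise ValueError("answer is not NBSTAT (type 0x21)")
    if 1 + count * 18 > rdlen or off + count * 18 > len(packet):
        raise ValueError("name table runs past the record")
    names = []
    for i in range(off, off + count * 18, 18):  # 15-char name, suffix, 2-byte flags
        raw, suffix, nflags = struct.unpack(">15sBH", packet[i:i + 18])
        group = bool(nflags & 0x8000)  # G bit: group name rather than unique name
        label = SUFFIXES.get((suffix, group), "other")
        names.append((raw.decode("ascii", "replace").rstrip(), suffix, group, label))
    return names

def _entry(name, suffix, flags):  # helper for the constructed sample only
    return struct.pack(">15sBH", name.ljust(15).encode("ascii"), suffix, flags)

# Constructed sample response (not captured traffic): four names plus zeroed statistics.
_RDATA = bytes([4]) + _entry("WKSTN01", 0x00, 0x0400) + _entry("EXAMPLEGRP", 0x00, 0x8400) \
    + _entry("WKSTN01", 0x20, 0x0400) + _entry("JDOE", 0x03, 0x0400) + bytes(46)
SAMPLE = struct.pack(">6H", 0x1234, 0x8400, 0, 1, 0, 0) + b"\x20CK" + b"A" * 30 + b"\x00" \
    + struct.pack(">HHIH", 0x0021, 0x0001, 0, len(_RDATA)) + _RDATA

if __name__ == "__main__":
    for name, suffix, group, label in parse_node_status(SAMPLE):
        print(f"{name:<15} <{suffix:02X}> {'GROUP ' if group else 'UNIQUE'} {label}")
```

None of the parsed names is a share; share access itself still goes over 139/445 as the post says, so this output only shows what blocking UDP 137 at the perimeter keeps from being disclosed.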