Firewall Wizards mailing list archives

Re: Help w/ Port 137 Traffic


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Sun, 13 Oct 2002 14:57:10 +0200


"Paul D. Robertson" wrote:

> http://www.ciac.org/ciac/W32_BugBear_info.html
> [...]
> I suspect the worm does a lookup prior to an infection

This is _possible_. If the worm prefers logging on with 
"computername\username" rather than just "username", it would have to 
get the netbios host name first. I don't see _why_ it'd be doing it;
I'm just saying it _could_.

> , but I really don't
> know- I don't run Windows, so I haven't played with doing NetBIOS stuff
> and don't know what the normal programming sequence is for enumerating
> shares, and as we don't let customers expose NetBIOS ports at all, this
> was never high on my list of things to worry about.

I've personally never seen share enumeration being done over port 137.
I have only seen it done over 139, and I guess it can be done over 
port 445 as well.

"nbtstat -a computername" however returns a list of "names" associated
with the box. This includes: the computer name, the domain/wg name,
and the name of the currently logged on user.  How this can help a worm,
I don't know.


Anyway, what I do know is that you don't access shares (infect things) 
over port 137.  This happens over 139/445.

My guess would be that ciac got it (the _important_ facts) wrong. 
I do know for a fact that their recommendations are a bit off; they only 
recommend firewalling ports 137--139, which is a bit narrow for my taste; 
it exposes the portmapper (135) as well as port 445.

/Mike, off to write a note to ciac about fixing their documentation

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

