Security Incidents mailing list archives

Re: FROM port 137 TO port 137


From: Erwin Geirnaert <egeirnaert () REFERENCE BE>
Date: Mon, 5 Mar 2001 09:03:31 +0100

Hi Bryan

I may add to this that there is a new tool available called ShareSniffer
(www.sharesniffer.com) that will scan a network for open shares. They
promote it as the ultimate Napster program.

So I think that there will be an increase of those scans on port 137. But
that shouldn't be too hard to filter on the border-router or with a personal
firewall.

Erwin

-----Original Message-----
From: Bryan Bradsby [mailto:Bryan.Bradsby () CAPNET STATE TX US]
Sent: Saturday 3 March 2001 8:03
To: INCIDENTS () SECURITYFOCUS COM
Subject: FROM port 137 TO port 137


There seems to be a great deal of fear, panic, and confusion about packets
FROM port 137 TO port 137.

If you are getting a small number (say 4) packets per second FROM port
137, and TO port 137, this is not a denial of service. If that is all you
have, don't report it to the source ISP until you inspect the contents of
the packets and determine the real cause. Some issues to consider are
touched on below.

Let us consider some possible causes of traffic FROM port 137, and TO port
137.

1. This could be because the remote site has a worm similar to
Network.VBS, and is searching for MS Windows open shares

   http://www.sans.org/newlook/resources/IDFAQ/port_137.htm

2. However this COULD be *perfectly normal* if you make connections to
outside networks from your boxes that lack proper forward and reverse DNS
entries.

3. Also, if the remote site is using Black Ice Defender, their firewall
may be causing these packets, (after your box initiates a connection to
their network). The Black Ice firewall is only attempting to get the
Netbios host name for an IP that connected to their network to record
that data in their logs.


One of the best explanations for the port 137 traffic is:

  http://www.robertgraham.com/pubs/firewall-seen.html#10


Synopsis:

If a box "YYY" on your network initiates a connection to a Win box "ZZZ"
(outside your net), the remote box "ZZZ" may attempt to resolve the IP
address of "YYY" by looking up the PTR record for "YYY" in your DNS. This
is a function call - gethostbyaddress().

If your DNS server does not supply a host name for the IP address of "YYY"
within 14 seconds, the remote Win box "ZZZ" will attempt Netbios Name
resolution for "YYY" by asking "YYY" for Netbios "nodestatus" for the
nodename wildcard "*".

This behavior is "completely normal" for Windows boxes. If you don't like
it, either complain to Bill G, or block ports 135-139.

Silently blocking (dropping) those packets is a bad thing to do. The proper
thing to do is send "icmp port unreach". Neither will stop the packets
from coming.

Providing proper reverse DNS for all the boxes on your network that will
connect to the outside will mean you are doing the right thing, and may
reduce some of this traffic.

-bryan bradsby
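Bryan's advice is to inspect the packet contents before deciding what the port 137 traffic is. The following Python script is an added example for doing exactly that; it is not part of either message in this thread. It decodes the NetBIOS Name Service question carried in a UDP/137 datagram (the 32-byte "first-level" encoded name, then the query type) and labels a node status request for the wildcard name "*" separately from ordinary name queries, so the single "nodestatus for *" the synopsis describes can be told apart from other activity. The packet bytes and the IP addresses in the sample capture are constructed here for the example; the wire format follows RFC 1001/1002.

```python
import struct

# NetBIOS Name Service question types (RFC 1002)
NB = 0x0020       # NB: ordinary name query
NBSTAT = 0x0021   # NBSTAT: node status request

def build_nbns_query(txid: int, name: str, qtype: int) -> bytes:
    """Build a minimal NBNS query for the example (constructed data).
    The wildcard name "*" is padded with NULs; ordinary names with spaces."""
    padding = b"\x00" if name == "*" else b" "
    raw = name.encode("ascii")[:15].ljust(15, padding) + b"\x00"  # suffix 0x00
    # first-level encoding: each nibble becomes a letter A..P
    encoded = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    header = struct.pack("!6H", txid, 0x0000, 1, 0, 0, 0)  # flags 0 = query
    return header + bytes([32]) + encoded + b"\x00" + struct.pack("!HH", qtype, 1)

def decode_first_level(encoded: bytes) -> bytes:
    """Reverse the nibble encoding: 32 letters -> 16 raw bytes."""
    out = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= hi < 16 and 0 <= lo < 16):
            raise ValueError("invalid first-level encoded name")
        out.append((hi << 4) | lo)
    return bytes(out)

def parse_nbns_query(packet: bytes) -> dict:
    """Parse the header and first question of an NBNS datagram."""
    if len(packet) < 12:
        raise ValueError("truncated NBNS header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!6H", packet[:12])
    pos = 12
    if qdcount < 1 or len(packet) < pos + 1 + 32 + 1 + 4:
        raise ValueError("no complete question in packet")
    if packet[pos] != 32:
        raise ValueError("unexpected NetBIOS label length")
    encoded = packet[pos + 1:pos + 33]
    if packet[pos + 33] != 0:
        raise ValueError("name not terminated")
    qtype, qclass = struct.unpack("!HH", packet[pos + 34:pos + 38])
    raw = decode_first_level(encoded)
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "name": raw[:15].rstrip(b" \x00").decode("ascii", "replace"),
        "suffix": raw[15],
        "qtype": qtype,
        "qclass": qclass,
    }

def classify(packet: bytes) -> str:
    """Label one UDP/137 payload for triage."""
    try:
        q = parse_nbns_query(packet)
    except (ValueError, struct.error):
        return "malformed"
    if q["is_response"]:
        return "response"
    if q["qtype"] == NBSTAT and q["name"] == "*":
        return "wildcard-node-status"   # the reverse-lookup fallback in the synopsis
    if q["qtype"] == NBSTAT:
        return "node-status"
    if q["qtype"] == NB:
        return "name-query"
    return "other"

# Constructed capture: (src, sport, dst, dport, payload). Addresses are
# documentation ranges, not real hosts.
SAMPLE_CAPTURE = [
    ("203.0.113.7", 137, "192.0.2.10", 137, build_nbns_query(0x0A01, "*", NBSTAT)),
    ("203.0.113.7", 137, "192.0.2.10", 137, build_nbns_query(0x0A02, "*", NBSTAT)),
    ("198.51.100.4", 137, "192.0.2.11", 137, build_nbns_query(0x0B01, "*", NBSTAT)),
    ("198.51.100.4", 137, "192.0.2.12", 137, build_nbns_query(0x0B02, "*", NBSTAT)),
    ("198.51.100.4", 137, "192.0.2.13", 137, build_nbns_query(0x0B03, "*", NBSTAT)),
    ("198.51.100.4", 137, "192.0.2.13", 137, b"\x00\x01garbage"),
]

def summarize(capture) -> dict:
    """Per source: how many queries of each kind and how many distinct
    destinations it touched. A source retrying the wildcard node status
    against one host it just talked to matches the synopsis; the same query
    fanned out across many of your addresses is worth a closer look."""
    per_src = {}
    for src, _sport, dst, dport, payload in capture:
        if dport != 137:
            continue
        entry = per_src.setdefault(src, {"kinds": {}, "destinations": set()})
        kind = classify(payload)
        entry["kinds"][kind] = entry["kinds"].get(kind, 0) + 1
        entry["destinations"].add(dst)
    return per_src

if __name__ == "__main__":
    for src, entry in summarize(SAMPLE_CAPTURE).items():
        print(src, entry["kinds"], "distinct destinations:", len(entry["destinations"]))
```

Feed `classify()` the UDP payload from a sniffer capture of the traffic in question; when the answer is a single "wildcard-node-status" query to the host that just opened a connection outbound, the traffic is the behaviour the synopsis describes rather than anything to report.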
