Re: Listener on ports 137, 138, 139

From: Matt (matts2424@socket.net)
Date: 10/16/02


From: "Matt" <matts2424@socket.net>
To: <security-basics@securityfocus.net>
Date: Wed, 16 Oct 2002 14:42:57 -0500

Hello!

What you are describing is not a virus or backdoor.
These listening connections are initiated by default whenever you have
Windows file and printer sharing installed and running. They are all a part
of the NETBIOS protocol which is used to support file and printer sharing.

They listen prior to you connecting to the ADSL, because they are set as
listening immediately when you enter Windows.
Port 137 is Netbios NAME, 138 is Netbios DATAGRAM, and 139 is Netbios
SESSION, and none of them are anything to be worried about (Except, read
below)

Netbios is mostly used for local area networks and works independent to your
ADSL (Though netbios can work over wide area networks as well).
If you are not using file or printer sharing on your computer, then it is
safe AND wise to turn off this service. Misconfigured file and printer
sharing can allow anyone over the internet to access files, and do almost
anything you can do to them if you have any folders on your computer shared,
and many of the recent worms have done just that.

Here is a helpful website on turning it off if you wish to.

http://help.twspeed.com/security/pfsharingwindows.asp

Hope this helps.

-Matt

----- Original Message -----
From: "Rune Berntzen" <rbern8@online.no>
To: "Security Basics" <security-basics@securityfocus.com>
Sent: Tuesday, October 15, 2002 12:27 PM
Subject: Listener on ports 137, 138, 139

> Hi all,
>
> When checking port activity using TCPView I notice that I have a =
> listener on ports 137,138 and 139.
> The Local Address seems to be from a Class B network, 169.254.0.0, =
> which I trace to something called=20
>
> BLACKHOLE-1.IANA.ORG
>
> using SmartWhois.
>
> The funny thing is that the LISTENING entries are visible in TCPView =
> even before I connect to my ADSL provider.
>
> Anybody has an idea about what this can be.
>
> BTW, I am running Norton Internet Security 2001 with updatet virus =
> definitions.
>
> Thanks in advance,
> Rune



Relevant Pages

  • RE: nc help needed.
    ... on the box where nc is listening for incoming connections on ... -s says "bind netcat to port X on local IP address Y." ... This overrides NetBIOS binding to "all". ...
    (Security-Basics)
  • Re: Netstat -an on ISA 2004
    ... For port 139 on external, I confirm that File and Printer Sharing are ... Why is it still listening on it and is there anything ... Gruss Jens ...
    (microsoft.public.isa)
  • Re: Best Plan of action for 2 forest.......
    ... PortQry reports the status of a port in one of the following ways: ... ..LISTENING This response indicates that a process is listening on the target ...
    (microsoft.public.windows.server.active_directory)
  • Re: RealVNC
    ... If we are talking about RealVNC it goes this way ... Then there is default Java listening port on port 5800 on the client machine ...
    (microsoft.public.windows.server.sbs)
  • Re: RIP issue with HMC - security violation?
    ... using an UDP port, 520, which would normally imply that there was a Routing ... Information Protocol (RIP) process behind it capable of modifying the routing ... as a "listening" state for the application. ...
    (bit.listserv.ibm-main)