Re: Listener on ports 137, 138, 139

From: Matt (matts2424@socket.net)
Date: 10/16/02


From: "Matt" <matts2424@socket.net>
To: <security-basics@securityfocus.net>
Date: Wed, 16 Oct 2002 14:42:57 -0500

Hello!

What you are describing is not a virus or backdoor.
These listening connections are initiated by default whenever you have
Windows file and printer sharing installed and running. They are all a part
of the NETBIOS protocol which is used to support file and printer sharing.

They listen prior to you connecting to the ADSL, because they are set as
listening immediately when you enter Windows.
Port 137 is Netbios NAME, 138 is Netbios DATAGRAM, and 139 is Netbios
SESSION, and none of them are anything to be worried about (Except, read
below)

Netbios is mostly used for local area networks and works independent to your
ADSL (Though netbios can work over wide area networks as well).
If you are not using file or printer sharing on your computer, then it is
safe AND wise to turn off this service. Misconfigured file and printer
sharing can allow anyone over the internet to access files, and do almost
anything you can do to them if you have any folders on your computer shared,
and many of the recent worms have done just that.

Here is a helpful website on turning it off if you wish to.

http://help.twspeed.com/security/pfsharingwindows.asp

Hope this helps.

-Matt

----- Original Message -----
From: "Rune Berntzen" <rbern8@online.no>
To: "Security Basics" <security-basics@securityfocus.com>
Sent: Tuesday, October 15, 2002 12:27 PM
Subject: Listener on ports 137, 138, 139

> Hi all,
>
> When checking port activity using TCPView I notice that I have a =
> listener on ports 137,138 and 139.
> The Local Address seems to be from a Class B network, 169.254.0.0, =
> which I trace to something called=20
>
> BLACKHOLE-1.IANA.ORG
>
> using SmartWhois.
>
> The funny thing is that the LISTENING entries are visible in TCPView =
> even before I connect to my ADSL provider.
>
> Anybody has an idea about what this can be.
>
> BTW, I am running Norton Internet Security 2001 with updatet virus =
> definitions.
>
> Thanks in advance,
> Rune