RE: UDP Port 137 Question

From: Darrell Porter (dporter_at_cpp.com)
Date: 01/28/04

    To: "'JGrimshaw@ASAP.com'" <JGrimshaw@ASAP.com>, Darrell Porter <dporter@cpp.com>
    Date: Tue, 27 Jan 2004 19:13:07 -0800
    
    

    Well, the real solution is to stop running Microsoft operating systems. :P

    Seriously though, constant vigilance is a good start. If you maintain a
    baseline of the activity your servers do normally, you can more easily spot
    abnormalities before they cause you too much grief (or as happened to one of
    my colleagues, before the FBI comes knocking on your door for having a
    machine that continuously tried hacking them).

    Darrell Porter
    Director of Network Operations
    CPP, Inc.
    Davies-Black Publishing
    http://www.cpp.com
    800-624-1765


    -----Original Message-----
    From: JGrimshaw@ASAP.com [mailto:JGrimshaw@ASAP.com]
    Sent: Tuesday, January 27, 2004 6:21
    To: Darrell Porter
    Cc: security-basics@securityfocus.com
    Subject: RE: UDP Port 137 Question

    Thanks Darrell,

    That's what I had thought (and posted my views) but the original poster
    ("John Smithson" <why1234@hotmail.com>) had never said what the resolution
    was. There were a number of replies that correlated with the netbios, and
    others that said it may be a virus. I was just curious to see what the
    actual problem was.

    I posted my request for a resolution to the group, as I do not seem to get
    all of the mailing list messages or I get them very delayed sometimes. I
    didn't want to miss out on it!

    Darrell Porter <dporter@cpp.com>
    01/26/2004 09:20 PM

    To: "'JGrimshaw@ASAP.com'" <JGrimshaw@ASAP.com>
    cc: security-basics@securityfocus.com
    Subject: RE: UDP Port 137 Question

    http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

    will be most enlightening.

    Computer Browser
    The Computer Browser system service maintains an up-to-date list of
    computers on your network and supplies the list to programs that request
    it. The Computer Browser service is used by Windows-based computers to view
    network domains and resources. Computers that are designated as browsers
    maintain browse lists that contain all shared resources that are used on
    the network. Earlier versions of Windows programs, such as My Network
    Places, the net view command, and Windows Explorer, all require browsing
    capability. For example, when you open My Network Places on a computer that
    is running Microsoft Windows 95, a list of domains and computers appears.
    To display this list, the computer obtains a copy of the browse list from a
    computer that is designated as a browser.

    System service name: Browser

    Application protocol        Protocol  Ports
    NetBIOS Datagram Service    UDP       138
    NetBIOS Name Resolution     UDP       137
    NetBIOS Name Resolution     TCP       137
    NetBIOS Session Service     TCP       139

    -----Original Message-----
    From: JGrimshaw@ASAP.com [mailto:JGrimshaw@ASAP.com]
    Sent: Monday, January 26, 2004 9:11
    Cc: security-basics@securityfocus.com
    Subject: Re: UDP Port 137 Question

    Hi everyone,

    I am curious as to what the resolution for this was.

    I did not receive a message that "X" fixed it; did anyone receive one?

    Gurus,

    I have a couple of servers that are constantly trying to go outbound on UDP
    Port 137 (Nbname). The event is occurring 4-5 times per second. All
    outbound traffic is being dropped by my firewall. However, I am just trying
    to find out what the reason is -

    I have AV on the server with the latest definitions - I have run a manual
    AV scan - I have run the Welchia / Nimda / etc. removal tool - I have run a
    spyware removal tool - All of them come up clean. The outbound addresses
    are for example:
    156.67.52.182 to 156.67.52.204 --- 9.108.180.138-154 -- 145.46.77.202-241 -
    There are more of these network ranges (I have already done whois on all
    these IP ranges)

    Oh yeah - the servers are Win2k with SP3 or Win2k with SP4 with the latest
    HF.

    Please help me to isolate what I am facing. This should not be a normal
    traffic pattern, since only a couple of my servers are producing this
    traffic.

    TIA
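
Added example, not part of the thread: one way to act on the baseline advice above for the symptom described in the original post, by summarising UDP/137 traffic that leaves the internal network per source host and comparing its peak rate with a recorded baseline. The log format, the 10.0.0.x source addresses and the function names are assumptions; the external destinations are addresses quoted in the original post.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed firewall records; the log format and 10.0.0.x sources are assumptions.
# External destinations are addresses quoted in the original post.
SAMPLE_LOG = """\
2004-01-26T09:00:01 DROP UDP 10.0.0.21:137 -> 156.67.52.182:137
2004-01-26T09:00:01 DROP UDP 10.0.0.21:137 -> 156.67.52.183:137
2004-01-26T09:00:01 DROP UDP 10.0.0.21:137 -> 9.108.180.138:137
2004-01-26T09:00:01 DROP UDP 10.0.0.21:137 -> 145.46.77.202:137
2004-01-26T09:00:02 DROP UDP 10.0.0.21:137 -> 156.67.52.184:137
2004-01-26T09:00:02 ALLOW UDP 10.0.0.30:137 -> 10.0.0.255:137
2004-01-26T09:00:03 DROP UDP 10.0.0.30:1047 -> 9.108.180.139:53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def nbname_egress(log_text, internal="10.0.0.0/8"):
    """Summarise UDP/137 traffic leaving the internal network, per source host."""
    net = ipaddress.ip_network(internal)
    per_second = defaultdict(Counter)   # src -> {timestamp: packets}
    dests = defaultdict(set)            # src -> distinct external destinations
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "UDP" or m["dport"] != "137":
            continue
        if ipaddress.ip_address(m["dst"]) in net:
            continue                    # local name resolution is expected traffic
        per_second[m["src"]][m["ts"]] += 1
        dests[m["src"]].add(m["dst"])
    return {
        src: {"packets": sum(c.values()), "peak_pps": max(c.values()),
              "destinations": len(dests[src])}
        for src, c in per_second.items()
    }

def deviations(summary, baseline):
    """Hosts whose peak rate exceeds the recorded baseline (absent host = 0)."""
    return sorted(s for s, v in summary.items() if v["peak_pps"] > baseline.get(s, 0))
```

The baseline argument maps each host to the peak packets-per-second seen during a known-good period; a host with no entry is treated as never having sent such traffic.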
