Re: Massive Port 137 Access Denials

From: David (davidwnh@adelphia.net)
Date: 12/06/02


From: "David" <davidwnh@adelphia.net>
Date: Fri, 06 Dec 2002 22:08:15 GMT

Port 137 is used for the NetBIOS name service. It is generally used to
register or look up computer names on a Microsoft network. By itself it is
not necessarily an "attack"; however, it is used to identify your computer or
the computers within a network so that further access can be gained. You
will see this on the internet for several reasons. Worms and hackers will do
a name lookup since it is often the first step to setting up a session to
gain access to file shares or other NetBIOS services that are running on a
computer or network. Hackers and script kiddies will scan this port to see
if you have NetBIOS running and exposed to the internet. Some websites or
internet services you visit will perform a NetBIOS lookup to identify you in
their access logs. If your ISP doesn't use reverse lookup tables you will
get more NetBIOS lookups than others, from other systems that are logging
access via their firewalls or services. Also, if you are allowing NetBIOS
lookups out from your own computer you will be receiving responses to these
requests. Zone Alarm, for example, will do a NetBIOS lookup for its log if the
reverse DNS lookup fails, so if you allow these to pass out you will be
getting responses for many of them.

That being said, if you are not allowing traffic to pass out on Port 137,
many if not most of these are probably being generated by the various worms
circulating the internet these days. Be sure to have ports 137-139 and 445
TCP & UDP blocked inbound and outbound; and unbind NetBIOS over TCP/IP, File
and Print Sharing, and the Client for Windows Networking from your internet
adapter if your setup allows.

Then you can discard any concern as to the presence of such log entries.

> > I've noticed this past week that Zone Alarm is rejecting large amounts
> > of attempts to access my computer through port 137 - it's averaging
> > several attempts per minute, for most or all of 24 hours/day. It may
> > have been going on for some time, and I just haven't noticed.
> >
> > What does port 137 do or have access to? Is this a real attack on my
> > computer? The source addresses seem to be different for each attempt.
> >
> > Can anyone give me an insight on what's happening here?
> >
> > Frank
> >
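
The reply above separates two kinds of denied UDP 137 traffic: answers to lookups your own machine sent out, and lookups started by other hosts. The following is an added example, not part of the original post, that makes that split on a firewall log; the log layout, the addresses and the 30-second matching window are constructed assumptions and do not reflect Zone Alarm's actual log format.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (hypothetical layout, documentation addresses):
# date time direction proto src sport dst dport
SAMPLE_LOG = """\
2002-12-06 21:58:01 OUT UDP 192.0.2.10 137 198.51.100.7 137
2002-12-06 21:58:02 IN UDP 198.51.100.7 137 192.0.2.10 137
2002-12-06 21:59:10 IN UDP 203.0.113.5 1026 192.0.2.10 137
2002-12-06 21:59:40 IN UDP 203.0.113.77 137 192.0.2.10 137
2002-12-06 22:00:05 IN UDP 203.0.113.5 1026 192.0.2.10 137
2002-12-06 22:01:00 IN TCP 203.0.113.9 4021 192.0.2.10 445
"""

WATCHED = {137, 138, 139, 445}  # ports the reply says to block

def parse(line):
    date, time, direction, proto, src, sport, dst, dport = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, direction, proto, src, int(sport), dst, int(dport)

def summarize(log_text, window=timedelta(seconds=30)):
    """Split inbound UDP 137 hits into replies to our own lookups vs. unsolicited."""
    last_lookup = {}  # remote address -> time of our latest outbound UDP 137 lookup
    replies, unsolicited, other = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, direction, proto, src, sport, dst, dport = parse(line)
        if direction == "OUT":
            if proto == "UDP" and dport == 137:
                last_lookup[dst] = ts
            continue
        if dport not in WATCHED:
            continue
        if proto == "UDP" and dport == 137:
            sent = last_lookup.get(src)
            if sent is not None and timedelta(0) <= ts - sent <= window:
                replies[src] += 1      # answer to a lookup we sent out
            else:
                unsolicited[src] += 1  # lookup or scan started by the remote host
        else:
            other[(proto, dport)] += 1  # other NetBIOS/SMB ports
    return {"replies": replies, "unsolicited": unsolicited, "other": other}

if __name__ == "__main__":
    for kind, counts in summarize(SAMPLE_LOG).items():
        print(kind, dict(counts))
```

A large "replies" count points at outbound lookups from your own machine; a large "unsolicited" count spread over many sources matches the worm and scan traffic described in the reply.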


