Re: Rogue connections to netbios-ssn port

From: Karl Levinson [x y] mvp (levinson_k@despammed.com)
Date: 02/18/03


From: "Karl Levinson [x y] mvp" <levinson_k@despammed.com>
Date: Tue, 18 Feb 2003 11:29:30 -0500


If you don't have a firewall, these connections are permitted [and worse
yet, you have no native log recording of where they came from]. You should
really have a firewall to block your computer from leaking information such
as user IDs and passwords to the internet to any interested party.

If you do have a firewall, I would question the manufacturer to find out why
it isn't working.

NetBIOS over TCP/IP is routable through routers. Neither the computer nor
the router knows or cares whether the router is an internet router or a
router on the LAN or WAN. In fact, if you look at www.incidents.org, you'll
see that this is one of the most commonly used and scanned ports on the
internet.

There are free firewalls out there, such as www.sygate.com and others.

http://securityadmin.info/faq.htm#firewall
http://securityadmin.info/faq.htm#harden
http://securityadmin.info/faq.htm#hacked

"Charles Harrison" <cah7k@virginia.edu> wrote in message
news:034f01c2d706$e330b170$a401280a@phx.gbl...
> I've been getting some strange connections to my netbios-
> ssn port. The connections come from outside of my
> network, which seems strange because I was under the
> impression that the port was only for local network use.
> I noticed a connection under the shares section of
> computer management to a resource called \PIPE\samr. I
> don't know what this could be. There is no resource \PIPE
> that I know of. The computer connected to it didn't show
> up having any username. Its computer name was FISCAL.
> The actual connection was from 207-245-81-34.wcmontco.org,
> the Women's Center of Montgomery County in Jenkintown PA.
> Does anyone know what these connections could be, and what
> I can do to stop them?
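
Added example (not part of the original posts): because the reply points out that there is no native log of where these connections come from, a small script can flag netbios-ssn sessions from outside the LAN in `netstat -an` output. The sample output, the addresses and the list of "local" ranges are constructed assumptions, and port 445 is checked alongside 139 as a generalisation beyond the thread.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output; the addresses are
# private/documentation ranges, not values from the original posts.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       203.0.113.34:4312      ESTABLISHED
  TCP    192.168.1.10:139       192.168.1.22:1045      ESTABLISHED
  TCP    192.168.1.10:445       198.51.100.7:2750      TIME_WAIT
  TCP    192.168.1.10:1051      203.0.113.80:80        ESTABLISHED
  UDP    192.168.1.10:137       *:*
"""

SMB_PORTS = {139, 445}  # netbios-ssn and direct-hosted SMB

# Ranges treated as "local" (assumption: adjust to your own LAN). Listed
# explicitly because ipaddress.is_private also covers documentation ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def split_endpoint(endpoint):
    """Split an IPv4 'addr:port' netstat field into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)


def external_smb_peers(netstat_text):
    """Return (remote_ip, local_port, state) for SMB sessions from non-local peers."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Keep only TCP rows that describe a session, not a listening socket.
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] == "LISTENING":
            continue
        _, local_port = split_endpoint(fields[1])
        remote_ip, _ = split_endpoint(fields[2])
        if local_port in SMB_PORTS and not is_local(remote_ip):
            hits.append((str(remote_ip), local_port, fields[3]))
    return hits


if __name__ == "__main__":
    for peer in external_smb_peers(SAMPLE_NETSTAT):
        print("non-local SMB peer:", peer)
```

Any address this reports is a candidate for a firewall block rule on ports 139 and 445, which is the fix the reply recommends.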
