Free Republic
Port 137: Hit parade
vanity ^ | 2-4-2003 | self

Posted on 02/04/2003 12:14:49 PM PST by Bogey78O

I keep getting hits on port 137 from places in South America and the Middle East. Normally I don't care as my router shirks it off. But in the past hour or so I've been getting so many hits it's starting to slow down my connection.

I signed off and signed back on with a new IP address and it's helped since I've only gotten 2 hits since then in the past few minutes. Has anyone else been getting these hits? It seems like it's mainly coming in from Monterrey and Abu Dhabi. But I'm guessing it's via a proxy server.


TOPICS: Technical
Anyone else been getting this or is it just a conspiracy against me?
1 posted on 02/04/2003 12:14:49 PM PST by Bogey78O

To: Bogey78O
Nope. Have you sent mail to the ISP/host? They may not even realize they're zombified.
2 posted on 02/04/2003 12:16:35 PM PST by Bush2000

To: Bogey78O
These hits are mostly from boxes infected with Bugbear and similar worms. The worm actively searches for computers to hack into in addition to more traditional infection techniques. Hits to port 137 account for the lion's share of port hits...

I get dozens of hits per day on port 137.

3 posted on 02/04/2003 12:22:45 PM PST by Redcloak (Join the Coalition to Prevent Unnecessarily Verbose and Nonsensical Tag Lines, eh)

To: Bush2000
So far it's been a few different places.

San Pedro, Monterrey, and a girls' school in Abu Dhabi are the consistent ones.

Think they would take action if I sent an email? Think they'd speak the language?
4 posted on 02/04/2003 12:24:26 PM PST by Bogey78O (It's not a Zero it's an "O")

To: Redcloak
Thanks. I guess they just got my IP range in their sights now.
5 posted on 02/04/2003 12:25:54 PM PST by Bogey78O (It's not a Zero it's an "O")

To: Bogey78O
Just checked and I've had 99 port-137 hits since 8am. 'Bout average for 8 hours.
6 posted on 02/04/2003 12:33:20 PM PST by SpeakLittle_ThinkMuch

To: Bogey78O
> Think they would take action if I sent an email? Think they'd speak the language?

They might. I think it's worth doing, considering that they may not even be aware that they're infected. You could even include a link to Symantec's Antivirus scanner (if they're really clueless):

http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=64&EID=0
7 posted on 02/04/2003 12:48:20 PM PST by Bush2000

To: Bogey78O
Click here: 1. Security Test from ShieldsUp!
8 posted on 02/04/2003 12:48:56 PM PST by steplock ( http://www.spadata.com)

To: SpeakLittle_ThinkMuch
They're looking for open shares or enumerating active IP addresses and computer names. Port 137 is the NetBIOS port. Go to www.incidents.org for a look at the most attacked ports and the countries they are coming from.
9 posted on 02/04/2003 12:50:17 PM PST by opticoax

To: Bogey78O
I've gotten about 80 since yesterday... I block from 135 thru 139 and I count but do not log them.
10 posted on 02/04/2003 12:52:01 PM PST by TechJunkYard (via Cherie)
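Several posters above are counting port-137 drops by hand (99 since 8am in post 6, "about 80 since yesterday" in post 10) and the original poster noticed the surge only because it slowed the link. The script below is an added example, not code from anyone in this thread: it parses a constructed, hypothetical router drop-log format (timestamp, DROP, protocol, src:port -> dst:port; no real vendor's syntax), tallies drops to the NetBIOS/RPC ports by source and by hour, skips malformed lines, and flags any hour whose count is far above the background rate. The sample lines use TEST-NET addresses and are invented for the demonstration.

```python
import re
from collections import Counter
from statistics import mean

# Destination ports worth tallying: RPC endpoint mapper plus the three NetBIOS ports
NETBIOS_PORTS = {135, 137, 138, 139}

# Constructed log line shape (hypothetical, not a real vendor format):
#   YYYY-MM-DD HH:MM:SS DROP <UDP|TCP> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DROP (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: eight quiet hours with two probes each (the "dozens per day"
# background), then one hour with fifteen probes from two sources, plus one
# non-NetBIOS drop and one malformed line the parser must skip.
SAMPLE_LOG = []
for hour, last_octet in zip(range(4, 12), range(10, 18)):
    src = f"198.51.100.{last_octet}"
    for minute in (5, 40):
        SAMPLE_LOG.append(f"2003-02-04 {hour:02d}:{minute:02d}:00 DROP UDP {src}:137 -> 192.0.2.5:137")
for minute in range(0, 60, 4):
    src = "203.0.113.7" if minute % 8 == 0 else "203.0.113.9"
    SAMPLE_LOG.append(f"2003-02-04 12:{minute:02d}:00 DROP UDP {src}:137 -> 192.0.2.5:137")
SAMPLE_LOG.append("2003-02-04 12:30:00 DROP TCP 203.0.113.7:4011 -> 192.0.2.5:80")
SAMPLE_LOG.append("2003-02-04 12:31:00 this line is deliberately malformed")


def parse_line(line):
    """Return a dict for a well-formed drop line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["hour"] = rec["ts"][:13]  # "YYYY-MM-DD HH" bucket
    return rec


def summarize(lines, ports=NETBIOS_PORTS):
    """Count drops to the given ports by destination port, source address and hour."""
    per_port, per_src, per_hour = Counter(), Counter(), Counter()
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["dport"] not in ports:
            continue
        per_port[rec["dport"]] += 1
        per_src[rec["src"]] += 1
        per_hour[rec["hour"]] += 1
    return {"per_port": per_port, "per_src": per_src, "per_hour": per_hour, "skipped": skipped}


def surge_hours(per_hour, factor=5.0):
    """Hours whose count is at least `factor` times the mean of every other hour."""
    hours = sorted(per_hour)
    if len(hours) < 2:
        return []
    flagged = []
    for h in hours:
        others = [per_hour[o] for o in hours if o != h]
        baseline = max(mean(others), 1.0)  # never compare against a zero baseline
        if per_hour[h] >= factor * baseline:
            flagged.append(h)
    return flagged


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("drops by port:", dict(s["per_port"]), "| malformed lines:", s["skipped"])
    print("top sources:", s["per_src"].most_common(3))
    for h in surge_hours(s["per_hour"]):
        print(f"surge in hour {h}: {s['per_hour'][h]} drops")
```

The per-source counter is what you would hand to an abuse contact (post 2 and post 7 suggest mailing the ISP), and the hour-bucket comparison is a crude but serviceable way to notice the kind of burst the original poster felt as a slow connection before the log fills up.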

To: opticoax
> Port 137 is the NetBIOS port.

It's the NetBIOS nameserver port. Probing port 137 is the first step in the exploitation of open Windows shares.

11 posted on 02/04/2003 12:56:49 PM PST by TechJunkYard (via Cherie)
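Posts 9 and 11 identify port 137 as the NetBIOS name service and the probes as name and share enumeration. If your firewall or a packet capture keeps the UDP payload of a dropped probe, it is worth knowing what it says. The decoder below is an added example, not code from this thread or from any vendor: it parses the NetBIOS Name Service query header and question section (RFC 1001/1002 layout) and reverses the "first-level" name encoding, in which each nibble of the 16-byte NetBIOS name is written as a letter from A to P. The sample datagram is constructed for the example, with a made-up transaction ID, and assumes no NetBIOS scope labels follow the name.

```python
import struct

# Question types seen in name-service traffic (RFC 1002)
QTYPE_NAMES = {0x0020: "NB", 0x0021: "NBSTAT"}


def decode_nb_name(encoded):
    """Reverse first-level encoding: 32 letters 'A'..'P' -> 16 raw bytes.
    Bytes 0..14 are the padded NetBIOS name, byte 15 is the suffix (type) byte."""
    if len(encoded) != 32 or any(c < 0x41 or c > 0x50 for c in encoded):
        raise ValueError("not a first-level-encoded NetBIOS name")
    raw = bytes(((hi - 0x41) << 4) | (lo - 0x41)
                for hi, lo in zip(encoded[0::2], encoded[1::2]))
    name = raw[:15].rstrip(b" \x00").decode("latin-1")
    return name, raw[15]


def parse_nbns_query(pkt):
    """Parse one NBNS query datagram (header + single question, no scope labels)."""
    if len(pkt) < 12:
        raise ValueError("truncated NBNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000:
        raise ValueError("packet is a response, not a query")
    if qdcount != 1:
        raise ValueError(f"expected one question, got {qdcount}")
    off = 12
    if len(pkt) < off + 1 + 32 + 1 + 4:
        raise ValueError("truncated question section")
    if pkt[off] != 32:
        raise ValueError("unexpected label length for a NetBIOS name")
    encoded = pkt[off + 1:off + 33]
    off += 33
    if pkt[off] != 0:
        # Assumption: a NetBIOS scope ID is not present; decoding one is out of scope here
        raise ValueError("scope labels not supported by this decoder")
    off += 1
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    name, suffix = decode_nb_name(encoded)
    return {
        "txid": txid,
        "opcode": (flags >> 11) & 0xF,       # 0 = query
        "broadcast": bool(flags & 0x0010),   # B flag: sent to the broadcast address
        "name": name,
        "suffix": suffix,
        "qtype": QTYPE_NAMES.get(qtype, hex(qtype)),
        "qclass": qclass,
    }


def classify(q):
    """One-line label for a triage note or detection rule."""
    if q["qtype"] == "NBSTAT" and q["name"] == "*":
        return "wildcard node-status request (name/share enumeration probe)"
    if q["qtype"] == "NBSTAT":
        return f"node-status request for {q['name']!r}"
    return f"name query for {q['name']!r} suffix 0x{q['suffix']:02x}"


# Constructed sample: the 50-byte node-status request for the wildcard name "*".
# '*' (0x2A) encodes as "CK"; each NUL pad byte encodes as "AA". txid is made up.
SAMPLE_PROBE = (
    struct.pack("!6H", 0x1234, 0x0000, 1, 0, 0, 0)
    + b"\x20" + b"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + b"\x00"
    + struct.pack("!HH", 0x0021, 0x0001)   # NBSTAT, class IN
)

if __name__ == "__main__":
    q = parse_nbns_query(SAMPLE_PROBE)
    print(q)
    print(classify(q))
```

A wildcard NBSTAT request is exactly what a host answers with its full name table, including the machine and workgroup names, which is why post 9 describes the traffic as enumeration; dropping it at the router, as the thread recommends, means the answer never leaves your network.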

To: opticoax
> Go to www.incidents.org...

Specifically: http://isc.incidents.org/analysis.html?id=170

Quoting:
"We now believe that these port 137 scans are due to the 'Bugbear' mass mailing virus and the 'Scrup' worm."
12 posted on 02/04/2003 1:09:21 PM PST by Boundless

To: Boundless
Might be a new outbreak?

http://www.mynetwatchman.com/tp.asp

13 posted on 02/04/2003 1:30:24 PM PST by TechJunkYard (via Cherie)

To: steplock
My response to the shields up probe:

It means that either your computer is turned off or disconnected from the Net (which seems unlikely since you must be using it right now!) or an effective stealth firewall is blocking all unauthorized external contact with your computer. This means that it is completely opaque to random scans and direct assault. Even if this machine had previously been scanned and logged by a would-be intruder, a methodical return to this IP address will lead any attacker to believe that your machine is turned off, disconnected, or no longer exists. You couldn't ask for anything better.

There's one additional benefit: scanners are actually hurt by probing this machine! You may have noticed how slowly the probing proceeded. This was caused by your firewall! It was required, since your firewall is discarding the connection-attempt messages sent to your ports. A non-firewalled PC responds immediately that a connection is either refused or accepted, telling a scanner that it's found a live one ... and allowing it to get on with its scanning. But your firewall is acting like a black hole for TCP/IP packets! This means that it's necessary for a scanner to sit around and wait for the maximum round-trip time possible — across the entire Net, into your machine, and back again — before it can safely conclude that there's no computer at the other end. That's very cool.

Thanks. BTW the firewall is a D-Link DFL-300 ($300) intended for a small business. We have a Win2K domain server running Exchange and SQL Server and Terminal Server. I've never installed a firewall before, so it took a couple of days to get everything working, but it passed this and other security checks, not to mention last weekend.

14 posted on 02/04/2003 1:48:03 PM PST by js1138

To: Bogey78O
Things were pretty quiet until I started looking at this thread. Now the log is full of drops.
15 posted on 02/04/2003 1:55:06 PM PST by js1138

To: TechJunkYard
> Might be a new outbreak?

So it would seem.
I drilled down to this fascinating comment...

"Starting in early October 2002, the W32.Opaserv worm was released. Since its release we have seen more than 1,500,000 unique source addresses emit udp/137 probes. Because of the sheer volume of infected hosts currently on the Internet, we estimate that every single IP address is attempted to be infected with Opaserv about once every *5 minutes*. This means that if you connect a vulnerable host to the Internet (even on a dialup connection with a dynamic IP address) you will likely be infected almost immediately.

If anyone is reading this on a Windows PC, doesn't have a HARDWARE firewall, hasn't run an AV scan with current defs in the last week, and doesn't know what we're talking about, your machine is probably already one of the 1.5 million compromised (infected) PCs.
16 posted on 02/04/2003 4:05:37 PM PST by Boundless

To: Boundless
If I use McAfee or Norton systems for security -- okay or should I use another one?
17 posted on 02/04/2003 5:19:13 PM PST by Faith65

To: Faith65
> If I use McAfee or Norton systems for security -- okay or should I use another one?

If your anti-virus definitions are up-to-date (and Symantec posts new LiveUpdate defs on Wednesdays), and if you've run a complete system scan in the last 10 days or so, and no problems have been found, then your security configuration is probably adequate. Update and run a scan tomorrow.

If you have been hit, even if you clean it up, you'll get hit again quickly. Engage a local geek to inspect your situation. There are too many variables to attempt it via email, much less via responses to this thread! Besides which, I know just enough about it to keep my own PCs safe.
18 posted on 02/04/2003 5:49:22 PM PST by Boundless

To: Boundless
Norton, etc. are good antivirus, but the firewall is a separate piece of software (available from most manufacturers).

I prefer Zone Alarm which provides, so far, 100% firewall protection:
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

But with a good (UPDATED) antivirus, a good firewall, AND a good scum-warez remover (Ad-Aware), you should have no worry.
http://lavasoft3.element5.com/
Their new free version isn't released yet, but their paid version is an excellent buy at $26.95 at
http://lavasoft3.element5.com/purchase/home/

Oh! I forgot...GOOD common sense!
19 posted on 02/04/2003 6:07:36 PM PST by steplock ( http://www.spadata.com)

To: steplock
> Norton, etc. are good antivirus, but the firewall is a separate piece of software (available from most manufacturers).

ZoneAlarm won't necessarily save you if you have the NetBIOS port open, which is often the case by default on Windows.

I have ZA Pro, and I have some logical drives open for sharing across the home network. Although ZA can block access from the world beyond, and still allow local access, it takes more knowledge than the average user has or wants to obtain.

So we also have a hardware firewall (dial-up router).

Don't treat Zone Alarm as if it were a hardware firewall, unless you're willing to learn quite a bit about basic TCP/IP addressing and routing.

And unless you have a valid reason for file sharing, turn it off on all your physical and logical drives.
In Windows Explorer, right-click on each drive, then:
>Tools>Sharing
(*) Not Shared

If you have even one drive open, the NetBIOS port will be accepting connection attempts. And since we don't have access to Microsoft source code, I wouldn't assume that the port monitor code is robust and would ignore buffer-overflow or other exploits.

> Oh! I forgot...GOOD common sense!

As the SQL worm just showed us, even IT professionals don't necessarily have common sense. Even if they had reason to ignore the patch, and then the SP, why was port 1434 open to the world?
20 posted on 02/04/2003 6:21:12 PM PST by Boundless
