Al1776

join:2004-04-28
Fair Oaks, CA

Network security advisory from AT&T - about NetBIOS?


My 88 year old mother in Palm Beach Florida (BellSouth area) with plain old DSL has gotten 2 of these notes in the past day. Can anyone tell me what this is all about? Maybe a phish, although there are no suspicious links. She does NOT have a router, just a plain old ATT supplied modem (which I think is a one-port router.) Should I do anything? Is this serious? (She only uses her iMac for email and web.) Thanks.

Al

=========
(I took out the IP address for security although probably not necessary.)

Dear (mother's name)

AT&T has received information indicating that one or more devices using your Internet connection may have NetBIOS services exposed to the Internet. This usually means that the firewall on your router, wireless router, or computer is disabled or misconfigured. The IP address 65.X.XXX.XX was observed responding to NetBIOS requests on port 137/udp on Jul 30, 2014 at 10:56 PM EDT. Our records indicate that this IP address was assigned to you at this time. More details appear below.

For security and privacy reasons, NetBIOS services should not be made available from the public Internet. They can be used to gain information about your computers, and can also be used by malicious actors to perform denial of service attacks. Please ensure that the firewall is enabled on your router or computer, and that inbound and outbound traffic on the affected ports are blocked (135/udp through 138/udp, 445/udp, and 139/tcp for Microsoft Windows; see details below for additional ports that may need to be blocked).



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA

Without the full headers, I can't take a stab at the authenticity of the e-mail. AT&T blocks port 139 inbound and outbound on dynamic residential accounts by default, per this FAQ:

»AT&T Northeast (SNET) DSL FAQ »What, if any, ports are blocked?

AT&T accounts are subject to phishing attacks:

»/phishtrack?pcat=52

As well as submitting to "Phishtracker", I submit my phish to Spamcop.net in, possibly vain, hope that the notifies will result in phishing site takedowns. This is the Spamcop.net parse of my "Yahoo! Security" phish; which includes a header analysis:

»www.spamcop.net/sc?id=z593550077···5784a37z
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum



NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
reply to Al1776

said by Al1776:


My 88 year old mother in Palm Beach Florida (BellSouth area) with plain old DSL has gotten 2 of these notes in the past day. Can anyone tell me what this is all about? Maybe a phish, although there are no suspicious links. She does NOT have a router, just a plain old ATT supplied modem (which I think is a one-port router.) Should I do anything? Is this serious. (She only uses her iMac for email and web.) Thanks.

You answered your own question, her AT&T supplied "modem" is probably a DSL router. To my knowledge, AT&T has not supplied anything but DSL routers to their customers for over a decade, and the default configuration will block all unsolicited inbound traffic. The fact that she is using a Mac also says that having a NetBIOS port open to the Internet is very unlikely. If there is any doubt, have her go to the GRC ShieldsUP! site and select the "File Sharing", "Common Ports", and "All Service Ports" tests.




My bet is that everything will show up as stealth (except possibly the "ping" test, which is nothing to worry about). But you can post back here with the results if there is anything that concerns you.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA

said by NetFixer:

To my knowledge, AT&T has not supplied anything but DSL routers to their customers for over a decade, and the default configuration will block all unsolicited inbound traffic.

I received a SpeedStream 4100 in 2005. Two relatives also, shortly thereafter. A friend received one of the early Motorola 2210s when she signed up for AT&T DSL service. Possibly as late as 2009. The SpeedStreams, since the 5100b, and the Motorolas were, essentially, one-port routers with a DHCP scope of one device; handing out 192.168.1.64 to the first device connected. This single IP address was effectively in the DMZ. When setting up the relatives, I manually assigned a different private IP address than the default 192.168.1.64 to take advantage of the NAT property of not forwarding unsolicited traffic from the public Internet. My friend bought a router, so I didn't get so fancy with her rig.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro

said by NormanS:

said by NetFixer:

To my knowledge, AT&T has not supplied anything but DSL routers to their customers for over a decade, and the default configuration will block all unsolicited inbound traffic.

I received a SpeedStream 4100 in 2005. Two relatives also, shortly thereafter. A friend received one of the early Motorola 2210s when she signed up for AT&T DSL service. Possibly as late as 2009. The SpeedStreams, since the 5100b, and the Motorolas were, essentially, one-port routers with a DHCP scope of one device; handing out 192.168.1.64 to the first device connected. This single IP address was effectively in the DMZ. When setting up the relatives, I manually assigned a different private IP address than the default 192.168.1.64 to take advantage of the NAT property of not forwarding unsolicited traffic from the public Internet. My friend bought a router, so I didn't get so fancy with her rig.

Interesting. I never noticed any of the BellSouth/AT&T supplied single port DSL routers having a device set up in a DMZ by default; not even the brain dead SBC inspired devices that only allowed one DHCP assigned device to be attached. But that would most likely be firmware version dependent, and I probably just never ran across those devices that set up a default DMZ. And most of my clients who were also AT&T customers were business class AT&T customers, and they usually were given more advanced Motorola 224x or 334x series routers, so I was not exposed very much to the residential account customers.

In any event, if the OP's mother goes to GRC, that should definitively tell if she actually has NetBIOS ports exposed to the Internet.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.


JamesPaul108

@107.15.146.x
reply to NetFixer

Thanks much! I got a nearly identical email from netsec@att.net as the one that someone above posted about, and was concerned that my Mac might be insecure. I ran the three tests that you recommended, and was informed that the Ping echo test failed - my Mac apparently responded to the Pings. I checked my firewall settings, and my firewall is on and Stealth mode is enabled, so I'm not sure why my Mac responded to Pings. In any case, you said that was not a problem. Wonder if you could comment on why responding to pings is not worrisome?

Again, I appreciate knowing about the GRC ShieldsUP! site.



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA

The theory is that not responding to "ping" tells the hacker that there is nothing interesting at that IP address.

In practice, hackers don't care. I would help a friend, from time to time. I set his equipment up, per his request, to not respond to "ping". By contrast, in order to participate in a DSLR group monitor, my own equipment responds to "ping".

In comparing the two system logs, the only difference was that I got more attempts on port 25 than he did. Otherwise the logs looked very similar.

Nothing about responding to "ping" makes port 25 "interesting"; but having a published MX record will guarantee attempts to connect via port 25.

Here is my group monitor:

»/testhistor···41472000
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum



NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro

1 edit
reply to JamesPaul108

said by JamesPaul108 :

Thanks much! I got a nearly identical email from netsec@att.net as the one that someone above posted about, and was concerned that my Mac might be insecure. I ran the three tests that you recommended, and was informed that the Ping echo test failed - my Mac apparently responded to the Pings. I checked my firewall settings, and my firewall is on and Stealth mode is enabled, so I'm not sure why my Mac responded to Pings. In any case, you said that was not a problem. Wonder if you could comment on why responding to pings is not worrisome?

Again, I appreciate knowing about the GRC ShieldsUP! site.

If your Mac was behind a router, then it was your router that was responding to the ping test, not your Mac. If it was your Mac, then you had a firewall setting that was allowing it to respond to inbound ICMP echo packets. Some firewalls and routers block incoming ICMP traffic by default, and others allow selected ICMP packets by default.

The reason I don't worry about responding to pings is illustrated below:

C:\>ping www.dslreports.com
 
Pinging www.dslreports.com [64.91.255.98] with 32 bytes of data:
 
Reply from 64.91.255.98: bytes=32 time=35ms TTL=54
Reply from 64.91.255.98: bytes=32 time=35ms TTL=54
Reply from 64.91.255.98: bytes=32 time=36ms TTL=54
Reply from 64.91.255.98: bytes=32 time=35ms TTL=54
 
Ping statistics for 64.91.255.98:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 35ms, Maximum = 36ms, Average = 35ms
 
C:\>ping www.grc.com
 
Pinging www.grc.com [4.79.142.202] with 32 bytes of data:
 
Reply from 4.79.142.202: bytes=32 time=70ms TTL=243
Reply from 4.79.142.202: bytes=32 time=70ms TTL=243
Reply from 4.79.142.202: bytes=32 time=70ms TTL=243
Reply from 4.79.142.202: bytes=32 time=70ms TTL=243
 
Ping statistics for 4.79.142.202:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 70ms, Maximum = 70ms, Average = 70ms
 

The operator of this site is not worried about pings, and apparently neither is Steve Gibson, the operator of the GRC ShieldsUP! site (despite his warnings to the users of the ShieldsUp! tests). A ping asks "Anybody Home?", and the reply can be "Yes", or "Silence". Back when dial-up Internet access was king, hackers would usually ping an IP address before starting a port scan simply because of the slowness of the dial-up connection, so not replying to a ping provided a small amount of "security by obscurity". These days with high speed broadband being common, most port scanners don't even bother with the initial ping test; they just go ahead and scan for the ports that interest them.

--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.


JamesPaul108

@107.15.146.x

I understand. Thanks for taking the time to explain

I see. Yes, I am behind a router, so it had to be the router that responded to the ping (given my firewall setting).

And thanks for the explanation about hackers scanning ports without getting an echo back. I see, I'm not any less safe just because my equipment responded to a ping. I appreciate the explanation.



JamesPaul108

@107.15.146.x
reply to NormanS

Re: Network security advisory from AT&T - about NetBIOS?

I understand now. Thanks for the reply.



mixdup

join:2003-06-28
Birmingham, AL
reply to JamesPaul108

said by JamesPaul108 :

Thanks much! I got a nearly identical email from netsec@att.net as the one that someone above posted about, and was concerned that my Mac might be insecure. I ran the three tests that you recommended, and was informed that the Ping echo test failed - my Mac apparently responded to the Pings. I checked my firewall settings, and my firewall is on and Stealth mode is enabled, so I'm not sure why my Mac responded to Pings. In any case, you said that was not a problem. Wonder if you could comment on why responding to pings is not worrisome?

Again, I appreciate knowing about the GRC ShieldsUP! site.

Did the notice about your Mac mention NetBIOS? Because by default a Mac would not be responding to NetBIOS queries; you'd have to explicitly do some things to make that happen.


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
reply to JamesPaul108

Re: I understand. Thanks for taking the time to explain

said by JamesPaul108 :

I see. Yes, I am behind a router, so it had to be the router that responded to the ping (given my firewall setting).

Now that you have confirmed that you use a router, there is another tidbit of information that you may find interesting; it was also most likely that it was entirely the router's firewall that you were testing at the GRC site, not your Mac's firewall. In other words, you could (temporarily) disable the Mac's firewall and run the tests again, and most likely still get the same results from the GRC tests.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.


KA0OUV
Premium
join:2010-02-17
Jefferson City, MO

1 recommendation

reply to Al1776

Re: Network security advisory from AT&T - about NetBIOS?

My sister's AT&T provided modem is not a true router, but just operating in bridged mode. I ended up getting her and an aunt (both on AT&T in former SBC territory) inexpensive Netgear routers JUST to have a true firewall between them and the internet. Even if the Mac is not actually responding to true NetBIOS, there may be other things in play. The folks over at »/ have some other possibilities:

»OS X UDP Port 137, 138, 139 Kill



johnanon

@144.160.226.x

Wondering if anyone has run (from command line) " netstat -b " to see if there are any suspicious connections in there?
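The port list in the AT&T notice quoted in the first post and johnanon's netstat question come down to the same local check: is anything on the machine bound to the NetBIOS/SMB ports? The script below is an added example, not code from this thread, from AT&T or from GRC. It reads the listing that "netstat -an" prints on macOS (tcp4 ... *.137) and on Linux (tcp ... 0.0.0.0:137), flags the ports the notice names (135-138/udp, 445/udp, 139/tcp) plus 445/tcp, which is my own addition because SMB also listens there, and can be pointed at the live machine. The sample listing is constructed, and the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from AT&T): audit a netstat listing
# for NetBIOS/SMB listeners.  Handles the "netstat -an" layouts of macOS
# (tcp4 ... *.137) and Linux (tcp ... 0.0.0.0:137).

# Ports named in the AT&T notice: 135-138/udp, 445/udp, 139/tcp.
# 445/tcp is an addition of mine, since SMB also listens there.
flagged_port() {
    case "$1" in
        udp/135|udp/136|udp/137|udp/138|udp/445|tcp/139|tcp/445) return 0 ;;
        *) return 1 ;;
    esac
}

# netbios_exposed: read netstat-style lines on stdin, print each flagged
# listener as "proto/port", and return 0 when nothing is flagged, 1 otherwise.
netbios_exposed() {
    hits=0
    while read -r proto _recvq _sendq laddr _faddr state _rest; do
        case "$proto" in
            tcp*|udp*) ;;
            *) continue ;;        # header line, "unix" sockets, blank lines
        esac
        # Only a listening TCP socket is reachable from outside; UDP sockets
        # carry no state, so every bound UDP port counts.
        case "$proto" in
            tcp*) [ "$state" = "LISTEN" ] || continue ;;
        esac
        port=${laddr##*[.:]}      # text after the last '.' or ':'
        base=${proto%%[46]*}      # tcp4, udp46 -> tcp, udp
        if flagged_port "$base/$port"; then
            printf '%s/%s\n' "$base" "$port"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Constructed sample in the macOS layout: CUPS on loopback, one outbound web
# connection, mDNS, and a NetBIOS/SMB set-up that the AT&T notice would flag.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  192.168.1.64.49152     64.91.255.98.80        ESTABLISHED
udp4       0      0  *.137                  *.*
udp4       0      0  *.138                  *.*
udp4       0      0  *.5353                 *.*
tcp4       0      0  *.139                  *.*                    LISTEN'

# check_this_host: run the audit on the live machine when netstat exists.
check_this_host() {
    if ! command -v netstat >/dev/null 2>&1; then
        echo "netstat not found; try 'ss -lntu' on Linux or 'lsof -nP -i' on macOS" >&2
        return 0
    fi
    netstat -an 2>/dev/null | netbios_exposed
}

if [ "${1:-}" = "--live" ]; then
    check_this_host && echo "no NetBIOS/SMB listeners" || echo "NetBIOS/SMB listener(s) found (see above)"
else
    echo "Flagged listeners in the constructed sample:"
    printf '%s\n' "$SAMPLE_NETSTAT" | netbios_exposed || echo "=> these would trigger the AT&T notice if the router passed them through"
fi
```

Save it under any name (netbios_check.sh is assumed here) and run "sh netbios_check.sh" to see the sample, or "sh netbios_check.sh --live" to audit the machine you are on. On a Mac, "lsof -nP -i UDP:137" is a quicker single-port check. A port bound to "*" or "0.0.0.0" is only reachable from the Internet if the router in front of it passes the traffic through, which is why the GRC ShieldsUP! tests recommended earlier in the thread, which look from the outside, remain the final word.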