
| Port 137 probes-anyone else?
Hi,
I hope this doesn't seem frivolous, but I have noticed an inordinate number of probes (attacks?) on UDP Port 137, NetBIOS, in my ZAF logs today. Since 7:00 this AM (9-28-02) I have recorded over 80, and they are still coming. Is anyone else experiencing this kind of activity? My ports are all 'stealthed' incl. 139 and 137, but I am curious about all this activity. Anyone? TIA
Jack
edited port number in title at poster's request [text was edited by moderator] |
|
 Occasu$ join:2001-07-20 North Vancouver, BC
| Re: Port 37 probes-anyone else? Yes, I am also, 56 since yesterday. Could be related to this »www.mynetwatchman.com/kb/securit···/137.htm [text was edited by author 2002-09-28 17:11:26] |
|
 FiOS DanPremium join:2001-07-06 Redondo Beach, CA | reply to JackCam614 Wish I could offer you some comfort, Jack, but I just checked Log Viewer and there are no attempts to Port 137 today at all. A handful to 139 and 80, and then others scattered about, but none to 137. -- "...one nation under God, indivisible, with liberty and justice for all." |
|
 stan999Premium,VIP join:2001-11-19 Fort Worth, TX | reply to JackCam614 said by JackCam614: Hi, Port 137, net bios, in my ZAF logs today. Since 7:00 this AM (9-28-02)I have recorded over 80, and they are still coming . Jack
Does seem kinda high? »isc.incidents.org/port_details.h···&srcax=2
Stan Gunn -- Charter Pipeline Solutions Website, Texas Charter Pipeline Texas Support Board |
|
 planet join:2001-11-05 Oz kudos:1 | reply to JackCam614 Good evening Jack, I too have been getting 137's the past 24 hrs. Got about 80 of em. Been getting hit hard this evening also. |
|
 djaThe 'd' is silent ... unlike the member.Premium join:2002-03-25 Niagara | reply to JackCam614
Re: Port 37 probes-anyone else? I came here with the same concern and saw this thread.
338 NetBIOS Name requests in 18 hours. One every three minutes. No repeat IPs.
Mr. Baldwin's explanations do not seem to apply to this event.
Now I'm curious. |
|
 dahjingDodging Goblins join:2002-06-17 West Memphis, AR | reply to JackCam614 Chalk me up for 156 (!!!) UDP Port 137 scans in 24 hours.... There must be an easier way, but I actually hand counted them in my firewall log. What's UP WITH THIS?! And BTW - Only 2 repeated IP addresses..... Every single one was a different IP address.... This is weird. -- 'Just because you're paranoid, don't mean they're not after you!!....' |
|
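Added example, not part of the thread: the tallies posters are producing by hand (total probes to UDP 137, unique versus repeat source IPs, source ports, average interval) can be computed from a firewall log with a short script. The comma-separated log layout and the sample lines below are constructed for illustration and are not ZoneAlarm's actual log format.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log (assumed layout: time,src_ip:port,dst_ip:port,proto).
SAMPLE_LOG = """\
2002-09-28 07:00:12,192.0.2.10:1025,203.0.113.5:137,UDP
2002-09-28 07:03:40,198.51.100.7:1025,203.0.113.5:137,UDP
2002-09-28 07:05:02,192.0.2.77:3345,203.0.113.5:80,TCP
2002-09-28 07:06:55,198.51.100.23:1026,203.0.113.5:137,UDP
2002-09-28 07:09:31,192.0.2.10:1025,203.0.113.5:137,UDP
2002-09-28 07:10:00,garbled line
2002-09-28 07:12:12,198.51.100.99:1027,203.0.113.5:137,UDP
"""

def summarize_probes(log_text, port=137, proto="UDP"):
    """Summarize inbound probes to one port: totals, repeat sources, rate."""
    times, sources, src_ports = [], Counter(), Counter()
    for line in log_text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 4:
            continue  # skip malformed or truncated lines
        stamp, src, dst, line_proto = fields
        try:
            src_ip, src_port = src.rsplit(":", 1)
            src_port = int(src_port)
            dst_port = int(dst.rsplit(":", 1)[1])
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        except (ValueError, IndexError):
            continue  # unparsable address or timestamp
        if dst_port != port or line_proto.upper() != proto:
            continue
        times.append(when)
        sources[src_ip] += 1
        src_ports[src_port] += 1
    times.sort()
    gaps = len(times) - 1
    span = (times[-1] - times[0]).total_seconds() if gaps > 0 else 0.0
    return {
        "total": len(times),
        "unique_sources": len(sources),
        "repeat_sources": {ip: n for ip, n in sources.items() if n > 1},
        "source_ports": dict(src_ports),
        "avg_interval_s": span / gaps if gaps > 0 else None,
    }

if __name__ == "__main__":
    for key, value in summarize_probes(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Many unique sources with few repeats, all hitting one port at a steady interval, is the pattern several posters describe; a single repeating source on the local ISP range is the case worth reporting to the provider.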
 AlwillLost time is never found again.Premium,MVM join:2002-09-25 Sydney, OZ | reply to JackCam614 I too have been experiencing a barrage over the last 24 hours, some 280 all aimed at Port 137.
At least I now know I'm not alone. |
|
 | reply to JackCam614 Hi all, many port scans from that on my system; first their origins moved with the sun over the time zones from Korea all around the globe till back there, and now they really come from everywhere.
But I found something weird: wanting to know what it might be (remembering CodeRed a year ago), I opened in TDS > Network > TCP Port Listen. Believe it or not, but on my system this immediately stops the knocking! Only a few port 80 scans. Tried it several times, closing and opening the port listen again on port 137, and each time a few minutes after closing, the knocks started again. So people with TDS might like to use this tip; other programs with the Port Listen function might give the same peace, or grab your eval copy at the DCS site if you don't have it yet: www.diamondcs.com.au.
I've been puzzling over why this works, and my only conclusion can be that UDP ports have most of the time a TCP twin (look in netstat), but I would have loved to see the packets for some analysis. I'm thinking of something coordinated like Kazaa: didn't they promise us a big p2p event to overtake the whole internet with that and use all our free CPU space for them? Blocking the 135-139 ports in our firewall does not stop the knocking, but the "Port Listen" trick seems to do so. Pity ShieldsUp does not test for 137 TCP/UDP; they should now!
Might be something completely different than Kazaa, I just don't know. It's also not just home users, it's companies, networks, internet cafes, unis, but mainly home users it seems. Let's keep each other informed! There might also be a connection with the hackers conference, enjoying themselves with a new toy, but if so, there would have been already something known around the internet. Puzzling a lot! Looking forward to your finds.
BTW: we have a thread at wilderssecurity forum too, »www.wilderssecurity.com/index.ph···did=3891 jumping to this one here. |
|
 mra @tx.charter.co | It's a relief to know it's not just me! FWIW, I am getting a fairly large volume of udp port 137 scans from various places, mostly originating from udp port 1025, but a few 1026s and at least one or two from 1027. I have two IPs on my cable service sending me repeats every 15-45 minutes (can't find a pattern). I've notified someone with our service provider *waves to Stan* about the first one, but he has a friend now. The friend isn't quite as active, though.
I'm terribly ignorant of these things, but learning every day. Can anyone tell me if my free version of zone alarm would notify me if my machine started sending out scans from udp 1025? I have it set for high security. |
|

| Re: Port 137 probes-anyone else?
Hi All,
As of yesterday afternoon, I thought Occasu and I had been singled out as targets for Port 137 probes. Now I'm wondering how DSL Dan (3rd poster) is flying under the radar? Well, after all the informative posts and links here today, it would certainly appear that I am not alone. "And the beat goes on"... another 36 so far this afternoon. Approx. one every 2 minutes. Curious situation indeed! Thanks to all for the feedback and input.
Jack
PS: to MRA. I'm not positive, but I believe ZAF blocks all outgoing traffic regardless of port. (Unless permission granted, of course.) Anyone confirm this? [text was edited by author 2002-09-29 16:49:14] |
|
 AlwillLost time is never found again.Premium,MVM join:2002-09-25 Sydney, OZ | reply to JackCam614 Still coming fast and furious. In the 9 hours since my last post I've received a further 127 probes of Port 137, so whatever is causing this abnormal activity has not gone away. |
|
 djaThe 'd' is silent ... unlike the member.Premium join:2002-03-25 Niagara | reply to JackCam614 For me it's actually increased.
The rate is now (1) request every 105 seconds.
As before all IPs are unique. |
|
 | reply to JackCam614 I've seen only a single probe in the last 24 hours, and that on my port 139.  -- Mors Principium Est. |
|
 MikeCPremium join:2001-09-24 Des Plaines, IL | reply to JackCam614 I get about 15-20 a day. -- MikeC |
|

| reply to JackCam614 This is really interesting. I haven't had ANY myself (seems to be all or nothing for folks in here). But the ICS is reporting a huge spike in hits for port 137. This was posted earlier, but look at it now:
»isc.incidents.org/
and the graph:
»isc.incidents.org/port_details.html?port=137
P.S. It's also being reported in some other newsgroups like Wilders & GRC
-- It takes a disaster to make a woman out of a female [text was edited by author 2002-09-29 20:19:13] |
|
 | reply to dja said by dja: For me it's actually increased.
The rate is now (1) request every 105 seconds.
As before all IPs are unique.
My rate is now approx. the same as yours, dja, and, with one noted exception, all unique IPs. The exception is a machine from my ISP (Optonline) Cable, and my Zone Log Analyzer shows 21 probes from that machine starting @5:15PM EST 2-27-02 till the present. In fact, perhaps coincidentally, that was the very first probe of port 137 when this whole thing started. It's odd that a couple of posters seem to be immune to this problem? Cable vs. DSL? Static vs. Dynamic? New worm infecting unprotected machines? Grabbing at straws here! Fairly clueless, and certainly no 'Security Expert'. It doesn't seem to be generating the concern I would have expected? (Though I am by no means suggesting I am panicking ;) )
Jack |
|
 Occasu$ join:2001-07-20 North Vancouver, BC
| said by JackCam614:
It's odd that a couple of posters seem to be immune to this problem? Cable vs. DSL? Static vs. Dynamic? New worm infecting unprotected machines?
I remember when the MS-SQL worm first started out (port 1433), the same thing happened. Some were seeing tons of probes and others nothing or slim.
quote: It doesn't seem to be generating the concern I would have expected? (Though I am by no means suggesting I am panicking )
No reason to be really concerned. Assuming this is a new worm, or variant of an old one, it won't do much if running a firewall. And even if you aren't, as long as you don't leave your netbios wide open you won't be infected.... of course this is all conjecture :) [text was edited by author 2002-09-29 21:00:00] |
|
 | reply to JackCam614 Ok - to clarify. I am not getting a lot of the 137 probes. I am seeing a lot of port 443 and a number of sub7 Trojan port scans. Definitely not what my log usually looks like, just not 137's. -- It takes a disaster to make a woman out of a female |
|