Name Game (Premium, joined 2002-07-07, North Myrtle Beach, SC):
Curiosities of port 137 - For Newbies
VSantivirus no. 212 - Year 5 - Monday 5 February 2001
Curiosities of port 137
Perhaps more than once we have noticed that a mysterious port 137 tries to connect from or to our computer, even with a firewall installed, which gives the corresponding warning.
Each computer connected to a network or to the Internet is identified by an IP (Internet Protocol) address. This IP address is a number: four numbers separated by periods (192.168.52.1, for example).
To make life easier for us (otherwise the number of IP addresses we would have to remember whenever we wanted to connect to a site, that is, to a machine on the Internet, would exceed the most crowded of telephone directories), domain names and host names were created.
Instead of remembering a number like 67.58.117.200, it is easier to remember a domain like www.dominio.com. Translating these domain names into IP addresses is the job of a service called DNS (Domain Name Server) (see: VSantivirus no. 211 - Year 5 - Sunday 4 February 2001, "On BIND vulnerabilities").
This service generally uses port 53 to communicate. However, Windows maintains its own system for translating an IP address into a "Windows name".
These names are generally used to identify other computers that share files over a network. Curiously, Windows also tries to obtain the "Windows name" of any other computer that tries to connect to it. The result is that Windows has the habit of knocking on port 137.
Therefore some firewalls may raise constant alarms, or leave references to the use of port 137 in their log files. Most of this is produced by this curiosity of Windows.
This does not represent evidence of any attack. However, if accesses to port 139 also occur in addition to port 137, then we should worry, because it could be evidence that somebody is trying to connect to our computer to access the files in our shared resources.
Reply to Name Game (Larry):
> Most of this is produced by this curiosity of Windows.
This is a ludicrous generalization.
This author tries to make it seem normal for Windows systems to send NetBIOS name lookups all over the Internet... that is definitely NOT the case.
The only *servers* that do this are ones which have NetBIOS bound to their *public* Internet interface... which in most cases is a configuration oversight... or if it MUST be bound, then such outbound probes should be blocked by the user's firewall.
The current propagation of serious worms (e.g. Acebot, Pubstro activities, FunLove, etc.) should be strong enough evidence NOT to write off udp/137 scans as "normal".

Name Game (Premium, joined 2002-07-07, North Myrtle Beach, SC):
No Larry, he is just stating how it all happens if you do NOT take care of the "problem" and leave it up to Windows.
And he is not blowing off the current probes you are seeing..he is outlining the background of why anyone would even go after a windows box in the first place.
Now..he wrote that piece back in Feb 2001.
What we are facing today is.....
VSantivirus no. 814 - Year 6 - Monday 30 September 2002
The ISC warns of an increase in scans on port 137 »www.vsantivirus.com/30-09-02.htm
By Jose Luis Lopez videosoft@videosoft.net.uy
In recent days, the Internet Storm Center (ISC), the SANS Institute's alert center, which permanently monitors all activity across the Internet, has noticed an unusual increase in scans on port 137 (UDP).
UDP (Universal Data Packet) is a datagram transport protocol, that is, a protocol for the small packets that make up the information transferred to and from our computer over the Internet. That these packets show up on port 137 is, in principle, nothing unusual.
Windows uses this port for its "File and Printer Sharing for Microsoft Networks" service through NetBEUI (Microsoft's own implementation of NetBIOS), when translating an IP address into a "Windows name".
Each computer connected to a network or to the Internet is identified by an IP (Internet Protocol) address. This IP address is a number: four numbers separated by periods, for example 192.168.52.1.
Simply to make it easier for us to remember a machine's address, it can also have a name (domain names and host names). To associate an IP address with a name, so that when we type for example 'vsantivirus.com' our computer connects to our site's server (which has its own IP address), there is a service called DNS (Domain Name Server). This service generally uses port 53 to communicate.
These names are generally used to identify other computers that share files over a network. Curiously, Windows also tries to obtain the "Windows name" of any other computer that tries to connect to it, even from the Internet. The result is that Windows has the habit of knocking on port 137, trying to resolve an IP address or a domain name when the request to the DNS server fails or exceeds a certain time.
However, in addition to this activity, which can be considered normal, an increase in scans on port 137 can also indicate a first step by an attacker toward accessing our computer's shared resources. This is almost always the case if those scans are followed by others on port 139, which is used to access those resources.
There are also well-known worms and BOTs that try to access a computer that keeps this front door open. A BOT is a copy of a user in an IRC channel, almost always generated maliciously by a program, and prepared to respond to the commands that an attacker sends to it remotely.
Even taking advantage of users' machines that have broadband connections 24 hours a day, many Warez pages exist (those that distribute illegal software) that store programs on the machines of users who are unaware of it, evading the laws of their countries that way and involving innocent people. All of this evidently increases the activity on ports 137 and 139.
Software like the BOTs scans networks and subnetworks sequentially, and when these networks are large, the use of port 137 can reach notably high proportions in the monitoring statistics of sites like the ISC.
At the moment, this increase in activity seems to point to this explanation, as the ISC itself states in its latest report. It adds that, in spite of this, none of the decoys that are constantly monitored has been harmed by any other access attempt that seems to be related.
In any case, the Internet Storm Center remains alert for any other activity that could mean, for example, the appearance of some new worm.
The ISC also asks that anyone who might have indications of any other activity out of the ordinary related to this port send them a report at the address isc@incidents.org (in English).
At the home level, installing a firewall such as ZoneAlarm is sufficient to block all malicious attempts on the ports mentioned.
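The newsletter's rule of thumb is that an isolated udp/137 query is background noise, while a source that hits udp/137 and then comes back on port 139 is probably after your shares. The following is an added example, not code from VSantivirus, the ISC, or anyone in this thread, that applies that rule to a few constructed firewall log lines. The log format is a made-up simplified one (real ZoneAlarm or Tiny logs need their own parser), the addresses are documentation ranges, and tcp/445 is included alongside 139 because dave notes below that SMB has run directly over 445 since Windows 2000.

```python
"""Added example: classify udp/137 sources by whether they follow up on a session port.

Not from the newsletter or the thread. Log format, addresses and timestamps
are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified firewall log. Windows' own NetBIOS name lookups
# normally come FROM source port 137; the scanners skatetech reports later in
# this thread arrived from source ports 1025-1027.
SAMPLE_LOG = """
2002-09-30 13:01:02 DROP UDP 203.0.113.7:1026 -> 192.0.2.10:137
2002-09-30 13:01:05 DROP TCP 203.0.113.7:1027 -> 192.0.2.10:139
2002-09-30 13:04:40 DROP UDP 198.51.100.22:137 -> 192.0.2.10:137
2002-09-30 13:10:11 DROP UDP 192.0.2.33:1025 -> 192.0.2.10:137
2002-09-30 13:20:15 DROP UDP 192.0.2.33:1025 -> 192.0.2.10:137
2002-09-30 13:30:09 DROP UDP 192.0.2.33:1025 -> 192.0.2.10:137
2002-09-30 13:35:00 DROP TCP 203.0.113.99:3456 -> 192.0.2.10:80
this line is not a firewall record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>DROP|ACCEPT) "
    r"(?P<proto>UDP|TCP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

NAME_SERVICE = ("UDP", 137)                    # NetBIOS name service
SESSION_PORTS = {("TCP", 139), ("TCP", 445)}   # NetBIOS session / direct-hosted SMB


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
        "action": d["action"],
        "proto": d["proto"],
        "src": d["src"],
        "sport": int(d["sport"]),
        "dst": d["dst"],
        "dport": int(d["dport"]),
    }


def classify_sources(lines, window=timedelta(minutes=10)):
    """Return {source_ip: verdict} using the 137-then-139 heuristic.

    A name probe followed within `window` by a session-port attempt from the
    same source is flagged; repeated name probes alone are noted; a single
    name probe is treated as the benign Windows lookup the newsletter describes.
    """
    by_src = defaultdict(list)
    for ev in (parse_line(l) for l in lines):
        if ev:
            by_src[ev["src"]].append(ev)

    verdicts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        name_probes = [e for e in evs if (e["proto"], e["dport"]) == NAME_SERVICE]
        sessions = [e for e in evs if (e["proto"], e["dport"]) in SESSION_PORTS]
        followed_up = any(
            timedelta(0) <= s["ts"] - n["ts"] <= window
            for n in name_probes for s in sessions
        )
        if followed_up:
            verdicts[src] = "share-access attempt"
        elif len(name_probes) >= 2:
            verdicts[src] = "repeated name probes"
        elif name_probes:
            verdicts[src] = "single name lookup (likely benign)"
        else:
            verdicts[src] = "other"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG.strip().splitlines()).items():
        print(f"{src:16} {verdict}")
```

The window is the only tunable: the 10 minutes used here mirrors the repeat interval skatetech mentions later in the thread, and a real deployment would key on destination as well as source so that a scanner sweeping a whole subnet is counted once per target.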
skatetech (Aka Dillhole, Premium, joined 2002-07-31, Louisville, KY):
Thank you two for the information.

Lawrence Baldwin (myNetWatchman):
I'm sorry, I still don't get it... yeah, there's a lot of WORDS in his comments... was this thing translated from some other language or something? Because it says nothing to me... and there's definitely something lost in the translation.
-- Lawrence Baldwin, myNetWatchman, The Internet Neighborhood Watch

psloss (Premium, joined 2002-02-24, Alpharetta, GA):
Re: Curiosities of port 137 - For Newbies
said by VSantivirus via Name Game: Windows uses this port for its "File and Printer Sharing for Microsoft Networks" service through NetBEUI (Microsoft's own implementation of NetBIOS), when translating an IP address into a "Windows name".
Actually, I think this is getting lost twice: first from the Microsoft English documentation to this service and then back. There's a lot of "synergy" between NetBEUI and NetBIOS, but I don't think the paragraph above does any of it justice. With respect to udp/137 and NBName requests, NetBEUI isn't really involved. (It's more of a transport for NetBIOS; for example, I am running a Win2K Pro system that does video capture where I'm running NetBIOS over NetBEUI -- NBF -- without TCP/IP installed.)
Both of these newsletters may fairly characterize the risks of udp/137 probes, but the explanation(s) of what those probes are normally used for is poor enough that it casts doubt on the source. Makes it hard to know what parts are correct and what parts are not...
Just my opinion,
Philip Sloss

Name Game (Premium, joined 2002-07-07, North Myrtle Beach, SC):
Well guys.. here is the thread... waiting for both of you guys to write it correctly yourselves.. as you each see it and how it really works. Not only for the OS you are running.. but all of them...
The floor is yours.

gwion (wild colonial boy, Premium, ExMod 2001-08, joined 2000-12-28, Pittsburgh, PA):
NetBIOS traffic shouldn't be allowed to pass a firewall, indeed. In the minimal analysis, it fingerprints the OS in no-brainer fashion. It's used by some trojans and virii to masquerade as anomalous internet propagation, and be trivialized and written off.
To be sure, there DOES exist a lot of "anomalous propagation" on port 137. That doesn't make it "acceptable." Just because it's fallout from one of MS' idiotic mumbo-jumbo mysticization of simplicity metaphors doesn't mean we should just roll over and say it's a fact of life, live with it... not in the least. The responsible thing to do with a simple packet filter is exactly what ideas like Tiny Trojan Trap do on the application layer, and firmly resolve that "if MS won't offer us a plug for this hole, we'll take a cork and plug it ourselves." Period. Widespread insecurity commingled with trash traffic is no way to build an internet wired world, any more than a wide open secret behind-the-back app layer interoperability model is.
It's entirely appropriate and proper to block ports 135 through 139 from any access whatsoever to the internet; it's also trivial, with modern PC firewall packet filtering. For those who don't need windows file and printer sharing on LAN, it's entirely appropriate and proper to unbind the services entirely, or plain out uninstall and disable them (as I have done, here... Pure TCP-IP, and I love it...) This traffic shouldn't be being transacted. It's superfluous, at very best, and camouflage for chicanery at worst.
Now, yes. Port 137 hits are, usually, like us earthlings; "mostly harmless." But that doesn't make them cute and cuddly and entirely acceptable. They're a byproduct of MS' proprietary networking illiteracy, and their bone-headed "open networking" childishly naive model of networking utopia.
For my own part, I don't even have MS networking installed, here. The only service showing in my networking tab is "TCP-IP printing". I share files using Xitami on each of my LAN machines. Is there anything I miss about MS networking? Hehe... yeah. The constant chatter. I have a clean pipe, right now... I can flip on a packet cap and come back to a clean screen if I haven't made a connection, now. No five hundred some odd entries from "hi, I'm machineX, pleased to meet you, yeah, I'm boxY and I'm still online, how about you?" No browser elections. Lower overhead. hell, closest thing I can find to MS networking is a pack of neighborhood dogs smelling each others' ... ...I'm digressing, again, aren't I?
Sorry for the rant, but the fact is, I'm entirely tired of this MS networking nonsense. The average home user has no more use for WINS and NB over TCP-IP than they have for a liquid nitrogen cooling system for their CPU. Other than sharing a printer, most people use it for nothing at all. There are FAR better ways of sharing files. How many people who have file sharing enabled, I wonder, have proper file level permissions set? Or even have NTFS installed? We talk about P2P sharing entire drives, but do we all understand that one of the defaults of MS networking is the root share? It's a complete joke, something that's cloaked enough in mystery from the "quick'n'easy" instructions to be a pitfall to an innocent novice user, and with potential for opening a vulnerability of the first order. Moreover, it adds complexity to something that isn't complex. File and printer sharing has gone on for ages without this nonsense using plain vanilla TCP-IP.
Yes. There are uses for the MS networking services; and those who need, or prefer, them should have that option. But wide open broadcast shouldn't be the byproduct. And those who choose to use these services (yep, I admit, my network neighborhood is a dead icon on the desktop; I access my other machines with my browser or ftp client... some people like network neighborhood... hey, to each their own...) need to be educated in properly "disciplining" them to stay in "their own yards"; PC firewalls aren't just to keep intruders out, they're used in something called traffic shaping. That means determining what traffic can come and go from and to where. My strongest suggestion is, if you use NB, that model should be "allow 135, 137, 138, 139 from and to local area network only, and rely on alternate forms of communication if access via the internet is necessary." Using windows networking for internet communications is inadvisable. Defaulting it to assume that a user, especially a novice user, would or should borders on irresponsible.
(ed.: please note I include port 135, not an NB port at all... that's MS RPC EP mapper, roughly equivalent to port 111 on unix... and entirely unnecessary for most users to allow on the internet, in about the same sense that NB is, in my own humble opinion)
-- Basically, I believe in peace and bashing two bricks together.

Name Game (Premium, joined 2002-07-07, North Myrtle Beach, SC):
"For my own part, I don't even have MS networking installed,"
Nor I.. pulled it out of every OS I ever had.. do not even like to see the icons.

dave (Premium, MVM, joined 2000-05-04, not in ohio):
Is it actually possible to avoid NetBIOS entirely? I notice that SMB runs over TCP (port 445) since Windows 2000. It would therefore seem that sensible people could use that for files/printers/pipes and get rid of NetBIOS name resolution.
As to the rant content - well, that's backwards compatibility for you. Microsoft inherited a protocol stack from IBM (there are still people whining about the retirement of NetBEUI) and retrofitted it over TCP. Name resolution was done (per IBM) by shouting down the wires. That's still the way it's done as a last resort. Quite frankly, I don't see how you can expect to do name resolution in an administratorless environment without resorting to multicast. (Though browser elections were an attempt to avoid some of the multicast, but you didn't like that either).
Naturally, my model is that every PC has an Ethernet connection, because I haven't touched a non-networked computer since the early 1980s. I'm not much fussed about multicasted NetBIOS stuff on my LAN, since I suppose it's stopped at the router (TTL=1 and all that).

dave (Premium, MVM, joined 2000-05-04, not in ohio):
By the way, here's my summary of the article:
If you get a lot of UDP packets addressed to port 137, then you might be under attack. Bad guys may not be able to do bad things by asking about names, but if they know some names, they might be able to use them to attack other flaws in your security. So watch it if you see a lot of port 137 queries.

psloss (Premium, joined 2002-02-24, Alpharetta, GA):
said by Name Game: Well guys.. here is the thread... waiting for both of you guys to write it correctly yourselves.. as you each see it and how it really works. Not only for the OS you are running.. but all of them...
Ah, but it's so much easier to find fault. Seriously, just because I can find problems with a description of something doesn't mean I'm going to be able to write something good.
In other words, a good reader does not a good writer make.
I might be able to put something together that is better, but that's not saying much... the question is whether it's relevant and that depends on the audience.
So, continuing down that train of thought, a question (or a set):
What do you mean by newbies? Internet security newbies, IP newbies, or general computing newbies?
Is this for someone who just wants to know what they need to do to protect their PC(s) or for someone who wants to know about mechanics, etc.?
Speculating, if this is for general computing newbies, I'd refer to a much simpler link...something like this off a Google search: »www.pcflank.com/art20.htm
Or even Dave's post of his summary of the article.
On the other end of the spectrum, if someone wants to see the spec, there's always RFCs 1001 and 1002: »www.ietf.org/rfc/rfc1001.txt »www.ietf.org/rfc/rfc1002.txt
Something that might fit in between would be the one I posted in a related thread: »www.sans.org/newlook/resources/I···_137.htm
I'll see if I can find another reference or two online...any context you can provide would be helpful.
Thanks,
Philip Sloss
Name Game (Premium, joined 2002-07-07, North Myrtle Beach, SC):
"What do you mean by newbies? Internet security newbies, IP newbies, or general computing newbies?"
The guy who wrote both of those has been in the security business for many years.. evidently HE is the newbie, for some seem to think he is all full of hot air.... yet one poster said thanks for the info.. so it appears, since you can not write it up so that it is correct in your way of thinking except to provide links.. the whole thing will remain a mystery.. I personally am not confused how it all works. :-}
Yup... you guys are right..it is easier to find fault at what he has written...but I am ROTFL for now what I have seen posted here so far has just been by people who are NOT newbie and even they do not seem to be able to agree with each other..I find the whole thing fascinating.
I will leave you guys to it..glad you are enjoying the thread.
BTW- this is the site again..great site for many people over the years.
»www.vsantivirus.com/main.htm

Reply to dave:
said by dave: By the way, here's my summary of the article:
If you get a lot of UDP packets addressed to port 137, then you might be under attack. Bad guys may not be able to do bad things by asking about names, but if they know some names, they might be able to use them to attack other flaws in your security. So watch it if you see a lot of port 137 queries.
Yus, well, as a Newbie, I'm glad that you put it in plain language. Name Game's post left me floundering.
-- Take my advice, I'm not using it!

skatetech (Aka Dillhole, Premium, joined 2002-07-31, Louisville, KY):
I have been into general computing for years. As of late my interests have been drawn to the security aspects. I have been trying to learn as much as possible. Even with the possibility of inaccurate information (whichever side that may be, if either), I again thank you for the information and theories. Also, my hits on 137 have done nothing but intensify. (Still UDP, still originating from ports 1025-1027 with others occasionally, and the IPs do make repeated attempts after approximately ten minutes.) From Tokyo to Marseille to Florida, I am being hit repeatedly. Sometimes up to 6/minute! I do not have the suspect file mentioned in the threads either.

psloss (Premium, joined 2002-02-24, Alpharetta, GA):
said by Name Game: The guy who wrote both of those has been in the security business for many years.. evidently HE is the newbie, for some seem to think he is all full of hot air....
Well, there's a quick explanation for that (at least hypothetically): being a computer security professional doesn't necessarily mean one is a good communicator. He may understand this just fine, but his explanation doesn't convey that.
This always reminds me of a few professors I took classes from in college who were clearly competent in their field of expertise, but who were clearly not competent as teachers.
So the evidence here that suggests that the author's text doesn't translate to English or isn't entirely accurate doesn't necessarily mean the author is a "newbie."
said by Name Game: ..so it appears since you can not write it up so that it is correct in your way of thinking except to provided links..
As the quote goes in "OfficeSpace," I'm going to have to kind of disagree with you here.
I could write something -- as your post indicates that the author can also write something. But you're right in the sense that I don't think I could write something as the author of this post has done -- something off-the-cuff -- and have it be concise and accurate. Others may have successfully done that (and probably have), though it's hard to find online given all the informal and unreviewed information there is.
In other words, one of the reasons it's easier to find fault is that it takes less time. I'm of the opinion that my time would be better spent on other tasks besides going through the process of publishing something online (I could be wrong). Instead of writing another draft of a paper on NetBIOS, it would be better for that site to remove its explanation and link to ones in their native language.
So, to quote a line from an old Tom Hanks movie, "It's not that I can't help you, it's just that I don't want to." 
I didn't reply because I thought I could do better, I replied because I thought the author's text was confusing and inaccurate in places. I think that's particularly bad for "newbies."
said by Name Game: BTW- this is the site again..great site for many people over the years.
Well, as I said, something is being lost in the translation from Spanish to English (or "American" if you prefer). Is there an English version of the site?
Philip Sloss

Name Game (Premium, joined 2002-07-07, North Myrtle Beach, SC):
Here, try this one.. and ask WCB to dump the first two... posts... I am sure he will be glad to accommodate you and it will all go away.
File and Printer Sharing (NetBIOS) Fact and Fiction
Contents: The Problem; The Real Risk; Fact (updated!); Fiction (Urban Myths); What Ports are Open; NetBIOS Abuse by Scour (updated!); Increasing NetBIOS Security with Scope ID (updated!); Shields UP!(TM)
»cable-dsl.home.att.net/netbios.htm
The Problem While NetBIOS (Microsoft Networking) over TCP/IP can present a serious security risk if you are careless, hysteria related to NetBIOS over TCP/IP is unwarranted. Some Internet sites are making matters worse spreading bad advice (fiction/urban myths).
Note: For an excellent media perspective on the hysteria surrounding this issue, see the Network Magazine editorial "Accuracy in the 'Networking' Media" (January 2000).

Name Game (Premium, joined 2002-07-07, North Myrtle Beach, SC):
"So, to quote a line from an old Tom Hanks movie, "It's not that I can't help you, it's just that I don't want to.""
He also had a box of chocolates...and it took some a while to understand it...but it all work out in the end.
Just like this thread..when you could get your NETBIOS Checked.
This one was a classic. Lockdown Online Security Tests »Lockdown Online Security Tests
If you have networking installed and ARE NOT stealthed, this NetBIOS probe will attempt to read your login name and remote system time. It will then attempt to establish a connection to your browsemaster and display your domain, workgroup name, server and user. It will also attempt to display a list of all known computers on your network. After this, a share probe will take place and attempt to list and test your network shares. Tests will then be performed on your shares to see if they are protected by passwords, have write access or if any known bugs exist on your network. If any problems are found, you will be notified. If you are TRULY stealthed this test should not be able to display ANY information.

psloss (Premium, joined 2002-02-24, Alpharetta, GA):
said by Name Game: File and Printer Sharing (NetBIOS) Fact and Fiction »cable-dsl.home.att.net/netbios.htm
A much better reference, though it is of broader scope than your original thread topic here.
Philip Sloss