[Dshield] Causes for Port 137 Surge?

Johannes B. Ullrich euclidian at euclidian.com
Mon Jul 9 13:01:14 GMT 2001


 I didn't look at any details yet. 137 is a difficult port as there are
a lot of false positives. This is one reason why it is excluded from the
top 10 port list (it would be the constant number one).

 However, open file shares are a big problem. I would hope that everyone
on this list running a windows system has that locked down. There are
different levels to this problem:

- Worst Case: Open, non-password protected file share.
  You may as well install Sub-Seven or another Trojan and advertise your
  IP in a national newspaper.

- Medium Risk: File sharing enabled but password protected.
  Still, you are at risk from brute force attacks, and everything but
  the 'latest and greatest' Windows has problems with this feature.

- Low Risk: No files shared but file sharing is still installed.
  This will still allow people to look up your computer name and local
  user names. A possible problem is that you use the same names for
  other purposes (user names to web sites).

As people on this list probably have a personal firewall, blocking port
137-139 is a good idea. (Windows 2k uses a few additional ports).

Also, the only way to ensure that you got rid of all file sharing
components is to do a quick 'netstat -an' and check if your system is
listening on port 137-139.

The remote port scanners often show these ports as closed, as some ISPs
block these ports. However, you may still be vulnerable from attacks from
other users of your ISP.


---
Johannes Ullrich            Join http://www.dshield.org
jullrich at sans.org
---
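The 'netstat -an' check described above, written out as an added example (not part of the original post): it parses constructed Windows netstat output and reports which NetBIOS ports 137-139 are bound, treating a bound UDP socket as listening since netstat shows no state for UDP.

```python
import re

# Constructed sample of `netstat -an` output from a Windows host (not real data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1043      10.0.0.5:80            ESTABLISHED
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
  UDP    0.0.0.0:500            *:*
"""

# Ports the post tells you to block; Windows 2000 adds others not listed here.
NETBIOS_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram", 139: "NetBIOS session"}

# proto, local addr:port, foreign addr:port, optional state (absent for UDP)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Yield (proto, local_addr, local_port, state) for each socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, anything that is not a socket row
        proto, addr, port, _foreign, state = m.groups()
        yield proto, addr, int(port), state or ""


def listening_netbios(text):
    """Return sorted (proto, port) pairs bound on 137-139 from netstat output."""
    found = set()
    for proto, _addr, port, state in parse_netstat(text):
        if port not in NETBIOS_PORTS:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue  # an established TCP connection is not a listener
        found.add((proto, port))
    return sorted(found)


def report(text):
    """Human-readable summary of the NetBIOS listeners found."""
    hits = listening_netbios(text)
    if not hits:
        return "No NetBIOS ports (137-139) are listening."
    lines = ["NetBIOS listeners found; block 137-139 at the firewall and remove file sharing:"]
    lines += [f"  {proto}/{port}  {NETBIOS_PORTS[port]}" for proto, port in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
```

Run the real check with `netstat -an` and feed its output to `report`; an empty result means no NetBIOS listener is bound, which is the condition the post asks you to confirm.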

On Mon, 9 Jul 2001, David Kennedy CISSP wrote:

> Any clues yet for the surge in Port 137 activity since 6/29?  
> 
> Possibilities that come to mind:
> Qaz, Bymer or some other known/old 137-aware virus/worm got loose in a
> large organization which, in turn, flooded others.
> 
> Hybris plug-in we don't understand (yet).
> 
> Recent addition of large enterprises who are just reporting massive
> internal NetBIOS name lookups?  
> 
> One of the IDS's changed detection of 137? (I block it at the router
> so I have no way of knowing whether it's coming my way or not.)
> 
> Something W32.Leave-like?  
> 
> Something completely different?
> 
> 
> 
> Would it be possible to filter 137 reports and drop attackers on the
> same network and report only those from other networks?  If that's
> possible, I'm not sure how to deal with 1918 addresses, I'd be
> inclined to drop those as well as probably coming from a
> local-to-the-reporter host and thus possibly innocuous.
> 
> I understand why you decided to handle 137 separately, but the
> reports make me suspect something irregular is up.  
> 
> -- 
> Regards,
> 
> David Kennedy CISSP
> Director of Research Services, TruSecure Corp. http://www.trusecure.com
> Protect what you connect.
> Look both ways before crossing the Net.



