[Dshield] Causes for Port 137 Surge?

Johannes B. Ullrich euclidian at euclidian.com
Mon Jul 9 13:01:14 GMT 2001

 I didn't look at any details yet. 137 is a difficult port as there are
a lot of false positives. This is one reason why it is excluded from the
top 10 port list (it would be the constant number one).

 However, open file shares are a big problem. I would hope that everyone
on this list running a windows system has that locked down. There are
different levels to this problem:

- Worst Case: Open, non-password protected file share.
  You may as well install Sub-Seven or another Trojan and advertise your
  IP in a national newspaper.

- Medium Risk: File sharing enabled but password protected.
  Still, you are at risk from brute-force attacks, and everything but
  the 'latest and greatest' Windows has problems with this feature.

- Low Risk: No files shared but file sharing is still installed.
  This will still allow people to look up your computer name and local
  user names. A possible problem is that you use the same names for
  other purposes (user names to web sites).

As people on this list probably have a personal firewall, blocking port
137-139 is a good idea. (Windows 2k uses a few additional ports).

Also, the only way to ensure that you got rid of all file sharing
components is to do a quick 'netstat -an' and check if your system is
listening on port 137-139.

The remote port scanners often show these ports as closed, as some ISPs
block these ports. However, you may still be vulnerable to attacks from
other users of your ISP.

Johannes Ullrich            Join http://www.dshield.org
jullrich at sans.org

On Mon, 9 Jul 2001, David Kennedy CISSP wrote:

> Any clues yet for the surge in Port 137 activity since 6/29?  
> Possibilities that come to mind:
> Qaz, Bymer or some other known/old 137-aware virus/worm got loose in a
> large organization which, in turn, flooded others.
> Hybris plug-in we don't understand (yet).
> Recent addition of large enterprises who are just reporting massive
> internal NetBIOS name lookups?  
> One of the IDSs changed detection of 137? (I block it at the router
> so I have no way of knowing whether it's coming my way or not.)
> Something W32.Leave-like?  
> Something completely different?
> Would it be possible to filter 137 reports and drop attackers on the
> same network and report only those from other networks?  If that's
> possible, I'm not sure how to deal with 1918 addresses, I'd be
> inclined to drop those as well as probably coming from a
> local-to-the-reporter host and thus possibly innocuous.
> I understand why you decided to handle 137 separately, but the
> reports make me suspect something irregular is up.  
> -- 
> Regards,
> David Kennedy CISSP
> Director of Research Services, TruSecure Corp. http://www.trusecure.com
> Protect what you connect.
> Look both ways before crossing the Net.

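The 'netstat -an' check Johannes describes, written out as an added example (this script is not part of the original mail): it reads netstat output on stdin and reports only sockets bound to the NetBIOS ports 137-139, plus 445/tcp, which is the extra port Windows 2000 uses for SMB directly over TCP. It accepts both the Windows column layout (Proto, Local Address, Foreign Address, State) and the Linux layout (the local address is simply the first field that ends in ':port'). The sample netstat output embedded below is constructed for the demonstration, not a real capture.

```shell
#!/bin/sh
# Added example, not from the original post. Usage on a live box:
#   netstat -an | netbios_listeners
# Prints "<proto> <local address>" for every socket bound to 137, 138,
# 139 or 445. TCP sockets are reported only when actually LISTENING, so
# an outbound connection to someone else's port 139 does not trigger it.
netbios_listeners() {
    awk '
        tolower($1) ~ /^(tcp|udp)/ {
            # Local address is the first field shaped like host:port
            # ($2 on Windows, $4 on Linux). "*:*" does not match.
            local = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /:[0-9]+$/) { local = $i; break }
            }
            if (local == "") next
            n = split(local, a, ":")
            port = a[n]
            if (port != "137" && port != "138" && port != "139" && port != "445") next
            # UDP has no state column; for TCP require a listening state.
            if (tolower($1) ~ /^udp/ || $NF == "LISTENING" || $NF == "LISTEN") {
                print $1, local
            }
        }'
}

# Constructed sample of Windows 'netstat -an' output (not a real capture).
# Expected hits: 139/tcp, 445/tcp, 137/udp, 138/udp. The ESTABLISHED
# line on 139 and the web server on 80 must not be reported.
SAMPLE='
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        192.168.1.9:1027       ESTABLISHED
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  UDP    192.168.1.5:137        *:*
  UDP    192.168.1.5:138        *:*
  UDP    0.0.0.0:1900           *:*
'

# Number of NetBIOS/SMB listeners found in the sample.
count_netbios_listeners() {
    printf '%s\n' "$SAMPLE" | netbios_listeners | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | netbios_listeners
```

If the function prints nothing on a machine where file sharing was supposedly removed, the NetBIOS and SMB components are really gone; any line it does print is a share or name service still reachable from whoever can route to that address, which, as the mail notes, includes other customers of the same ISP even when the ISP filters these ports at its border.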