[Dshield] port 137 probes; WinXP services

rilya byor rilya1 at yahoo.com
Mon Nov 18 13:34:54 GMT 2002


--- keithtarrant at spamcop.net wrote:
> When did your dial-up connection become unstable?
     --About a week ago.
> Did you change anything (hardware or software)
> around that time?  (Maybe a safeguard you installed
> is causing problems.)
     --Hard to say, cause I'm always trying out new 
     software.  I have several different firewalls but
     only use one at a time (yesterday I changed from
     Zonealarm to Outpost).  Doesn't seem to matter
     what I use.
> 
> Is your virus scanner up-to-date?  Have you run a
> recent virus scan with the latest signatures?  (An
> infection could cause your symptoms.)
     --Being the paranoid person I am, I always update
     and scan at least twice a week with AVG and the
     Cleaner.  The other day I ran the Lockdown
     Millennium trojan scanner and it found a PhazeZero
     trojan that everything else had missed, tho
     apparently it wasn't doing anything (no weird
     ports open, no unauthorized activity either
     outgoing or incoming).  Anyway, I removed it but
     the problem persists. 
> 
> Who is your ISP and what operating system are you
> running?
     --Verizon and Win XP (only because I can't get
     Linux to recognize that there's a modem plugged
     into one of my PCI serial ports--maddening!)
 
> Do you have all the current critical updates to your
> operating system?  (A virus scanner can't protect
> you from missing security updates.)
     --The last two times I installed Microsoft
     "critical security updates," they crashed the
     system and I had to wipe out the partition and
     reinstall everything--never again!  Instead, I
     use GRC's little patching utilities, which work
     great and do no harm.

     Now, a related question: All my firewalls report
     that all kinds of miscellaneous system services
     want to act as internet servers. Can anyone
     tell me what the @#$)*@! they are? Surely, it
     can't be a good thing to have all these ports
     open! Here's the current connection log from
     Outpost:

SVCHOST.EXE	nyc2-qwest.bellatlantic.net	DNS	UDP	387 bytes	955 bytes	11/18/2002 8:04:27 AM	Outbound	1051	LocalHost	00:00:00	1342
SVCHOST.EXE	nyc1-qwest.bellatlantic.net	DNS	UDP	1585 bytes	4600 bytes	11/18/2002 7:58:23 AM	Outbound	1027	LocalHost	00:00:00	6185
SVCHOST.EXE	*.*.*.*	n/a	UDP	0 bytes	0 bytes	11/18/2002 7:58:23 AM	Listening	123	LocalHost	00:00:00	0
SVCHOST.EXE	*.*.*.*	n/a	TCP	0 bytes	0 bytes	11/18/2002 7:57:13 AM	Listening	DCOM	*.*.*.*	00:48:05	0
SVCHOST.EXE	*.*.*.*	n/a	TCP	0 bytes	0 bytes	11/18/2002 7:57:14 AM	Listening	1025	*.*.*.*	00:48:04	0
SYSTEM	n/a	n/a	GRE	0 bytes	0 bytes	11/18/2002 7:57:17 AM	Listening	12032	n/a	00:49:22	0
SYSTEM	n/a	n/a	RAWSOCKET	0 bytes	0 bytes	11/18/2002 7:57:17 AM	Listening	n/a	n/a	00:49:22	0
SYSTEM	*.*.*.*	n/a	TCP	0 bytes	0 bytes	11/18/2002 7:57:17 AM	Listening	1026	*.*.*.*	00:49:22	0
> - Keith
> 
> ----- Original Message -----
> From: "rilya byor" <rilya1 at yahoo.com>
> To: <list at dshield.org>
> Sent: Saturday, November 16, 2002 10:47 PM
> Subject: [Dshield] port 137 probes
> 
> 
> > Help... I've lately been logging hundreds of port 137
> > probes a day, which I understand are coming from the
> > Tanatos/Bugbear worm.  Of course, I have netbios
> > disabled and ports 137-138-139 stealthed, but I'm
> > having a terrible time maintaining a usable dialup
> > connection; I log on and a few minutes later the
> > connection freezes up and I have to redial again, and
> > again... Is all this port 137 activity the cause of
> > this?  My ISP has no explanation (but what do they
> > know...)  If so, what can I do to prevent it?  My
> > phone bill is going to be astronomical if this keeps
> > up.
> > Tnx,
> > Rilya1
> >
> >
> > __________________________________________________
> > Do you Yahoo!?
> > Yahoo! Web Hosting - Let the expert host your site
> > http://webhosting.yahoo.com
> >
> >
> 
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or
> unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
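
Added example, not part of the original post or of Outpost itself: a small Python parser that rebuilds the mail-wrapped Outpost connection log quoted above into one record per entry and lists the entries in Listening state. The column names and the helper names rejoin() and listeners() are assumptions made for this example; the sample lines are copied from the post.

```python
import re

# Column names are assumptions inferred from the values; the post shows no header row.
FIELDS = ("process", "remote_host", "remote_port", "protocol", "sent", "received",
          "started", "state", "local_port", "local_addr", "duration", "last")

# A wrapped line starting like this continues a field that was split at a space.
_MID_FIELD = re.compile(r"^(bytes\b|[AP]M\b|\d{1,2}:\d\d:\d\d [AP]M\b)")

def rejoin(text):
    """Rebuild 12-field tab-separated records from mail-wrapped lines."""
    records, current = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(">"):
            continue  # blank line or quoted reply text
        if current:
            current += (" " if _MID_FIELD.match(line) else "\t") + line
        else:
            current = line
        n = current.count("\t") + 1
        if n == len(FIELDS):
            records.append(dict(zip(FIELDS, current.split("\t"))))
            current = ""
        elif n > len(FIELDS):
            raise ValueError("cannot realign record: " + current)
    if current:
        raise ValueError("incomplete record at end of input: " + current)
    return records

def listeners(records):
    """Return (process, protocol, local_port, local_addr) for each Listening entry."""
    return [(r["process"], r["protocol"], r["local_port"], r["local_addr"])
            for r in records if r["state"] == "Listening"]

# Lines copied from the log in the post, wrapped as the mail client left them.
SAMPLE = (
    "SVCHOST.EXE\tnyc2-qwest.bellatlantic.net\tDNS\tUDP\t387\n"
    "bytes\t955 bytes\t11/18/2002 8:04:27 AM\tOutbound\t1051\n"
    "LocalHost\t00:00:00\t1342\n"
    "SVCHOST.EXE\t*.*.*.*\tn/a\tTCP\t0 bytes\t0 bytes\t11/18/2002\n"
    "7:57:13 AM\tListening\tDCOM\t*.*.*.*\t00:48:05\t0\n"
    "SYSTEM\tn/a\tn/a\tGRE\t0 bytes\t0 bytes\t11/18/2002 7:57:17\n"
    "AM\tListening\t12032\tn/a\t00:49:22\t0\n"
)

if __name__ == "__main__":
    for row in listeners(rejoin(SAMPLE)):
        print(*row, sep="\t")
```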

