Port 137 getting hammered

[darkstar]

Ok this is why i asked about firewalls because ive for Zone alarm running and port 137 is getting hammered all the time ! on the UDP protocol.

Anyone else getting this ?

[Nomak]

Port 137 is used sometimes for NetBios attacks via the internet, netBios is designed for use with networks to allow sharing of information. If you are using windows 9X then there is a known bug with netbios. Not sure if this is whats happening though as I have never used zone alarm. Im sure that it stops UDP packets though.

https://grc.com/x/ne.dll?bh0bkyd2

If you go to this link you can test your security.

[darkstar]

yea been to GRC pretty cool, gave a good result for me :D but who knows

cheers Nomak for the info i did abit of research into this stuff and found that out, i saw loads of shite about port 137 getting hammered and bugs in windows and IE and the netbios sharing stuff.

Hopefully i'll be ok but i get probed on that port almost every 2 minutes.

[lunatrick]

the probes you are receiving are probably a mixture of the following:-

some will be from random windows machines on the net - as windows uses udp 137 to resolve netbios names. This should only happen on the broadcast domain i.e. internal network but you also get machines spewing this traffic out on the internet. Some machines will also try and resolve your name when you have browsed to them , if they are an nt /win 2000 server. A lot of this stuff could be considered 'background noise' and can be ignored.

There are a couple of worms which probe on port 137 i.e. Opaserv and Bugbear, which are looking for holes, but any half-decent firewall should block this traffic by default. Personally I use zone alarm, but I've also heard that tiny personal firewall isn't bad either....

[darkstar]

Ok cheers for that, i looked online about this and alot of people are getting the same thing, so its not just me.

[sinner]

There are usually constant scans on the net for port 137 . People are looking for unpassworded windows shares all the time.


700 54600 deny log udp from any to me 137 via tun0

I have received 700 scans for port 137 in the last 24 hours from people ALL over the net.

Blocking is from outside your network is always the best policy

[Basil Rush]

Set up a firewall. Keep up to date with patches. Install a good virus checker. Ignore the firewall logs. Everyone is trying to hack everyone all the time, but they are mostly looking for soft targets.