Port 137 (tcp/udp) Attack Activity (2024)

Submitted By: Antonio Perez
Date: 2009-10-04 18:45:22
Comment:
About: Port 137
Beginning 28/09/2002 I am receiving on my dynamic IP about 10 to 20 daily intrusion alerts from my firewall about this port (FWIN). Most of them (90%) came from other dynamic IPs given by my same ISP "RETENET" to other of their customers (62.174.0.0 - 62.174.127.255). I have told <[email protected]> and <[email protected]> twice, but they never answered my messages. Can I do anything more to avoid this problem? Can you give me any additional information on this subject beyond: http://isc.incidents.org/port_details.html?port=137 ?
Thanks.
Antonio.

Submitted By: Norm
Date: 2009-10-04 18:45:22
Comment:
Stop the worms, new version of Opasoft (aka) Opaserv.
Brasil.pif
http://www.viruslist.com/eng/viruslist.html?id=52256

How to disable Netbios.

Windows XP
1. Open the Start menu
2. Select "Connect To" (or "Settings", then "Network connections" if you're in Classic mode)
3. Right-click on the network connection icon that connects you to the Internet
4. Right click on "Properties"
5. Open the "Networking" tab
6. Highlight "Internet Protocol (TCP/IP)"
7. Select "Properties".
8. Click the "Advanced" button
9. Open the "WINS" tab.
10. At the bottom of the window, select "Disable NetBIOS over TCP/IP"
11. Click OK
12. Click 'YES' or 'OK' to any messages that appear.
13. Restart your computer.

Windows 2000
1. Open the Control Panel
2. Open the 'Network and Dial-up Connections' icon
3. Right-click 'Local Area Connection'
4. Select 'Properties'
5. A window should open titled "Local Area Connection Properties". The middle of this window should have a list of components with checkboxes to their left.
6. Select 'Internet Protocol (TCP/IP)'
7. Click the 'Properties' button
8. Click the 'Advanced' button
9. Select the tab marked WINS
10. At the bottom of the window, select "Disable NetBIOS over TCP/IP"
11. Click OK
12. Click 'YES' or 'OK' to any messages that appear.
13. Restart your computer.

Windows 95, 98, ME
1. Open the Control Panel
2. Open the 'Network' icon
3. Scroll through the components listed in the Configuration tab until you find and select the entry marked "TCP/IP" for your network or dial-up adapter.
4. Click the Properties button
5. Open the NetBIOS tab
6. Uncheck Enable NetBIOS over TCP/IP
7. Open the Bindings tab
8. Uncheck "Client for Microsoft Networks" and "File and printer sharing for Microsoft Networks"
9. Click OK
10. Click 'YES' or 'OK' to any messages that appear.
11. Restart your computer.

Good luck,
Norm

Submitted By: Michael
Date: 2006-06-11 19:51:19
Comment:
You'll see a lot of these if you're running VMWare, usually from your subnet to the subnet vmware is using.

Submitted By: Marcus H. Sachs, SANS Institute
Date: 2003-10-10 00:49:29
Comment:
SANS Top-20 Entry: W5 Windows Remote Access Services
http://isc.sans.org/top20.html#w5

NETBIOS -- Unprotected Windows Networking Shares

Microsoft Windows provides a host machine with the ability to share files or folders across a network with other hosts through Windows network shares. The underlying mechanism of this feature is the Server Message Block (SMB) protocol, or the Common Internet File System (CIFS). These protocols permit a host to manipulate remote files just as if they were local.

Although this is a powerful and useful feature of Windows, improper configuration of network shares may expose critical system files or may provide a mechanism for a nefarious user or program to take full control of the host. One of the ways in which I-Worm.Klez.a-h (Klez Family) worm, Sircam virus (see CERT Advisory 2001-22) and Nimda worm (see CERT Advisory 2001-26) spread so rapidly in 2001 was by discovering unprotected network shares and placing copies of themselves in them. Many computer owners unknowingly open their systems to hackers when they try to improve convenience for co-workers and outside researchers by making their drives readable and writeable by network users. But when care is taken to ensure proper configuration of network shares, the risks of compromise can be adequately mitigated.

Submitted By: Ken
Date: 2002-12-25 22:35:10
Comment:
This traffic is only 'normal' when the source and destination ports match and also, generally, when the source IP is on your own subnet. If the source port is not 137, e.g. 1024+n, there is likely a Wintel box at the other end infected with a worm. The prime candidate appears to be 'SCRSVR.EXE', AKA 'Opaserv', see:
http://vil.nai.com/vil/content/v_99729.htm

There also still appears to be some risk when the source *is* 137, see:
http://www.sans.org/newlook/resources/IDFAQ/port_137.htm

For the morbidly curious... more Opaserv info:
http://www.sarc.com/avcenter/venc/data/w32.opaserv.worm.html
http://www.sophos.com/virusinfo/analyses/w32opaserva.html
http://www3.ca.com/virusinfo/Virus.asp?ID=13234
http://www.europe.f-secure.com/v-descs/opasoft.shtml
http://www.kav.ch/avpve/worms/win32/opasoft.stm
http://www.norman.no/virus_info/w32_opaserv_a.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPASERV.A

Submitted By: Johannes Ullrich
Date: 2002-10-09 18:23:35
Comment:
UDP packets on port 137 are used to perform a NetBIOS name lookup. Within Microsoft's Windows file sharing, these lookups are similar to DNS in that they resolve an IP to a computer name and back. While many of these lookups are harmless and may be performed automatically if DNS or reverse DNS fails, they are also a first step to enumerate and maybe exploit open file shares.

There are a number of viruses and worms that exploit open shares, most notably Bugbear. Also, a number of IRC controlled 'bots' spread using open file shares.

Important: ALWAYS use a password to protect shared resources. However, Microsoft file sharing is intended for a closed LAN environment, and if at all possible should not be used across the public Internet.
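For defenders reading captures of the UDP/137 lookups described in Johannes Ullrich's comment, the following parser decodes a NetBIOS name service request and flags the wildcard node-status query that asks a host for its whole name table. It is an added example, not part of the original comments; the host name FILESRV, the transaction IDs and both sample packets are constructed.

```python
import struct

QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}  # name lookup / node status (RFC 1002)
WILDCARD = b"*" + b"\x00" * 15

def encode_name(name16: bytes) -> bytes:
    """First-level encoding: each byte becomes two letters 'A'..'P', one per nibble."""
    if len(name16) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes")
    return bytes(0x41 + n for b in name16 for n in (b >> 4, b & 0x0F))

def decode_name(enc: bytes) -> bytes:
    if len(enc) != 32 or any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("not a first-level encoded name")
    return bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))

def parse_query(pkt: bytes) -> dict:
    """Parse one request as seen on UDP/137 (single question, no scope ID)."""
    if len(pkt) < 50:
        raise ValueError("truncated packet")
    txid, flags, qdcount = struct.unpack("!3H", pkt[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question request")
    if pkt[12] != 0x20 or pkt[45] != 0x00:
        raise ValueError("unexpected name layout (scope ID or compression)")
    raw = decode_name(pkt[13:45])
    qtype, _qclass = struct.unpack("!2H", pkt[46:50])
    wildcard = raw == WILDCARD
    return {
        "txid": txid,
        "qtype": QTYPES.get(qtype, hex(qtype)),
        "name": "*" if wildcard else raw[:15].decode("ascii", "replace").rstrip(),
        "suffix": raw[15],  # 16th byte identifies the service type
        # A wildcard NBSTAT request asks the host to list every name it holds.
        "enumeration": wildcard and qtype == 0x0021,
    }

def build_query(txid: int, name16: bytes, qtype: int) -> bytes:
    """Build constructed sample input for the parser; these are not captures."""
    header = struct.pack("!6H", txid, 0, 1, 0, 0, 0)
    return header + b"\x20" + encode_name(name16) + b"\x00" + struct.pack("!2H", qtype, 1)

SAMPLES = [
    build_query(0x1234, WILDCARD, 0x0021),
    build_query(0x0042, b"FILESRV".ljust(15) + b"\x20", 0x0020),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(parse_query(pkt))
```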
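The rule of thumb in Ken's comment (matching ports and a source on your own subnet are normal; a high source port suggests an infected host) can be applied to firewall logs as below. This is an added example, not part of the original comments; the log lines are constructed, their comma-separated "FWIN" layout is an assumption, and the addresses are documentation and private ranges.

```python
import ipaddress

# Constructed sample lines; the field layout is an assumption, not a
# documented firewall log format.
SAMPLE_LOG = """\
FWIN,2002/10/01,09:12:44,10.0.0.23:137,10.0.0.10:137,UDP
FWIN,2002/10/01,09:13:02,198.51.100.7:1027,10.0.0.10:137,UDP
FWIN,2002/10/01,09:15:31,203.0.113.12:137,10.0.0.10:137,UDP
FWIN,2002/10/01,09:16:10,198.51.100.7:1031,10.0.0.10:80,TCP
this line is malformed
"""

def split_endpoint(endpoint):
    """Split 'a.b.c.d:port' into (IPv4Address, int); raises ValueError if bad."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)

def classify(line, local_net):
    """Return (verdict, source_ip) for a port-137 entry, else None."""
    fields = line.strip().split(",")
    if len(fields) != 6 or fields[0] != "FWIN":
        return None
    try:
        src, sport = split_endpoint(fields[3])
        _dst, dport = split_endpoint(fields[4])
    except ValueError:
        return None
    if dport != 137:
        return None
    if sport != 137:
        verdict = "suspect"   # source port is not 137, e.g. 1024+n
    elif src in local_net:
        verdict = "normal"    # ports match and source is on the local subnet
    else:
        verdict = "review"    # ports match but source is outside the subnet
    return verdict, str(src)

def triage(log_text, local_cidr):
    """Group source addresses of port-137 entries by verdict."""
    net = ipaddress.ip_network(local_cidr)
    results = {}
    for line in log_text.splitlines():
        hit = classify(line, net)
        if hit:
            results.setdefault(hit[0], []).append(hit[1])
    return results

if __name__ == "__main__":
    for verdict, sources in triage(SAMPLE_LOG, "10.0.0.0/24").items():
        print(verdict, sources)
```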