| Submitted By | Date |
| Comment |
| Antonio Perez | 2009-10-04 18:45:22 |
| About: Port 137
Beginning 28/09/2002 I am receiving in my dynamic IP about 10 to 20
daily intrusion alerts from my firewall about this port (FWIN).
Most of them (90%) came from other dynamic IPs given by my same
ISP "RETENET" to other customers of theirs (62.174.0.0 - 62.174.127.255).
I have written to <abuse@retevision.es> and <techretenet@retevision.es>
twice, but they never answered my messages.
Can I do anything more to avoid this problem?
Can you give me any additional information on this subject beyond:
http://isc.incidents.org/port_details.html?port=137 ?
Thanks.
Antonio.
|
| Norm | 2009-10-04 18:45:22 |
| Stop the worms, new version of Opasoft (aka) Opaserv.
Brasil.pif
http://www.viruslist.com/eng/viruslist.html?id=52256
How to disable NetBIOS.
Windows XP
Open the Start menu
Select "Connect To" (or "Settings", then "Network connections" if you're in Classic mode)
Right-click on the network connection icon that connects you to the Internet
Right click on "Properties"
Open the "Networking" tab
Highlight "Internet Protocol (TCP/IP)"
Select "Properties".
Click the "Advanced" button
Open the "WINS" tab.
At the bottom of the window, select "Disable NetBIOS over TCP/IP"
Click OK
Click 'YES' or 'OK' to any messages that appear. Restart your computer.
Windows 2000
Open the Control Panel
Open the 'Network and Dial-up Connections' icon
Right-click 'Local Area Connection'
Select 'Properties'
A window should open titled "Local Area Connection Properties" The middle of this window should have a list of components with checkboxes to their left.
Select 'Internet Protocol (TCP/IP)'
Click the 'Properties' button
Click the 'Advanced' button
Select the tab marked WINS
At the bottom of the window, select "Disable NetBIOS over TCP/IP"
Click OK
Click 'YES' or 'OK' to any messages that appear. Restart your computer.
Windows 95, 98, ME
Open the Control Panel
Open the 'Network' icon
Scroll through the components listed in the Configuration tab until you find and select the entry marked "TCP/IP" for your network or dial-up adapter.
Click the Properties button
Open the NetBIOS tab
Uncheck Enable NetBIOS over TCP/IP
Open the Bindings tab
Uncheck "Client for Microsoft Networks" and "File and printer sharing for Microsoft Networks"
Click OK
Click 'YES' or 'OK' to any messages that appear. Restart your computer.
Good luck,
Norm
|
| Michael | 2006-06-11 19:51:19 |
| You'll see a lot of these if you're running VMWare, usually from your subnet to the subnet vmware is using. |
| Marcus H. Sachs, SANS Institute | 2003-10-10 00:49:29 |
| SANS Top-20 Entry:
W5 Windows Remote Access Services
http://isc.sans.org/top20.html#w5
NETBIOS -- Unprotected Windows Networking Shares
Microsoft Windows provides a host machine with the ability to share files or folders across a network with other hosts through Windows network shares. The underlying mechanism of this feature is the Server Message Block (SMB) protocol, or the Common Internet File System (CIFS). These protocols permit a host to manipulate remote files just as if they were local.
Although this is a powerful and useful feature of Windows, improper configuration of network shares may expose critical system files or may provide a mechanism for a nefarious user or program to take full control of the host. One of the ways in which the I-Worm.Klez.a-h (Klez Family) worm, the Sircam virus (see CERT Advisory 2001-22) and the Nimda worm (see CERT Advisory 2001-26) spread so rapidly in 2001 was by discovering unprotected network shares and placing copies of themselves in them. Many computer owners unknowingly open their systems to hackers when they try to improve convenience for co-workers and outside researchers by making their drives readable and writeable by network users. But when care is taken to ensure proper configuration of network shares, the risks of compromise can be adequately mitigated.
|
| Ken | 2002-12-25 22:35:10 |
| This traffic is only 'normal' when the source and destination ports match and also, generally, when the source IP is on your own subnet. If the source port is not 137, e.g. 1024+n, there is likely a Wintel box at the other end infected with a worm. The prime candidate appears to be 'SCRSVR.EXE', AKA 'Opaserv', see:
http://vil.nai.com/vil/content/v_99729.htm
There also still appears to be some risk when the source *is* 137, see:
http://www.sans.org/newlook/resources/IDFAQ/port_137.htm
For the morbidly curious... more Opaserv info:
http://www.sarc.com/avcenter/venc/data/w32.opaserv.worm.html
http://www.sophos.com/virusinfo/analyses/w32opaserva.html
http://www3.ca.com/virusinfo/Virus.asp?ID=13234
http://www.europe.f-secure.com/v-descs/opasoft.shtml
http://www.kav.ch/avpve/worms/win32/opasoft.stm
http://www.norman.no/virus_info/w32_opaserv_a.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPASERV.A |
| Johannes Ullrich | 2002-10-09 18:23:35 |
| UDP packets on port 137 are used to perform a NetBIOS name lookup.
Within Microsoft's Windows file sharing, these lookups are similar
to DNS in that they resolve an IP to a computer name and back.
While many of these lookups are harmless and may be performed
automatically if DNS or reverse DNS fails, they are also a first
step to enumerate and maybe exploit open file shares.
There are a number of viruses and worms that exploit open shares,
most notably Bugbear. Also, a number of IRC controlled 'bots'
spread using open file shares.
Important: ALWAYS use a password to protect shared resources. However,
Microsoft file sharing is intended for a closed LAN environment, and
if at all possible should not be used across the public Internet.
|
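
Added example (not part of any comment above, and not ISC code): the source-port and subnet heuristic from Ken's comment applied to inbound UDP/137 events, with the NetBIOS name query that Johannes Ullrich describes decoded per RFC 1001/1002 for context. The addresses, sample packets, function names and verdict labels are constructed for illustration.

```python
import ipaddress
import struct

NB, NBSTAT = 0x0020, 0x0021  # RFC 1002 question types: name query, node status

def encode_name(name: bytes) -> bytes:
    """RFC 1001 first-level encoding: each nibble of the 16-byte name + 'A'."""
    if name == b"*":                       # wildcard name is NUL-padded
        padded = name.ljust(16, b"\x00")
    else:                                  # 15 space-padded chars + suffix byte 0x00
        padded = name.ljust(15, b" ")[:15] + b"\x00"
    return bytes(c for b in padded for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))

def build_query(name: bytes, qtype: int) -> bytes:
    """Constructed sample packet (not captured traffic): header + one question."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0000, 1, 0, 0, 0)
    return header + b"\x20" + encode_name(name) + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_query(payload: bytes):
    """Return (name, qtype) for a well-formed NBNS query, else None."""
    if len(payload) < 50 or payload[12] != 0x20 or payload[45] != 0x00:
        return None
    flags, qdcount = struct.unpack(">HH", payload[2:6])
    enc = payload[13:45]
    if flags & 0x8000 or qdcount != 1 or any(not 0x41 <= c <= 0x50 for c in enc):
        return None                        # a response, or not first-level encoded
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    (qtype,) = struct.unpack(">H", payload[46:48])
    return raw.rstrip(b"\x00 ").decode("ascii", "replace"), qtype

def classify(src_ip: str, src_port: int, local_net: str, payload: bytes):
    """Source-port/subnet heuristic from the comments; labels are this example's."""
    on_subnet = ipaddress.ip_address(src_ip) in ipaddress.ip_network(local_net)
    if src_port != 137:
        verdict = "suspect"                # e.g. 1024+n -> 137
    elif on_subnet:
        verdict = "expected"               # 137 -> 137 from the local subnet
    else:
        verdict = "review"                 # 137 -> 137 but from outside the subnet
    return verdict, parse_query(payload)

if __name__ == "__main__":
    # Constructed events using documentation address ranges (RFC 5737).
    events = [("192.0.2.10", 137, build_query(b"FILESRV", NB)),
              ("198.51.100.7", 137, build_query(b"FILESRV", NB)),
              ("198.51.100.7", 1029, build_query(b"*", NBSTAT))]
    for ip, port, pkt in events:
        print(ip, port, classify(ip, port, "192.0.2.0/24", pkt))
```

The verdict only sorts firewall alerts for follow-up; the decoded query type shows whether a sender asked for a single name or for a host's whole name table (node status).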