Threat Level: green Handler on Duty: Manuel Humberto Santander Pelaez

SANS ISC Port Details:


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Graph

[show ascii data]
Graph Criteria
  • Start Date:
  • End Date:
  • Port:
  • Left Y Axis:
  • Right Y Axis:

Port Information

Protocol Service Name
tcp netbios-ns NETBIOS Name Service
udp netbios-ns NETBIOS Name Service
tcp Chode [trojan] Chode
tcp Qaz [trojan] Qaz
udp Msinit [trojan] Msinit
[get complete service list]

User Comment

Submitted By Date
Comment
Antonio Perez 2009-10-04 18:45:22
About: Port 137 Begining 28/09/2002 I am receiving in my dynamic IP about 10 to 20 daily intrussion alerts from my firewall about this port (FWIN). Most of them (90%) came from other dynamic IP's given by my same ISP "RETENET" to other of their customers (62.174.0.0 - 62.174.127.255). I have told to <abuse@retevision.es> and <techretenet@retevision.es> twice, but they never answered my messages. Can I do anything mone to avoid this problem ?. Can you give me any additional information of this subject out of: http://isc.incidents.org/port_details.html?port=137 ?. Thanks. Antonio.
Norm 2009-10-04 18:45:22
Stop the worms, new version of Opasoft (aka) Opaserv. Brasil.pif http://www.viruslist.com/eng/viruslist.html?id=52256 How to disable Netbios. Windows XP Open the Start menu Select "Connect To" (or "Settings", then "Network connections" if you're in Classic mode) Right-click on the network connection icon that connects you to the Internet Right click on "Properties" Open the "Networking" tab Highlight "Internet Protocol (TCP/IP)" Select "Properties". Click the "Advanced" button Open the "WINS" tab. At the bottom of the window, select "Disable NetBIOS over TCP/IP" Click OK Click 'YES' or 'OK' to any messages that appear. Restart your computer. Windows 2000 Open the Control Panel Open the 'Network and Dial-up Connections' icon Right-click 'Local Area Connection' Select 'Properties' A window should open titled "Local Area Connection Properties" The middle of this window should have a list of components with checkboxes to their left. Select 'Internet Protocol (TCP/IP)' Click the 'Properties' button Click the 'Advanced' button Select the tab marked WINS At the bottom of the window, select "Disable NetBIOS over TCP/IP" Click OK Click 'YES' or 'OK' to any messages that appear. Restart your computer. Windows 95, 98, ME Open the Control Panel Open the 'Network' icon Scroll through the components listed in the Configuration tab until you find and select the entry marked "TCP/IP" for your network or dial-up adapter. Click the Properties button Open the NetBIOS tab Uncheck Enable NetBIOS over TCP/IP Open the Bindings tab Uncheck "Client for Microsoft Networks" and "File and printer sharing for Microsoft Networks" Click OK Click 'YES' or 'OK' to any messages that appear. Restart your computer. Good luck, Norm
Michael 2006-06-11 19:51:19
You'll see a lot of these if you're running VMWare, usually from your subnet to the subnet vmware is using.
Marcus H. Sachs, SANS Institute 2003-10-10 00:49:29
SANS Top-20 Entry: W5 Windows Remote Access Services http://isc.sans.org/top20.html#w5 NETBIOS -- Unprotected Windows Networking Shares Microsoft Windows provides a host machine with the ability to share files or folders across a network with other hosts through Windows network shares. The underlying mechanism of this feature is the Server Message Block (SMB) protocol, or the Common Internet File System (CIFS). These protocols permit a host to manipulate remote files just as if they were local. Although this is a powerful and useful feature of Windows, improper configuration of network shares may expose critical system files or may provide a mechanism for a nefarious user or program to take full control of the host. One of the ways in which I-Worm.Klez.a-h (Klez Family) worm, Sircam virus (see CERT Advisory 2001-22) and Nimda worm (see CERT Advisory 2001-26) spread so rapidly in 2001 was by discovering unprotected network shares and placing copies of themselves in them. Many computer owners unknowingly open their systems to hackers when they try to improve convenience for co-workers and outside researchers by making their drives readable and writeable by network users. But when care is taken to ensure proper configuration of network shares, the risks of compromise can be adequately mitigated.
Ken 2002-12-25 22:35:10
This traffic is only 'normal' when the source and destination ports match and also, generally, when the source IP is on your own subnet. If the source port is not 137, e.g. 1024+n, there is likely a Wintel box at the other end infected with a worm. The prime candidate appears to be 'SCRSVR.EXE', AKA 'Opaserv', see: http://vil.nai.com/vil/content/v_99729.htm There also still appears to be some risk when the source *is* 137, see: http://www.sans.org/newlook/resources/IDFAQ/port_137.htm For the morbidly curious... more Opaserv info: http://www.sarc.com/avcenter/venc/data/w32.opaserv.worm.html http://www.sophos.com/virusinfo/analyses/w32opaserva.html http://www3.ca.com/virusinfo/Virus.asp?ID=13234 http://www.europe.f-secure.com/v-descs/opasoft.shtml http://www.kav.ch/avpve/worms/win32/opasoft.stm http://www.norman.no/virus_info/w32_opaserv_a.shtml http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPASERV.A
Johannes Ullrich 2002-10-09 18:23:35
UDP packets on port 137 are used to perfom a Netbios name lookup. Within Microsoft's Windows file sharing, these lookups are similar to DNS in that they resolve an IP to a computer name and back. While many of these lookups are harmless and may be performed automatically if DNS or reverse DNS fails, they are also a first step to enumerate and maybe exploit open file shares. There are a number of viruses and worms that exploit open shares, most notably Bugbear. Also, a number of IRC controlled 'bots' spread using open file shares. Important: ALWAYS use a password to protect shared resources. However, Microsoft file sharing is intented for a closed LAN environment, and if at all possible should not be used accross the public Internet.
Add a comment

CVE Links

CVE # Description
CVE-2004-444 "Multiple vulnerabilities in SYMDNS.SYS for Symantec Norton Internet Security and Professional 2002 through 2004