Re: Scans on port 137 (NetBIOS-NS)
Itamar Shtull-Trauring wrote:

> My (Linux, see it's not OT) firewall is getting a major amount of scanning activity on port 137, from hosts connecting from their port 137. A lot of the connecting servers are web servers (of which a lot seem to be unconfigured IIS, one was running Netscape Enterprise). Among the unwelcome visitors were someone from behind TheLinuxStore's firewall, the American Museum of Natural History anthropology website, a sixdegrees.com server, centaur.tau.ac.il, an oreilly.com server, trace.jewishgen.org and more. All this started on Sunday. Is there any reason why this port in particular should be accessed a lot, or am I witnessing the next big Windows exploit?

You could have tried:

    % grep 137 /etc/services
    netbios-ns      137/tcp
    netbios-ns      137/udp

Port 137 is used for SMB NetBIOS name services, which are used to look up the IP address of a NetBIOS hostname. Windows uses SMB extensively for file/printer sharing. Script Kiddies like scanning Windows machines on port 137/139 to try to get access. You'd be surprised how many Windows boxes there are on the Internet whose hard disks you can browse freely. Indeed, for them the Internet is truly a "Network Neighborhood".

Of course, Linux/Unix boxes running Samba are vulnerable too. But these are always behind a firewall, right?

Gavrie.

--
Gavrie Philipson
Netmor Applied Modeling Research Ltd.

=
To unsubscribe, send mail to [EMAIL PROTECTED] with the word "unsubscribe" in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
Re: Scans on port 137 (NetBIOS-NS)
On Tue, 6 Jun 2000, Itamar Shtull-Trauring wrote:

> My (Linux, see it's not OT) firewall is getting a major amount of scanning activity on port 137, from hosts connecting from their port 137. A lot of the connecting servers are web servers (of which a lot seem to be unconfigured IIS, one was running Netscape Enterprise).

137 is the Netbios's Name Service port. If your machine is Netbios/SMB enabled, outsiders can potentially gain tons of info about your machine. If you see port 139 activity as well, you may want to sniff around to see exactly what the queries are. You won't believe what Windows machines are telling the world via SMB without any authentication whatsoever.. Samba servers, by the way, are also vulnerable to this information leak (say, your user list.)

Sources of a crude SMB probing program can be found somewhere in Phrack. I think the name of the program was "qtip".

OTOH, some DoS attacks against the operating system's networking stack may require an open / listening port, which 137 usually is, even on raw "no services" Windows boxes.

--
crisk ._ [EMAIL PROTECTED] ._/-==\\\ _ |_.-`---^-._

Cheap quote from SPACEBALLS: There's something you should know. I am your father's uncle's sister's nephew's former roommate. - What does it makes us? - Absolutely nothing! Which is what you are about to become!