
Re: Scans on port 137 (NetBIOS-NS)



On Tue, 6 Jun 2000, Itamar Shtull-Trauring wrote:

> My (Linux, see it's not OT) firewall is getting a major amount of scanning
> activity on port 137, from hosts connecting from their port 137.  A lot of
> the connecting servers are web servers (of which a lot seem to be
> unconfigured IIS, one was running Netscape Enterprise).  

137 is the NetBIOS Name Service port. If your machine is NetBIOS/SMB
enabled, outsiders can potentially gain tons of info about your machine.
If you see port 139 activity as well, you may want to sniff around
to see exactly what the queries are. You won't believe what Windows
machines are telling the world via SMB without any authentication
whatsoever. Samba servers, by the way, are also vulnerable to this
information leak (say, your user list.)

Sources of a crude SMB probing program can be found somewhere in Phrack.
I think the name of the program was "qtip". 

OTOH, some DoS attacks against the operating system's networking stack
may require an open / listening port, which 137 usually is, even on 
raw "no services" Windows boxes.

-- crisk
                               ._ 
    crisk@netvision.net.il  ._/-======\\\       _          
                            |_.---------`-------^-----------------._
                         
Cheap quote from SPACEBALLS:
  There's something you should know. I am your father's uncle's sister's 
  nephew's former roommate.
- What does it makes us?
- Absolutely nothing! Which is what you are about to become! 


