Re: Scans on port 137 (NetBIOS-NS)
Itamar Shtull-Trauring wrote:
>
> My (Linux, see it's not OT) firewall is getting a major amount of scanning
> activity on port 137, from hosts connecting from their port 137. A lot of
> the connecting servers are web servers (of which a lot seem to be
> unconfigured IIS, one was running Netscape Enterprise).
>
> Among the unwelcomed visitors were someone from behind TheLinuxStore's
> firewall, the American Museum of Natural History anthropology website, a
> sixdegrees.com server, centaur.tau.ac.il, an oreilly.com server,
> trace.jewishgen.org and more. All this started on Sunday.
>
> Is there any reason why this port in particular should be accessed a lot, or
> am I witnessing the next big Windows exploit?

You could have tried:

% grep 137 /etc/services
netbios-ns 137/tcp
netbios-ns 137/udp

Port 137 is used for SMB NetBIOS name services, which are used to look
up the IP address of a NetBIOS hostname.
Windows uses SMB extensively for file/printer sharing.

Script Kiddies like scanning Windows machines on port 137/139 to try to
get access. You'd be surprised how many Windows boxes there are on the
Internet whose hard disks you can browse freely. Indeed, for them the
Internet is truly a "Network Neighborhood".

Of course, Linux/Unix boxes running Samba are vulnerable too. But these
are always behind a firewall, right?

Gavrie.
--
Gavrie Philipson
Netmor Applied Modeling Research Ltd.
=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il