Should I be worried?


M.Siler

This is strange... I think. I have a Linksys router and the only port I'm
forwarding is 80 as I run IIS just for my own private use. I'm running
WallWatcher to see the log entries in real time and I've noted a request
from an outside IP, then my system follows up with sending out to that
previous request a Port 137 netbios. I've done those port scans and they all
say I have nothing open except 80 which is expected. What gives?

In || Remote: 61.143.182.138 Port 30110 || Local: 192.168.1.105 Port 1026 (nterm)
Out || Remote: 61.143.182.138 Port 137 (netbios-ns) || Local: 192.168.1.105 Port 137 (netbios-ns)

In || Remote: 221.167.0.195 Port 1446 (ora-lm) || Local: 192.168.1.105 Port 27374
Out || Remote: 221.167.0.195 Port 137 (netbios-ns) || Local: 192.168.1.105 Port 137 (netbios-ns)

Again, I've run several port scans against my system and they all say that
I'm ok, but what is this outbound traffic on port 137??
 

Port 137 is one of the ports used to exploit Windows vulnerabilities, see
http://securityresponse.symantec.com/avcenter/security/Content/2003.09.10.html
for more info. This might be an issue if your system is not patched
properly.

- Veronica Loell
 
I would be worried. Your computer should not be engaging in port 137 traffic to or
from the internet [except through vpn/ipsec]. You can use netstat -an or, better yet,
fport to see what application/process is causing this traffic, and should do a
virus/trojan scan with the latest definitions. A personal firewall such as Sygate
[free for personal users] would also help track down what is going on. Also, IIS is
very vulnerable without doing some hardening, including installing the latest patches and
running the IIS Lockdown tool. I would also use a better internet appliance than your
Linksys if you are opening port 80. Netgear makes a true SPI firewall router that can
also block outbound access to a degree for around $80. --- Steve

http://isc.sans.org/ -- Lots of port 137 activity.
http://packetstormsecurity.nl/filedesc/fport.zip.html
http://www.webattack.com/Freeware/security/fwfirewall.shtml
http://www.netgear.com/products/prod_details.asp?prodID=140&view=
http://www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.asp
 
Nothing to worry about here as here is the sequence of events and why:

In || Remote: 61.143.182.138 Port 30110 || Local: 192.168.1.105 Port 1026
(nterm)

This is likely Messenger Spam from a source in China

Out || Remote: 61.143.182.138 Port 137 (netbios-ns) || Local: 192.168.1.105
Port 137 (netbios-ns)

Since this is port 137 to port 137 it is likely Windows trying to find the
hostname for 61.143.182.138, which fails on the reverse DNS lookup as China
Telecom does not have reverse lookups enabled, hence Windows then attempts
to use a Hostname lookup, which is what you're seeing here: UDP port 137 -> UDP
port 137.


In || Remote: 221.167.0.195 Port 1446 (ora-lm) || Local: 192.168.1.105
Port 27374

This is a SubSeven scan from a site in Korea

Out || Remote: 221.167.0.195 Port 137 (netbios-ns) || Local: 192.168.1.105
Port 137 (netbios-ns)

Again, since it is 137 -> 137 traffic and given that KOREA TELECOM does not
have reverse lookups enabled, Windows resorts to trying a Hostname lookup,
UDP port 137 -> UDP port 137.


Note UDP port 137 -> UDP port 137 traffic can be used to check your system
for open shares; however, most of the current worms do not use native Windows
calls to do this as they are too slow. For example, Opaserv scans appear
typically as UDP port 1025 -> UDP port 137 (where the source port typically
ranges from 1025 - 1034 as the worm is not a privileged service and hence
unable to use a source port below 1024) as it uses its own netbios fudge
function to check for open shares.

The only thing that is strange is that your 192.168.1.105 address is receiving
the unsolicited inbound traffic. Did you set up a DMZ with this address on
your Linksys, or is this a typo?

Blake
http://www.SonicLogger.com - Logging Software for SonicWall and 3Com
http://www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel
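As an added example (not code from this thread, from WallWatcher or from LinkLogger), the reasoning Blake walks through above run over a few constructed log lines in WallWatcher's "In/Out || Remote ... || Local ..." shape: an outbound 137 -> 137 query that follows an inbound hit from the same remote address is labelled a NetBIOS echo, an inbound probe from an ephemeral source port in the 1025-1034 range to local port 137 is labelled a share scan, and a 137 -> 137 query with no preceding inbound packet is flagged for follow-up. The line regex and the two extra sample addresses (198.51.100.7, 203.0.113.9) are assumptions.

```python
import re

# Constructed sample log in WallWatcher's In/Out format. The first four lines are
# the ones posted in the thread; the last two are made up to exercise the other cases.
SAMPLE_LOG = """\
In || Remote: 61.143.182.138 Port 30110 || Local: 192.168.1.105 Port 1026 (nterm)
Out || Remote: 61.143.182.138 Port 137 (netbios-ns) || Local: 192.168.1.105 Port 137 (netbios-ns)
In || Remote: 221.167.0.195 Port 1446 (ora-lm) || Local: 192.168.1.105 Port 27374
Out || Remote: 221.167.0.195 Port 137 (netbios-ns) || Local: 192.168.1.105 Port 137 (netbios-ns)
In || Remote: 198.51.100.7 Port 1029 || Local: 192.168.1.105 Port 137 (netbios-ns)
Out || Remote: 203.0.113.9 Port 137 (netbios-ns) || Local: 192.168.1.105 Port 137 (netbios-ns)
"""

# Assumed line shape: direction, remote ip/port (optional service name), local ip/port.
LINE_RE = re.compile(
    r"^(?P<dir>In|Out) \|\| Remote: (?P<rip>[\d.]+) Port (?P<rport>\d+)(?: \([^)]*\))?"
    r" \|\| Local: (?P<lip>[\d.]+) Port (?P<lport>\d+)(?: \([^)]*\))?$"
)

def parse(text):
    """Return (direction, remote_ip, remote_port, local_ip, local_port) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append((d["dir"], d["rip"], int(d["rport"]), d["lip"], int(d["lport"])))
    return events

def classify(text):
    """Label port-137 events: echo after an inbound hit, ephemeral-source share scan,
    or outbound 137 -> 137 with nothing inbound to explain it."""
    findings = []
    seen_inbound = set()  # remote addresses that already sent us a packet
    for direction, rip, rport, lip, lport in parse(text):
        if direction == "In":
            seen_inbound.add(rip)
            if lport == 137 and 1025 <= rport <= 1034:
                # Non-privileged source port -> 137: the worm-style scan shape, not a native lookup.
                findings.append((rip, "inbound share scan"))
        elif rport == 137 and lport == 137:
            if rip in seen_inbound:
                findings.append((rip, "netbios echo"))       # name lookup of a host that hit us first
            else:
                findings.append((rip, "unexplained outbound 137"))  # nothing inbound preceded it
    return findings

if __name__ == "__main__":
    for remote, label in classify(SAMPLE_LOG):
        print(f"{remote:16} {label}")
```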
 
I agree. Under a variety of situations, your Windows computer will send 137
outbound to try to get the Windows computer name of the remote computer.
However, 1) this should NOT be allowed out, and 2) if you're only forwarding
port 80, I would want to look further in the logs and question why this
seemingly unsolicited inbound connection appears to be let in through the
firewall and generates a response from your internal computers. [unless
you're running a software firewall on the computer in question, in which
case this response is normal. I personally would not want my firewall to be
generating outbound 137 and accepting the response packet back in from the
"attacker," but that's the way most of them are unfortunately designed.]
 
You're probably seeing what's been called the "NetBios Echo". You
don't want it to happen and there are several ways to stop it.

1) On WallWatcher's OPTIONS | LOGGING menu, make sure that "OK to use
NetBios 137" is UNCHECKED.

2A) If the Echo continues to occur when that option is unchecked, your
version of Windows doesn't support all forms of rDNS lookup, but you
still can prevent the Echo by unchecking "Convert IP addresses to
URL's". Unfortunately, if you do so, you won't be able to get any of
those conversions, not even the safe ones.

2B) If #1 doesn't work and you still want safe conversions to work,
leave "Convert IP addresses to URL's" checked in WW, then log onto the
Router through your Browser and access the ADVANCED / Filters page.
Then, set up a filter to block outgoing TCP's on port 137.

For more information, look in WW's HELP for "NetBios".
 
I did have "OK to use NetBios 137" checked in WallWatcher. I have now
unchecked it and we'll see if it stops. If not, I'll try your steps 2A & 2B.

Thanks!
 
How did you determine that 221.167.0.195 was in Korea & 61.143.182.138 was
in China?
 
WhoIs function. For example if you go to www.APNic.net and enter these IP
Addresses into their search they will return the WhoIs info for them since
they fall under APNic's area (Asia Pacific). There is also RIPE.net for
Europe/Africa, ARIN.net for North America, etc.

Blake

http://www.SonicLogger.com - Logging Software for SonicWall and 3Com
http://www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel
 