ZA: A lot of attacks on port 137
maes
July 16th, 2003, 02:20 PM
Hi,
First of all, I don't know if this is the right forum; if not, I'm sorry :(
According to ZoneAlarm, I have a lot of attacks on my NetBIOS port 137.
In the last 5 days, about 1258 attacks :o
I have no idea what's causing it. I scanned with NAV, Ad-aware and Spybot Search & Destroy. None of them found anything.
I used a packet sniffer to see what was going on, but the sniffer didn't find anything on port 137. So either ZA is doing a good job and blocking the attacks, or ZA is going a bit nuts and inventing them (I think the first option).
I have a dynamic IP, so how can they find me? At first I thought that I was sending out a signal of some sort and that's how they find me, but the packet sniffer didn't show anything out of the ordinary, except for one thing: I'm occasionally doing a broadcast to 255.255.255.255. My first guess is that this is my PC looking for a DHCP server somewhere. But I have no DHCP server running, so how can I turn this off?
So my question: what are all these attacks about? They really got me worried.
thanks
Maes
Krusty
July 16th, 2003, 02:40 PM
Hi Maes.
-{ Quote: "So my question: what are all these attacks about? they really got me worried. " }-
Hard to answer straight away because I really don't know what you do on your puter, for example: do you play online games, do you share your files, do you download a lot of stuff from some network (etc. questions)? The more you do on the net, the more attacks you will have, that's a fact. And do you chat often in chat rooms? There are "ravens of the net" ready to hack and crack your puter.
UDP 137, file and printer sharing network... you should consider turning it off and cutting off the bindings as Steve Gibson advises... just don't do it if you are unsure whether you might need it; if you have virtual networks you might need it, OK. But anyway, here is Steve Gibson's very popular site where to start studying:
http://grc.com/su-bondage.htm
friendliest -Ari
PS. Here you can see whether your DHCP is on or off:
http://support.ycn.com/www/einwahl/gd3anleitung/wldhcpandwep.htm
maes
July 16th, 2003, 02:55 PM
Hi,
thanks for the quick reply.
I do no file sharing, no online games except for Tetrinet, no chat rooms.
About the file and printer sharing: I have one desktop PC and one portable; if I want to copy files from one to another, I need file and printer sharing, right? (I'm pretty new at this ;) )
In the meantime, I used The Cleaner (found it on the main site) and that didn't say anything.
I already did the Shields Up and the LeakTest on grc.com a while ago; that was also negative (going to do it again right after this post).
Maybe a nice and clean format c would help, who knows.
BTW: that's a very interesting article on grc that you showed me, thx ;)
Krusty
July 16th, 2003, 03:01 PM
-{ Quote: "Maybe a nice and clean format c would help, who knows. " }-
Maes.....
Many times format c helps... as long as you keep doing the same things which lead to the same situation. I mean, you should stick with what you've got and research and learn more :), as long as your puter works fine.
Ari
Dan Perez
July 16th, 2003, 03:03 PM
Hi maes,
This is likely regular background noise from the Internet, from people infected with one of any number of NetBIOS-spread viruses. This has been going on for some time though, so if you have had your system/firewall up for some time without having made any changes and all of a sudden you see a major increase, then you really need to assume that you are infected with one of these viruses and what you are seeing is the return traffic.
It might help to see a brief section of your firewall log (but please paste that snippet into your notepad and change your IP before pasting it here).
Thanks,
Dan
Dan Perez
July 16th, 2003, 03:05 PM
Yes! I agree with Krusty that you should hold off on formatting till we get a clearer picture!
Jooske
July 16th, 2003, 03:33 PM
Hi Maes, welcome!
I take it to be Internet noise too; for a long time I was able to suppress the UDP 137 from logging, till a later ZAPro update did not enable that anymore, so I get miles-long logs from that too now.
If you want to see if there is traffic in and out, you might like to install Port Explorer,
www.diamondcs.com.au/portexplorer where even the free evaluation version shows you traffic and enables spying on the packets.
You can see in the blink of an eye if there would be anything suspicious and it shows where the traffic comes from, very nice!
Another one is TDS, same website; after installing, update the scan databases from the site and scan all, and see if anything would need attention. For the UDP 137, by the sound of it, not.
With TDS you also have the nice option in TDS > Network > TCP Port Listen to set it on port 137 and see what would be coming in there. Probably nothing, as your firewall blocks it, unless you would unblock that port 137 to see what comes in...
For ZA there exist a few nice logfile analysers, of which you might like VisualZone, which analyses and traces the portscans for you: www.visualizesoftware.com (free tool)
maes
July 16th, 2003, 03:47 PM
here's a piece of my log:
-{ Quote: "
type,date,time,source,destination,transport
FWIN,2003/07/11,11:51:56 +2:00 GMT,***.***.***.***:1033,***.***.***.***:137,UDP
FWIN,2003/07/11,11:52:40 +2:00 GMT,***.***.***.***:1025,***.***.***.***:137,UDP
FWIN,2003/07/11,11:52:48 +2:00 GMT,***.***.***.***:1210,***.***.***.***:137,UDP
FWIN,2003/07/11,11:53:00 +2:00 GMT,***.***.***.***:1027,***.***.***.***:137,UDP
FWIN,2003/07/11,11:57:22 +2:00 GMT,***.***.***.***:1025,***.***.***.***:137,UDP
" }-
The source IPs are all different, and as you can see, the time between attacks is about a minute. Isn't that a bit much to be background noise?
And if it is a virus, how come Norton Antivirus doesn't say anything? I scan everything that comes into my computer (email and files), do a full check every week and always download the updates.
I used CommView (trial version) to scan what was going on on port 137 and CommView didn't detect anything. I'll give Port Explorer a try tomorrow, and I'll try to turn off ZA and see what Port Explorer says about port 137.
About the logfile analysers, I use ZoneLog Analyser.
Thanks for all the replies guys, I appreciate it.
--Maes
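The snippet above is all the thread has to go on: a handful of FWIN lines with masked addresses. As an added example that is not part of the original thread (and not code from ZoneAlarm or any of the log analysers mentioned), the script below parses records in that same six-field format, groups inbound hits by destination port and applies the rule of thumb used later in the thread: many unrelated sources each hitting a port once or twice is scan noise, while one source hammering a port deserves a closer look. The sample log lines, the RFC 5737 documentation addresses in them and the thresholds are constructed assumptions. Outbound UDP/137 is reported separately, because that is the one thing in such a log that says something about the local machine rather than about the Internet.

```python
"""Triage of ZoneAlarm-style firewall log lines for inbound UDP/137 noise.

Added example, not part of the original thread and not ZoneAlarm code. The
six-field layout (type,date,time,source,destination,transport) is taken from
the snippets posted in the thread; the sample lines, their documentation
addresses and the thresholds are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not real traffic), same shape as the thread's snippets:
# five unrelated hosts probing UDP/137, one host repeatedly probing TCP/17300,
# and one outbound NetBIOS datagram from the local machine (203.0.113.5).
SAMPLE_LOG = """type,date,time,source,destination,transport
FWIN,2003/07/11,11:51:56 +2:00 GMT,192.0.2.10:1033,203.0.113.5:137,UDP
FWIN,2003/07/11,11:52:40 +2:00 GMT,198.51.100.7:1025,203.0.113.5:137,UDP
FWIN,2003/07/11,11:52:48 +2:00 GMT,192.0.2.77:1210,203.0.113.5:137,UDP
FWIN,2003/07/11,11:53:00 +2:00 GMT,198.51.100.200:1027,203.0.113.5:137,UDP
FWIN,2003/07/11,11:57:22 +2:00 GMT,192.0.2.31:1025,203.0.113.5:137,UDP
FWIN,2003/07/11,11:58:10 +2:00 GMT,192.0.2.31:1026,203.0.113.5:137,UDP
FWIN,2003/07/11,12:01:03 +2:00 GMT,198.51.100.9:1134,203.0.113.5:17300,TCP (flags:S)
FWIN,2003/07/11,12:02:15 +2:00 GMT,198.51.100.9:1135,203.0.113.5:17300,TCP (flags:S)
FWIN,2003/07/11,12:03:20 +2:00 GMT,198.51.100.9:1136,203.0.113.5:17300,TCP (flags:S)
FWIN,2003/07/11,12:04:30 +2:00 GMT,198.51.100.9:1137,203.0.113.5:17300,TCP (flags:S)
FWOUT,2003/07/11,12:05:00 +2:00 GMT,203.0.113.5:137,192.0.2.31:137,UDP
"""

# Assumed thresholds: a port with at least MIN_HITS hits where no single source
# accounts for more than MAX_TOP_SOURCE_SHARE of them shows the "many different
# IPs" pattern the thread calls background noise.
MIN_HITS = 4
MAX_TOP_SOURCE_SHARE = 0.5


def parse_za_log(text):
    """Return one dict per FWIN/FWOUT record; the header and odd lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6 or parts[0] not in ("FWIN", "FWOUT"):
            continue
        kind, date, clock, src, dst, transport = parts
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        # ZA writes "HH:MM:SS +2:00 GMT"; the offset is constant within one log,
        # so the local wall-clock part is enough for inter-arrival arithmetic.
        ts = datetime.strptime(f"{date} {clock.split(' ', 1)[0]}", "%Y/%m/%d %H:%M:%S")
        records.append({
            "dir": kind, "ts": ts,
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "proto": transport.split(" ", 1)[0],  # "TCP (flags:S)" -> "TCP"
        })
    return records


def triage_inbound(records):
    """Per (proto, dst_port): hit count, distinct sources, the busiest source's
    share of the hits, median seconds between hits, and a verdict."""
    by_port = defaultdict(list)
    for r in records:
        if r["dir"] == "FWIN":
            by_port[(r["proto"], r["dst_port"])].append(r)
    summary = {}
    for key, hits in by_port.items():
        hits.sort(key=lambda r: r["ts"])
        sources = Counter(r["src_ip"] for r in hits)
        top_share = sources.most_common(1)[0][1] / len(hits)
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        if len(hits) < MIN_HITS:
            verdict = "too few hits to judge"
        elif top_share <= MAX_TOP_SOURCE_SHARE:
            verdict = "background scan noise (many unrelated sources)"
        else:
            verdict = "persistent single source, worth a closer look"
        summary[key] = {
            "hits": len(hits),
            "distinct_sources": len(sources),
            "top_source_share": round(top_share, 2),
            "median_gap_s": median(gaps) if gaps else None,
            "verdict": verdict,
        }
    return summary


def outbound_netbios(records):
    """Outbound UDP/137 means the local host itself is talking NetBIOS to the
    Internet (in the thread: a log analyser's back-traces). Each one should
    have an explanation, unlike the inbound noise."""
    return [(r["ts"], r["dst_ip"]) for r in records
            if r["dir"] == "FWOUT" and r["proto"] == "UDP" and r["dst_port"] == 137]


if __name__ == "__main__":
    recs = parse_za_log(SAMPLE_LOG)
    for (proto, port), s in sorted(triage_inbound(recs).items()):
        print(f"{proto}/{port}: {s}")
    for ts, dst in outbound_netbios(recs):
        print(f"outbound NetBIOS at {ts} to {dst}")
```

Run against a real ZA log by replacing SAMPLE_LOG with the file contents; the UDP/137 line in the sample comes out as noise (five sources, the busiest with a third of the hits), while the TCP/17300 line, all from one address, is flagged for a closer look. The thresholds are deliberately crude; the point is that source diversity, not raw hit count or the minute-scale spacing the original poster worried about, is what separates scan noise from something aimed at you.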
Dan Perez
July 16th, 2003, 03:53 PM
One of the first things viruses try to do is disable the local AV. Anyway, the traffic you see is characteristic of the background noise.
If you refer to the port stats on dshield
http://isc.incidents.org/port_details.html?port=137
You will see that there are typically 3 million such packets reported daily.
As a precaution you may want to try an online scanner such as
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
but it really appears as if the logged traffic is just the wretched refuse of the internet :)
Jooske
July 16th, 2003, 03:58 PM
ZoneLog Analyser is nice too, I have them both (I always first start with recommending free tools if available and good for the job :) )
Don't turn off all of ZA, only allow that port temporarily.
No, nothing will be found on your system; it's others, probably infected, spitting out their joy on everybody's ports.
If you paste one of the IP addresses into the DShield IP info you might see lots of hits from them.
www.dshield.org
My logs really look the same!
In the meantime i see my posting crossed Dan's, hi Dan, and see we're on one line (of course).
See here one of the infected ones in my log at Dshield's:
IP Address: 142.163.xxx.xxx
HostName: 142.163.xxx.xxx
DShield Profile: Country: CA
Contact E-mail: wcase@xxx.xxx
Total Records against IP: 584
Number of targets: 581
Date Range: 2003-06-17 to 2003-07-16
Top 10 Ports hit by this source:
Port Attacks Start End
137 584 2003-06-17 2003-07-16
So that person is causing un-nice traffic, and is probably not much online, as I have seen far higher ranges.
This is only what was reported via VisualZone or otherwise about this IP address, so the real amount can be far higher than that, at least a day or more!
JimIT
July 16th, 2003, 04:04 PM
-{ Quote: Dan Perez: "
Hi maes,
This is likely regular background noise from the internet by people infected with one of any number of NetBIOS spread viruses.
Dan
" }-
I agree w/Dan.
FWIW, my logs look similar. Most "stops" being made in my ZA logs show hits on 137. Unless you have Netbios running wild, you *shouldn't* be unduly concerned.
However, I agree that you should "touch all the bases", as covered by the experts here.
Jooske
July 16th, 2003, 04:20 PM
You see:
FWIN,2003/07/16,12:42:24 +2:00 GMT,64.219.xxx.xxx:1030,xxx.xxx.xxx.xxx:137,UDP
FWIN,2003/07/16,12:43:46 +2:00 GMT,80.33.xxx.xxx:58060,xxx.xxx.xxx.xxx:137,UDP
FWIN,2003/07/16,12:44:08 +2:00 GMT,213.77.xxx.xxx:1025,xxx.xxx.xxx.xxx:137,UDP
FWIN,2003/07/16,12:45:00 +2:00 GMT,142.154.xxx.xxx:1134,xxx.xxx.xxx.xxx:17300,TCP (flags:S)
FWIN,2003/07/16,12:45:48 +2:00 GMT,81.86.xxx.xxx:1029,xxx.xxx.xxx.xxx:137,UDP
FWIN,2003/07/16,12:46:56 +2:00 GMT,80.50.xxx.xxx:1028,xxx.xxx.xxx.xxx:137,UDP
FWIN,2003/07/16,12:47:08 +2:00 GMT,218.87.xxx.xxx:1029,xxx.xxx.xxx.xxx:137,UDP
FWIN,2003/07/16,12:49:18 +2:00 GMT,218.15.xxx.xxx:1025,xxx.xxx.xxx.xxx:137,UDP
FWIN,2003/07/16,12:49:42 +2:00 GMT,62.29.xxx.xxx:1085,xxx.xxx.xxx.xxx:137,UDP
FWIN,2003/07/16,12:50:16 +2:00 GMT,66.72.xxx.xxx:1030,xxx.xxx.xxx.xxx:137,UDP
FWIN,2003/07/16,12:57:52 +2:00 GMT,210.241.xxx.xxx:1027,xxx.xxx.xxx.xxx:137,UDP
FWIN,2003/07/16,12:58:04 +2:00 GMT,218.10.xxx.xxx:1028,xxx.xxx.xxx.xxx:137,UDP
FWOUT,2003/07/16,12:59:08 +2:00 GMT,xxx.xxx.xxx.xxx:137,210.241.xxx.xxx:137,UDP
FWOUT,2003/07/16,12:59:16 +2:00 GMT,xxx.xxx.xxx.xxx:137,218.10.xxx.xxx:137,UDP
on a quiet moment.......
sig
July 16th, 2003, 04:26 PM
As others have noted, there are a lot of port 137 scans out on the net due to various worms that are out there seeking vulnerable PCs to infect. So your observation is not unique and doesn't mean that there is anything wrong with your setup. Increases in such scans have also been noted by others in other security-related forums. So just because you are seeing an increase does not in itself mean that your PC has been infected or compromised.
These port scans are like sonar, going out blindly across the net seeking return responses from vulnerable machines. What that means is that they are not directed specifically at you, just that your IP is included in the range of IP blocks they are scanning. Think of someone using a remote control on a cable TV looking for something interesting to watch, letting the remote run through the various channels from 1 onward, scanning through the channels to see if something comes up on the screen that they are interested in.
If you wish, run port scans to confirm that your ports are not open at a place such as this: http://nanoprobe.grc.com/ and download and run an anti-trojan like Trojan Hunter or TDS to double check and ease your peace of mind. (If you do download a trial version of these apps, make sure to update the signature database before you scan. With TDS I think you have to go to the site and download the updates manually.) You can also run online AV scanners like McAfee's, for example: http://www.mcafee.com/ and I think Panda has one also. Can't remember all the others available.
Jooske
July 16th, 2003, 04:57 PM
I was just reminded it is possible in the new ZAPro 4 to use the expert rules per port to decide whether you want them in the logfile or not, while they keep being blocked.
You might like to try that for this port 137?
In the former versions I ran a script some of the TDS family were so nice to write for us, which kept TDS listening on that port so no logs were registered at all for it: it means TDS served as an emulator for that possible infection, and if I had unblocked that port it would have been able to communicate with the "thing".
But ZAPro 4 functions differently, so that will be using the expert rules and saves kilometers-long log files!
The traffic will show up in Port Explorer with the country beside it, nice! And you could decide to block it if you really like.
DolfTraanberg
July 16th, 2003, 05:00 PM
Hi Maes
First of all, ZA is blocking traffic on port 137, so you are safe. As long as the port hammering comes from different IPs, you shouldn't be concerned; as has been said before, you can consider this background noise. If you get tired of all those firewall logs: the latest version of ZoneAlarm has an expert mode where you can disable logging on a certain port (I don't know about the freeware version); if this doesn't help you may want to enable an application to listen on port 137 UDP and let it dump any traffic, then tell ZA not to block that traffic...
TDS-3 is capable of doing this and PE should be able to as well (I don't know for sure, I'm not using PE), and a number of other programs are capable of doing so.
Dolf
LowWaterMark
July 16th, 2003, 06:10 PM
Jooske and Dolf have described the two exact methods I've used in the past to suppress all those incoming UDP port 137 packets.
For a while I used a free port listener (PortPeeker (link) (http://www.wilderssecurity.com/showthread.php?t=8652)) which I set to monitor all incoming UDP port 137 packets. That allowed me, if I wanted, to take a quick look to see if I was getting a large or small number of these, and it also allowed me to see a separate list of the source IPs, again just for spot checking if I was interested in seeing how that traffic was doing.
Well, finally I decided this was wasting my time since there wasn't anything I could do about them anyway, and because the new version of ZAP and ZA+ 4.0 included the ability to control logging at a detailed level with the new expert rules, I just decided to block these (and two other common worm ports) without logging.
For those that don't know about ZAP's background: there used to not be too many logging options. It was log everything, log only what Zone Labs considered "high" security events, or log nothing at all. Well, I still want to see the other traffic being blocked, all of which is far less frequent and perhaps more interesting than 200 or more 137/udp messages a day.
So, I created the rule shown in the image below. The key points in that image are: 1. Action is set to "Block", and 2. Track (which is the logging control) is "None".
In any case, this is just another option. But, as stated above, this feature is only available in the new paid versions of ZAPro or ZAPlus.
CrazyM
July 16th, 2003, 08:10 PM
Hi maes
-{ Quote: "So my question: what are all these attacks about? they really got me worried." }-
Port 137 scans are one of the most frequent you will see show up in your logs. This will be for any number of reasons: misconfigured systems, not so nice people looking for vulnerable systems and in particular because of some recent mass mailing viruses and worms.
They are nothing to be worried about, your firewall is just doing what it is supposed to :). I would normally see 500+ of these per day at its peak.
The easiest thing to do is just ignore them.
If your firewall has the ability, create a block - no log rule, as LWM suggested. Does your logging utility for ZA provide the option to ignore things like this? (I configure the logging utility for my router/firewall not to log inbound udp to port 137)
...putting on devil's advocate hat ::)
Allowing these packets through the firewall to a listening application (TDS, PortPeeker) may help in reducing your logs, but defeats the purpose of having the firewall: to block unsolicited traffic and not allow it to enter your system/network. Unless you have a particular need or reason to monitor these packets, let the firewall do its thing.
Regards,
CrazyM
LowWaterMark
July 16th, 2003, 08:49 PM
-{ Quote: CrazyM: "...putting on devil's advocate hat ::)
Allowing these packets through the firewall to a listening application (TDS, PortPeeker) may help in reducing your logs, but defeats the purpose of having the firewall - to block unsolicited traffic and not allow it to enter your system/network. Unless you have a particular need or reason to monitor these packets, let the firewall do it's thing." }-
Very true! But, if we always did the right thing it wouldn't be as much fun. ;D
DolfTraanberg
July 17th, 2003, 08:00 AM
BTW, when you intercept those packets and dump them, you're doing exactly the same thing a firewall does in stealth mode.
Dolf
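The posts above discuss letting a listener (TDS, PortPeeker, Port Explorer) receive the UDP/137 datagrams instead of having the firewall log them. Those datagrams are NetBIOS Name Service queries, and the scanner and worm probes are typically the wildcard node-status query. As an added example that is not part of the original thread and not code from any of those tools, the Python below builds such a probe from the RFC 1002 wire format, decodes it (including the first-level name encoding that turns "*" into CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA), and includes a listener that decodes whatever arrives without ever answering, which is the passive dump Dolf describes. The sample datagram is constructed, not captured; binding port 137 needs administrator rights and only works if the firewall passes the port, with the trade-off CrazyM points out.

```python
"""Decode NetBIOS Name Service (UDP/137) queries of the kind a port listener
sees once the firewall is told to pass them.

Added example, not part of the original thread and not code from TDS,
PortPeeker or Port Explorer. The wire format follows RFC 1002; the sample
datagram comes from build_node_status_query(), not from captured traffic.
"""
import socket
import struct

NBNS_HEADER = struct.Struct("!HHHHHH")  # TRN_ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
QTYPE_NAMES = {0x0020: "NB (name query)", 0x0021: "NBSTAT (node status)"}


def encode_name(name, suffix=0x00):
    """RFC 1002 first-level encoding: the 15-character name padded with spaces
    plus a one-byte suffix, every nibble written as a letter 'A'..'P'. The
    wildcard '*' is padded with NULs instead, which is why scanner probes
    carry the name CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA."""
    if name == "*":
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    return bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))


def decode_name(encoded):
    """Reverse of encode_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded name must be 32 bytes")
    if any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("name contains characters outside 'A'..'P'")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]


def build_node_status_query(trn_id=0x1234):
    """The probe a NetBIOS scanner sends (and what `nbtstat -A` sends): one
    NBSTAT question for the wildcard name, class IN."""
    header = NBNS_HEADER.pack(trn_id, 0x0000, 1, 0, 0, 0)
    question = bytes([32]) + encode_name("*") + b"\x00" + struct.pack("!HH", 0x0021, 0x0001)
    return header + question


def parse_nbns(datagram):
    """Parse the header and first question of an NBNS datagram; raises
    ValueError for anything that is not a well-formed single-label query
    (scope IDs after the name are not handled)."""
    if len(datagram) < NBNS_HEADER.size:
        raise ValueError("short NBNS header")
    trn_id, flags, qd, an, ns, ar = NBNS_HEADER.unpack_from(datagram)
    info = {"trn_id": trn_id, "is_response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0x0F, "broadcast": bool(flags & 0x0010),
            "qdcount": qd}
    if qd == 0:
        return info
    off = NBNS_HEADER.size
    if len(datagram) < off + 38 or datagram[off] != 32:
        raise ValueError("unexpected question name encoding")
    name, suffix = decode_name(datagram[off + 1:off + 33])
    if datagram[off + 33] != 0:
        raise ValueError("scope ID present; not handled here")
    qtype, qclass = struct.unpack_from("!HH", datagram, off + 34)
    info.update({"name": name, "suffix": suffix, "qclass": qclass,
                 "qtype": QTYPE_NAMES.get(qtype, hex(qtype)),
                 "wildcard_status_probe": name == "*" and qtype == 0x0021})
    return info


def listen(port=137, count=10):
    """Bind UDP/137 (needs administrator/root, and the firewall must pass the
    port) and decode the next `count` datagrams. Nothing is ever sent back,
    which keeps this a passive dump rather than an emulated NetBIOS host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        for _ in range(count):
            data, (ip, sport) = s.recvfrom(1024)
            try:
                q = parse_nbns(data)
            except ValueError as e:
                print(f"{ip}:{sport} {len(data)} bytes, not a plain NBNS query: {e}")
                continue
            tag = " [wildcard node-status probe]" if q.get("wildcard_status_probe") else ""
            print(f"{ip}:{sport} trn=0x{q['trn_id']:04x} {q.get('qtype')} for {q.get('name')!r}{tag}")


if __name__ == "__main__":
    probe = build_node_status_query()
    print(probe.hex())
    print(parse_nbns(probe))
    # listen()  # uncomment on a host where binding UDP/137 is permitted
```

The listener only decodes; it never replies, so a scanner on the other end learns nothing more than it would from a silently dropping firewall, which is the equivalence Dolf draws. Answering the query (what TDS's emulation does) is a different decision: it hands the sender your NetBIOS name table and marks you as a live target.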
maes
July 18th, 2003, 03:35 PM
Hi,
Sorry for the late reply, but I've been a bit busy.
I tried the online scanner from Panda, and it found nothing :) So now I'm convinced this is only background noise.
I don't have ZA Pro, only the free version. I can only choose between High, Medium or Low.
Now the Internet firewall is on High and the network part is on Low.
But I have a webserver running and occasionally host a Tetrinet server. When ZA is in High mode, no one can get on the server. So can I risk putting ZA on Medium? Because I need port 80 to be open and I can't choose individually which ports to be open or closed.
I'm only a student and I would prefer to spend my money on other things than a firewall. So what is your advice? Can I risk putting ZA on Medium (is there a big difference in security between High and Medium) or is it money well spent on the firewall?
I don't hang out on hacker sites, IRC or stuff like that. Only a few programming forums and the occasional Google search and surf thing. So I'm not the kind of guy who's giving info away and looking for trouble, but what are the chances that trouble finds me?
thanks
edit: Is the ZoneAlarm website offline? All I get is a blank page (no 404, nothing)
http://www1.zonelabs.com/
DolfTraanberg
July 18th, 2003, 03:59 PM
You leave the security settings the way you want. Just give the server programs server rights in ZA.
Dolf
LowWaterMark
July 18th, 2003, 04:05 PM
Hi maes,
If as Dolf suggests, giving the web server and tetrinet server programs server rights works, allowing full functionality for those you want to grant access to, then by all means, leave the firewall set to High for the Internet Zone.
If it doesn't work, but setting it at Medium does, then that ought to be okay. At Medium, ZAF still blocks things like NetBIOS and RPC from the Internet, and Program Control is unaffected by lowering the firewall setting, so your outbound protections remain the same. You could set ZAF to Medium just when you want to allow people access to these servers and then return it to High.
Jooske
July 18th, 2003, 04:20 PM
I always have the trusted zone on medium as well.
A former version of ZAPro could only run in Medium for me because of the ADSL connections, and I never felt really nice with that; now the newer versions are on High all the time, I feel so much better!
Even though i have to change the way of suppressing the UDP 137 alerts, but that's ok to me :)
With VisualZone on, i see also lots of outbound UDP 137 traffic for all the automatic backtraces duhh! :)
So maybe in the 500 logged lines are 3-10 different ones in general, of which only 1 or 2 need further attention, so why waste energy on all those 137 things?
maes
July 22nd, 2003, 06:10 AM
Again sorry for the late reply :-[
you guys have been of great help to me.
I can sleep on both ears now (if you say that in english :D)
thanks
maes
thehulky1
August 2nd, 2003, 10:54 PM
I think you will find, if you do DNS lookups on the offending addresses, that they are your ISP's core that runs the ISP and tracks you if it so desires. The more of these you get, the more they're keeping an eye on you in your computer.
see new topic: Max Sec FW Rules okay!!!
DolfTraanberg
August 3rd, 2003, 07:30 AM
hi thehulky1, and welcome
I don't know if I understand you correctly, but if I look at the origin of all those IPs, then they come from all over the world, and I'm sure my ISP isn't THAT big ;D
Jooske
August 5th, 2003, 12:10 PM
Don't know how it is with you guys, but at the moment I have more port 17300 scans than ever, from everywhere in the world, some 500 today already.
17300 is the default for the RAT Kuang2 The Virus.
Had them each day, around 10/day, but never this many!
LowWaterMark
August 5th, 2003, 12:51 PM
I'm getting more 17300's than usual, too, but, not that many. I'll tell you this, the new upsurge in TCP port 135 (based on the new RPC exploits, I imagine) are the most frequent thing I'm seeing since yesterday.
DolfTraanberg
August 5th, 2003, 01:55 PM
-{ Quote: LowWaterMark: "
I'll tell you this, the new upsurge in TCP port 135 (based on the new RPC exploits, I imagine) are the most frequent thing I'm seeing since yesterday.
" }-
Are those packets UDP or TCP?
Dolf
LowWaterMark
August 5th, 2003, 02:28 PM
-{ Quote: Dollefie: "-{ Quote: LowWaterMark: "
I'll tell you this, the new upsurge in TCP port 135 (based on the new RPC exploits, I imagine) are the most frequent thing I'm seeing since yesterday." }-
Are those packets UDP or TCP?
Dolf" }-
The upsurge I'm seeing is in TCP port 135 connection attempts. This is where Microsoft's DCOM RPC interface is accessed, and where the recently discovered vulnerabilities are located. See this CERT Advisory:
http://www.cert.org/advisories/CA-2003-19.html
DolfTraanberg
August 5th, 2003, 02:36 PM
Thanks
Jooske
August 5th, 2003, 03:10 PM
I'm at around 900 now for 17300 scans today; is this really the one I wrote about above, or are there more using that port today? Lots from Asia.
I'll put my TDS TCP Port Listen on that port to see what happens.....
Dan Perez
August 5th, 2003, 04:33 PM
Hi Jooske,
I haven't heard of anything new using 17300 but I have noted previous surges for Kuang2 so it is probably just another surge.
Dan
Grendel
August 5th, 2003, 07:30 PM
I noticed a 17300 spike on July 26 and a lesser spike July 30. Mostly Asia. But July 26 was the biggest, and that was 12 in all. Geez...nobody wants to go after my 17300 :) :) :).
Jooske
August 6th, 2003, 02:25 AM
No, for mine neither since around 2 this morning; I even opened the gates and have TDS > Network > TCP Port Listen wide open for them, acting as a server. Last night I had replies every few seconds, now nothing in several minutes, so they are no longer interested!
Or asleep.
The scans came really from everywhere in the world, did not see a specific pattern although many from Asiatic countries.
On PacketStorm it showed a nice peak as well, and also there only the Kuang2 virus was mentioned, so not sure what this amount yesterday was. Over 1100 yesterday and some 100 after midnight; now it's all silent and it's just the regular many 137 again.
DolfTraanberg
August 6th, 2003, 02:45 AM
-{ Quote: Jooske: "
i even open the gates and have in TDS > Network > TCP Port Listen wide open for them, acting as a server...
" }-
When you open the ports, then there will be no log, because you don't block them.
Or am I missing something ???
Jooske
August 6th, 2003, 08:15 AM
TCP Port Listen you can give server rights, so it acts as a server (emulated of course), and IPs trying to connect you see displayed in that window.
Last night I caught several every few seconds.
When you keep silent you just see them connect and close, but if you react in any way in that window you get a reply from them, a data packet. Still innocent, as you're not really infected so it can't do anything. But to make sure, best to close the connection anyway after that.
Of course I tried reacting to them a few times and got different filenames which are not on my system each time, so the connections were dropped anyway.
In the fw log is nothing, or it should be my own backtraces where I did take that trouble.
Since 2 this morning (so 12 hours now) still none on that port even when I open the listening function, and deep scanning doesn't show me being infected, so maybe the ISP closed that port off.