Stopping the 137 port scans

Discussion in 'polls' started by Jooske, Oct 3, 2002.

Thread Status:
Not open for further replies.
  1. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    For several days now we have been plagued with hundreds of knocks on our UDP port 137, mainly caused by Opasoft and/or Bugbear; in the meantime additional ports have shown up. I found a solution which works for me to not have any of those portscans at all, which is:
    Use TDS > Networks > TCP Port Listen > choose port 137 > Listen.
    Afterwards your firewall might ask whether to allow server or not; in both cases it works the same for me: I don't see packets from that entering my system, nor do I get any portscans anymore as long as that function is up, while it immediately starts again when I close that.
    I'm urgently trying to get straight answers from other users on whether that solution works for others as well, or not at all, or if they have other ways to stop them, to be able to give this as advice to other users who in several cases are even DDoSed by those "attacks" and even lose internet connections!
    So please, for the well-being of the internet community as a whole, be so kind as to try this trick on your own system and choose the option which works best for you. Thanks a lot for your cooperation!
     
  2. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Jooske,
    I don't use TDS. I do use ZA Pro and just check my logs now and again to see if someone is still trying to find the key to my door !!
    Regards,
    bill :)
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I use ZA Pro too, and have the NetBIOS ports blocked for incoming and outgoing traffic. But all those portscans drive people crazy, as although they can't pass the FW (yet) you still get the scans, in several cases leading to users' connections being DDoSed and even ADSL connections lost by them.
    I would almost say, if you like, have a try with an eval of TDS and see if it helps you, but I am not promoting the program here for that reason only, of course, as I think there are more programs with that kind of function, or another one which might do the same trick. It's just my goal to get peace and quiet and a safe internet back for all, with whatever tools we have together for that.
     
  4. Bethrezen

    Bethrezen Registered Member

    Joined:
    Apr 16, 2002
    Posts:
    546
    hi all

    I too have noticed this, and I have also been shut down by this a few times. Last night I got somewhere in the region of 300 or more alerts from this. It was kind of strange that the volume of alerts had increased recently, but the odd thing is that most of the alerts were on port 0, not 137, although I have had a few on 137.

    Can't try your trick out as I don't have TDS; I only have ZA Free and VZ.

    Wish I knew a way to stop this sort of thing, because this is not the first time my connection has suffered from this sort of thing. Plus it interferes with my downloads, it slows things down, and sometimes I log on and even though I'm connected at max speed (64k ISDN) the pages won't load, so I need to d/c then r/c, at which I get a different IP and everything works OK, well for a little while anyway.

    Also, if you go to the DShield web page you can look at the world map that shows what sort of alerts have been happening, where and at what rate. Last time I was there this 137 thing made up about 50% of the total alerts received from the UK, where I live.

    I think what is needed here is a little app that can intercept and redirect the probes away from you, maybe back to where they came from; that way it won't interfere with your connection. Maybe an app that works kind of like AdShield: you just add the port number to your block list and then no matter how hard a person tries you will never receive traffic on that port again until you unblock it. Maybe if someone smart here can figure out why what you did with TDS worked for you, they can replicate it in an app for the rest of us.

    Fingers crossed

    Nite
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Bethrezen,
    I've been in such port 0 attacks as well, which I think was people all together playing some game, as on one occasion my log showed all were IPs from universities, from all over the world. Disconnecting, and waiting some quarter of an hour before connecting again, helped me out that time.

    For the 137 port knocking my ISP suggested to keep on warning all knockers' ISPs, as the people probably are infected, and with our warnings we can help to get the internet cleaned out little by little. But I must admit I only warn if I see the same people really frequently on such a port.
    Too many people need that port for file and printer sharing over the internet, so my ISP is not going to filter it out.
    Wish they gave some button or option on their site where customers can enable / disable it at their own wish...

    They only come through when I don't use that TCP Port Listen function. Of course you can put it on whatever port you like for the moment. So a year ago we let port 80 CodeRed packets come in to look at what they are and see the variants. Once we knew what it was I blocked port 80 in my FW too.
    Why don't you try it out: download TDS at www.diamondcs.com.au (look in the DCS > TDS forums here for suggested basic configuration) and try that port listen function to get your peace. You can try it out for free for several days, and in the meantime clean your system from trojans if there are any, and have lots of other tools at hand. The only risk is that you really love and like the tool and don't want to stop using it, or you would not like it and don't mind it stopping after those 30 days.
    So if you get remarkably many portscans on one certain port you could try to quiet it down with that port listen function and, depending on whether you want to see what happens, block that port extra in ZA too.

    I opened this poll of course hoping to see more solutions, as too many people get DDoSed by them...
     
  6. FanJ

    FanJ Guest

    First I would like to apologize to Jooske for not trying her solution.
    I was hit really hard with those scans; so hard that I was indeed DDoSed out.
    My solution (not a cheap one....) was buying a good hardware firewall. So far it has helped me (fingers crossed!).
    I agree with Jooske: it would be very nice if a provider would give its users the option to block it on the provider-level, not by default but giving the user the option to enable such a block.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I'm rather practical, first trying the stuff I have already, before looking at other solutions which might be more permanent, if necessary.
    Of course a router will be a good solution, and I hope you're doing fine with it by now once configured well etc.
    So with the router on it, do you still get the 137 scans in the log files?
    Does it help against being DDoSed out?
    I'm not logging nor seeing them nor being DDoSed out, unless I don't set that TDS function, and then they hit really every few seconds.
     
  8. controler

    controler Guest

    OK, here is my SPF log file on port 137;
    hope you can read it.
    Code:
    1   10/19/2002 19:31:08   Allowed   UDP   Outgoing      63.255.255.255   137   00.000.000.000   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   15   10/19/2002 19:30:03   10/19/2002 19:30:07   GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
    2   10/19/2002 19:31:08   Allowed   UDP   Incoming      00.000.000.000   137   63.255.255.255   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   15   10/19/2002 19:30:03   10/19/2002 19:30:07   GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
    46   10/19/2002 20:10:50   Allowed   UDP   Outgoing      216.160.21.255   137   216.160.21.208   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   18   10/19/2002 20:09:42   10/19/2002 20:09:48   GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
    47   10/19/2002 20:10:50   Allowed   UDP   Incoming      216.160.21.208   137   216.160.21.255   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   18   10/19/2002 20:09:42   10/19/2002 20:09:48   GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
    48   10/19/2002 20:10:50   Blocked   ICMP   Incoming      216.160.20.254   1   216.160.21.208   3
    49   10/19/2002 20:10:50   Blocked   UDP   Incoming      12.84.204.61   1028   216.160.21.208   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   1   10/19/2002 20:09:46   10/19/2002 20:09:46   GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
    66   10/19/2002 20:19:18   Blocked   UDP   Incoming      00.000.000.000   1032   216.160.21.208   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   1   10/19/2002 20:18:13   10/19/2002 20:18:13   GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
    77   10/19/2002 20:22:56   Blocked   UDP   Incoming      00.00.0.000   1025   216.160.21.208   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   1   10/19/2002 20:21:51   10/19/2002 20:21:51   GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
    109   10/19/2002 20:41:31   Blocked   UDP   Incoming      218.148.222.17   1025   216.160.21.208   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   1   10/19/2002 20:40:26   10/19/2002 20:40:26   GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
    113   10/19/2002 21:03:05   Blocked   UDP   Incoming      216.72.232.243   1028   216.160.21.208   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   1   10/19/2002 21:02:00   10/19/2002 21:02:00   GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
    114   10/19/2002 21:05:34   Blocked   UDP   Incoming      12.98.40.54   1044   216.160.21.208   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   1   10/19/2002 21:04:32   10/19/2002 21:04:32   GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
    118   10/19/2002 21:11:58   Blocked   UDP   Incoming      216.69.36.120   1026   216.160.21.208   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   1   10/19/2002 21:10:57   10/19/2002 21:10:57   GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
    182   10/19/2002 23:29:04   Allowed   UDP   Outgoing      67.255.255.255   137   00.00.000.000   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   12   10/19/2002 23:29:03   10/19/2002 23:29:05   GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
    183   10/19/2002 23:29:04   Allowed   UDP   Incoming      00.00.000.000   137   67.255.255.255   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   12   10/19/2002 23:29:03   10/19/2002 23:29:05   GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
    188   10/19/2002 23:30:12   Allowed   UDP   Outgoing      67.255.255.255   137   00.00.000.000   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   3   10/19/2002 23:29:06   10/19/2002 23:29:08   GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
    189   10/19/2002 23:30:12   Allowed   UDP   Incoming      00.00.000.000   137   67.255.255.255   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   3   10/19/2002 23:29:06   10/19/2002 23:29:08   GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
    198   10/19/2002 23:32:51   Blocked   UDP   Incoming      210.201.100.129   1027   00.00.000.000   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   1   10/19/2002 23:32:52   10/19/2002 23:32:52   GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
    238   10/20/2002 07:01:40   Allowed   UDP   Outgoing      67.255.255.255   137   00.00.000.000   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   15   10/20/2002 07:00:33   10/20/2002 07:00:37   GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
    239   10/20/2002 07:01:40   Allowed   UDP   Incoming      00.00.000.000   137   67.255.255.255   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   15   10/20/2002 07:00:33   10/20/2002 07:00:37   GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
    262   10/20/2002 07:06:49   Blocked   UDP   Incoming      217.208.164.217   33566   00.00.000.000   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   1   10/20/2002 07:05:44   10/20/2002 07:05:44   GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
    300   10/20/2002 07:21:50   Blocked   UDP   Incoming      200.195.178.164   1028   00.00.000.000   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   1   10/20/2002 07:20:47   10/20/2002 07:20:47   GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
    317   10/20/2002 07:33:49   Blocked   UDP   Incoming      217.164.103.113   1030   00.00.000.000   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   1   10/20/2002 07:32:48   10/20/2002 07:32:48   GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
     
  9. controler

    controler Guest

    x
     

    Attached Files: SPF.jpg (97 KB, 1,346 views)
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That's a nice log; I see OUTGOING UDP 137 traffic too: is that intentional or...?
    Did you also try any packet sniffer / port listen function or anything at all to not have all those 137 knocks on ports?
    I'm not sure about the rulesets; that is SPF users' knowledge :D.
    I would love to see if such a tool eliminates the knocks and thus the possible DDoSing.
     
  11. controler

    controler Guest

    Some of those incoming and outgoing are confusing me too.
    That is not my IP either way LOL

    Jooske? Are you saying that making port 137 unstealthed
    stops the port scan? I am getting confused on what you mean by listen. As you can see from my SPF log, I am listening on 137.
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Controler, if you still have your TDS copy installed, see what happens if you use the Networks > TCP Port Listen function. I guess the Traffic Bridge would do the same. In the firewall they are still blocked, unless you really want to get them in and look at the packets sent to you.
    Not even sure if it unstealths the port. But you can use it as a server or just connect to the internet and listen for incoming data packets on that. Of course you can take any port number you like.
    Hm, did not even try allowing server and on port 1025 :D

    Isn't this a nice result? TCP Port Listen on port # 137
    Code:
    FWIN,2002/10/19,20:36:16 +2:00 GMT,206.117.161.xx:1371,xxx.xxx.xxx.xxx:80,TCP (flags:S)
    FWIN,2002/10/19,20:41:22 +2:00 GMT,203.198.140.xxx:59022,xxx.xxx.xxx.xxx:80,TCP (flags:S)
    FWIN,2002/10/19,21:01:00 +2:00 GMT,202.118.210.xxx:3872,xxx.xxx.xxx.xxx:80,TCP (flags:S)
    FWIN,2002/10/19,23:03:52 +2:00 GMT,62.139.254.xxx:1667,xxx.xxx.xxx.xxx:27374,TCP (flags:S)
    FWIN,2002/10/20,05:53:36 +2:00 GMT,64.128.237.xxx:60272,xxx.xxx.xxx.xxx:80,TCP (flags:S)
    FWIN,2002/10/20,05:55:50 +2:00 GMT,210.212.216.xxx:2005,xxx.xxx.xxx.xxx:80,TCP (flags:S)
    FWIN,2002/10/20,08:46:00 +2:00 GMT,218.155.10.xxx:0,xxx.xxx.xxx.xxx:0,ICMP (type:3/subtype:3)
    PE,2002/10/20,10:21:50 +2:00 GMT,TCP/IP-opdracht Netstat,xxx.xxx.xxx.xxx:53,N/A
    FWIN,2002/10/20,12:44:56 +2:00 GMT,62.25.209.xxx:4084,xxx.xxx.xxx.xxx:27374,TCP (flags:S)
    FWIN,2002/10/20,13:34:48 +2:00 GMT,212.131.240.xxx:3875,xxx.xxx.xxx.xxx:111,TCP (flags:S)
    FWIN,2002/10/20,14:30:34 +2:00 GMT,65.25.234.xxx:3868,xxx.xxx.xxx.xxx:80,TCP (flags:S)
    FWIN,2002/10/20,16:03:58 +2:00 GMT,62.131.54.xxx:3098,xxx.xxx.xxx.xxx:80,TCP (flags:S)
    
     
  13. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Controler,

    But all that 137-139 stuff is inside your box to an internal address, and that is OK at 0.0.0.0. It is not trying to get outside; it is all normal, and Sygate, just like many other firewalls nowadays, is looking INSIDE the box trying to help all of us decide if something abnormal is going on.
     
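    The SPF log controler posted above mixes subnet NetBIOS broadcast chatter (the x.x.x.255 rows Primrose points out) with blocked probes from outside. The triage script below is an added example, not code from any poster or from Sygate; it assumes the column layout visible in the log (fields separated by two or more blanks) and uses constructed sample rows with documentation addresses, separating the two kinds of traffic and listing sources that hit port 137 repeatedly.

```python
import re
from collections import Counter

# Constructed rows in the Sygate Personal Firewall (SPF) column layout seen in
# the thread: id, date time, action, proto, direction, remote ip, remote port,
# local ip, local port, then (not for ICMP) app path, hit count, stamps, rule.
# Addresses are RFC 5737 documentation ranges, not the poster's real hosts.
SAMPLE_LOG = r"""
1   10/19/2002 19:31:08   Allowed   UDP   Outgoing      198.51.100.255   137   198.51.100.7   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   15   10/19/2002 19:30:03   10/19/2002 19:30:07   GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
48   10/19/2002 20:10:50   Blocked   ICMP   Incoming      198.51.100.254   1   198.51.100.7   3
49   10/19/2002 20:10:50   Blocked   UDP   Incoming      203.0.113.61   1028   198.51.100.7   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   1   10/19/2002 20:09:46   10/19/2002 20:09:46   GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
113   10/19/2002 21:03:05   Blocked   UDP   Incoming      203.0.113.61   1028   198.51.100.7   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   1   10/19/2002 21:02:00   10/19/2002 21:02:00   GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
262   10/20/2002 07:06:49   Blocked   UDP   Incoming      192.0.2.200   33566   198.51.100.7   137   C:\WINDOWS\SYSTEM\KERNEL32.DLL   1   10/20/2002 07:05:44   10/20/2002 07:05:44   GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
"""

NETBIOS_PORTS = {137, 138, 139}  # NetBIOS name, datagram and session services


def parse_spf_line(line):
    """Split one SPF row on runs of two or more blanks (or tabs); None if malformed."""
    fields = re.split(r"\s{2,}|\t", line.strip())
    if len(fields) < 9:  # ICMP rows end after type/code; app rows carry more
        return None
    try:
        return {"action": fields[2], "proto": fields[3], "direction": fields[4],
                "remote_ip": fields[5], "remote_port": int(fields[6]),
                "local_ip": fields[7], "local_port": int(fields[8])}
    except ValueError:
        return None


def classify(entry):
    """Separate subnet NetBIOS chatter from outside probes of the NetBIOS ports."""
    if entry["proto"] != "UDP" or not (
            {entry["local_port"], entry["remote_port"]} & NETBIOS_PORTS):
        return "other"
    # An x.x.x.255 address on either side is the local broadcast name
    # resolution Primrose describes, not a scan from the outside.
    if entry["remote_ip"].endswith(".255") or entry["local_ip"].endswith(".255"):
        return "netbios-broadcast"
    if entry["direction"] == "Incoming" and entry["action"] == "Blocked":
        return "external-probe"
    return "netbios-unicast"


def summarize(log_text):
    """Return (Counter of labels, Counter of remote IPs that probed NetBIOS ports)."""
    labels, probe_sources = Counter(), Counter()
    for line in log_text.strip().splitlines():
        entry = parse_spf_line(line)
        if entry is None:
            continue
        label = classify(entry)
        labels[label] += 1
        if label == "external-probe":
            probe_sources[entry["remote_ip"]] += 1
    return labels, probe_sources


def repeat_offenders(probe_sources, min_hits=2):
    """Sources seen min_hits or more times: the ones worth reporting to their ISP."""
    return sorted(ip for ip, n in probe_sources.items() if n >= min_hits)
```

    Running summarize() over a real SPF export gives the broadcast-versus-probe split at a glance, and repeat_offenders() matches Jooske's practice of only reporting sources that keep coming back.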
  14. controler

    controler Guest

    Primrose

    Yup, I know about the 137-139. I was referring to the firewall log above, the firewall screenshot.
    Look at the IPs starting with 216, etc.
    Those are not my IPs.

    Jooske? You are going to get me to buy TDS-3 yet, aren't you :D
    Have you tried your 137 port listen and then gone to DSLreports to do a port scan to see how that port looks?
    Please do, k?

    Jooske? What is that high number port you have doing?
    FWIN,2002/10/20,12:44:56 +2:00 GMT,62.25.209.xxx:4084,xxx.xxx.xxx.xxx:27374,TCP (flags:S)
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I'm confused about your portscan remark: how should I do that? Does DSLreports have a special page for that?

    If the tool is acting as a server, I could look at other people's intentions trying to play with my "server", with me watching their packets coming in. But by no means would I be able to use it as a scanner on others.

    That 27374 was a portscan on me with maybe S7, I don't know; I could of course have changed the port listen to that 27374, maybe even have unloaded the protecting socket for that, taking away the blocking from the firewall, and played around with the portscanner with one of the nice Scripts. But I never do anything, first looking at what the person is up to, and most of the time they back off automatically when they see they are discovered with a backtrace for instance.
     
  16. controler

    controler Guest

    Jooske

    I meant for you to turn the TDS-3 port 137 listen on.
    Then go to

    http://www.dslreports.com

    On the left side of the page is TOOLS;
    click on that and run the port scan to see if you are still stealthed with that port listening.
     
  17. FanJ

    FanJ Guest

  18. Bethrezen

    Bethrezen Registered Member

    Joined:
    Apr 16, 2002
    Posts:
    546
    hi all

    I just ran across this and was wondering if this could maybe be the answer we are looking for, if you can set it to monitor port 137 instead of 80.

    http://www.hackbusters.net/LaBrea/lbathome.html
     
  19. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You mean this result?
     

  20. FanJ

    FanJ Guest

  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Yeah, nothing interesting found, all dull stuff maybe? :D
    I saw them being blocked by the FW.
    But I hope there comes some solution for that 137 soon.
    As I just found a warning in Kaspersky's newsletter that there is a new Opasoft version which would be worse than the other one. They did not describe the ports that one is using, so I keep to the 137 till new instructions are there.
     
  22. controler

    controler Guest

    Bethrezen

    That Tarpit doesn't support Windows XP
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Looked at it, and to me it seems like a honeypot in which the intruders get stuck until we release them. Hm, not sure if I really want that, so did not get it, but it sounds nice.

    Heya guys, I don't see much voting? Wish we could choose more than one option, but OK, I'm glad we are discussing the matter and trying to find solutions.
     
  24. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Hmm, well, mine's nothing special, but I have blocked all traffic on 137 and 138 with SPF so nothing is happening to me; it doesn't seem to affect anything else, so I'm happy as of yet.

    Oh, BTW, that rule was made to stop that "kernel" crap from sending msgs home or whatever it was doing; it just happened to block this as well.
     
  25. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Being so busy I didn't notice the connection attempts; just checked my router/firewall logs... Yikes! That's a lot of connections. Well, they never actually make it to my machine, so oh well, that's why I bought the router in the first place. exo-skeleton
     