ZA: Alot of attacks at port 137

Hi,

first of all, I don't know if this is the right forum, if not, I'm sorry

According to Zonealarm, I have alot of attacks on my netbiosport 137.
in the last 5 days about 1258 attacks

I have no idea what's causing it. I scanned with NAV, Ad-aware and spybot search & destroy. none of them found someting

I used a packetsniffer to see what was going on, but the sniffer didn't find anything on port 137. So ZA is doing a good job and blocking the attacks or ZA is going a bit nuts and is inventing them (I think the first option)
I have a dynamic IP , so how can they find me? at first I thought that I was sending out a signal of some sort and that's how they find me, but the packet sniffer didn't show anything out of the ordanary. except for one thing. I'm occasionly doing a broadcast on 255.255.255.255. My first guess is that this is my PC looking for a dhcp server somewhere. Bu I have no dhcp server running, so how can I turn this off?

So my question: what are all these attacks about? they really got me worried.

thanks

Maes

 

Hi Maes.

Hard to answer straight away because I really don´t know what do you do on your puter, for example do you play online games, do you share your files, do you download alot of stuff from some network (etc questions). The more you do on the net, the more attacks you will have, thats a fact. And do you chat often in chat rooms; there are "ravens of the net" ready to hack, and crack your puter.
UDP137, file and printer sharing network....you should consider to turn it off and cut off the bindings as Steve Gibson advices .....just don´t do it if you are unsure you might need it, if you have a virtual networks you might need it ok. but anyways .....here is Steve Gibsons very popular site where to start studying:
http://grc.com/su-bondage.htm

friendliest -Ari


PS. here you see is your DHCP on or off:
http://support.ycn.com/www/einwahl/gd3anleitung/wldhcpandwep.htm

 

Hi,

thanks for the quick reply.

I do no filesharing, no online games except for tetrinet, no chatrooms.
About the file and printersharing: I have one desktop pc and one portable, if I want to copy files from one to an other, I need the file and printersharing right? (I'm pretty new at this )

I the mean time, I used the cleaner (found it on the main site) and that didn't say anything.
I allready did the shields up and the leaktest on grc.com a while ago, that was also negative. (going to do it again right after this post)

Maybe a nice and clean format c would help, who knows.

BTW: that's a very intersting article on grc that you showed me , thx

 

Maes.....
many times format c helps as long time as you do the same things which leads to the same situation....I mean you should stick on what you got and research and learn more , if only your puter works fine.

Ari

 

Hi maes,

This is likely regular background noise from the internet by people infected with one of any number of NetBIOS spread viruses. This has been going on for some time though, so if you have had your system / firewall up for sometime without having made any changes and all of a sudden you see a major increase then you really need to assume that you are infected with one of these viruses and what you are seeing is the return traffic.

It might help to see a brief section of your firewall log (but please paste that snippet in your notepad and change your IP before pasting it here)

Thanks,

Dan

 

Yes! I agree with Krusty that you should hold off on formating til we get a clearer picture!

 

Hi Maes, welcome!
I keep it that it is the internet noice too; long time i was able to suppres the UDP 137 from logging till a next ZAPro update dus not enable that anymore so i get miles long logs from that too now.
If you want to see if there is traffic in and out, you might like to install Port Explorer,
www.diamondcs.com.au/portexplorer where even the free evaluation version shows you traffic and enables spying on the packets.
You can see in the blink of an eye if there would be anything suspicious and it shows where the traffic comes from, very nice!
Another one TDS same website, after install update the scan databases from the site and scan all and see if anything would need attention. For the UDP 137 by it sounds not.
With TDS you also have the nice option in TDS > Network > TCP Port Listen to set it on port 137 and see what would be coming in there. Probably nothing, as your firewall blocks it, unless you would unblock that port 137 to see what comes in.....
For the ZA excist a few nice logfile analysers, of which you might like VisualZone, which analyses and traces the portscans for you. www.visualizesoftware.com (free tool)

 

here's a piece of my log:

the source IP's are all diffrent. and as you can see, the time between an attack is about a minute. Isn't that a bit much to be background noise?

And if it is a virus, how come Norton antivurs doesn't say anything? I scan everything that commes in mto my computer (email and files) and do a full check every week and allways download the updates.

I used commview( trial version) to scan wath was going on on port 137 and he commview didn't detect anything. I'll give the portexplorer a try tomorow, and I'll try to turn of ZA and see what portexplorere says about port 137

about the logfile analysers, I use zonelog analyser

thanks for all the replys guys, I appreciate it

--Maes

 

One of the first things viruses try to do is disable the local AV. Anyways, the traffic you see is characteristic with the background noise

If you refer to the port stats on dshield

http://isc.incidents.org/port_details.html?port=137

You will see that there are typically 3 million such packets reported daily.

As a precaution you may want to try an online scanner such as

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

but it really appears as if the logged traffic is just the wretched refuse of the internet

 

Zonelog analyser is nice too, i have them both (i always first start with recommending free tools if available and good for the job )
Not turn off all ZA, only allow temporary that port.
No, there will not be found anything on your system, it's others being probably infected and spitting out their joy on everybody's ports.
If you would paste one of the IP addresses into the DShield IP info you might see lots of hits from them.
www.dshield.org
My logs really look the same!
In the meantime i see my posting crossed Dan's, hi Dan, and see we're on one line (of course).

See here one of the infected ones in my log at Dshield's:
IP Address: 142.163.xxx.xxx
HostName: 142.163.xxx.xxx
DShield Profile: Country: CA
Contact E-mail: wcase@xxx.xxx
Total Records against IP: 584
Number of targets: 581
Date Range: 2003-06-17 to 2003-07-16
Top 10 Ports hit by this source:
Port Attacks Start End
137 584 2003-06-17 2003-07-16
So that person is causing un-nice traffic, and probably not much online as i have seen far higher ranges.
This is only what was reported via VisualZone or otherways about this IP address, so the real amount can be far higher till that amount at least a day or more!

 

I agree w/Dan.

FWIW, my logs look similar. Most "stops" being made in my ZA logs show hits on 137. Unless you have Netbios running wild, you *shouldn't* be unduly concerned.

However, I agree that you should "touch all the bases", as covered by the experts here.

 

You see:
FWIN,2003/07/16,12:42:24 +2:00 GMT,64.219.xxx.xxx:1030,xxx.xxx.xxx.xxx:137,UDP
FWIN,2003/07/16,12:43:46 +2:00 GMT,80.33.xxx.xxx:58060,xxx.xxx.xxx.xxx:137,UDP
FWIN,2003/07/16,12:44:08 +2:00 GMT,213.77.xxx.xxx:1025,xxx.xxx.xxx.xxx:137,UDP
FWIN,2003/07/16,12:45:00 +2:00 GMT,142.154.xxx.xxx:1134,xxx.xxx.xxx.xxx:17300,TCP (flags:S)
FWIN,2003/07/16,12:45:48 +2:00 GMT,81.86.xxx.xxx:1029,xxx.xxx.xxx.xxx:137,UDP
FWIN,2003/07/16,12:46:56 +2:00 GMT,80.50.xxx.xxx:1028,xxx.xxx.xxx.xxx:137,UDP
FWIN,2003/07/16,12:47:08 +2:00 GMT,218.87.xxx.xxx:1029,xxx.xxx.xxx.xxx:137,UDP
FWIN,2003/07/16,12:49:18 +2:00 GMT,218.15.xxx.xxx:1025,xxx.xxx.xxx.xxx:137,UDP
FWIN,2003/07/16,12:49:42 +2:00 GMT,62.29.xxx.xxx:1085,xxx.xxx.xxx.xxx:137,UDP
FWIN,2003/07/16,12:50:16 +2:00 GMT,66.72.xxx.xxx:1030,xxx.xxx.xxx.xxx:137,UDP
FWIN,2003/07/16,12:57:52 +2:00 GMT,210.241.xxx.xxx:1027,xxx.xxx.xxx.xxx:137,UDP
FWIN,2003/07/16,12:58:04 +2:00 GMT,218.10.xxx.xxx:1028,xxx.xxx.xxx.xxx:137,UDP
FWOUT,2003/07/16,12:59:08 +2:00 GMT,xxx.xxx.xxx.xxx:137,210.241.xxx.xxx:137,UDP
FWOUT,2003/07/16,12:59:16 +2:00 GMT,xxx.xxx.xxx.xxx:137,218.10.xxx.xxx:137,UDP

on a quiet moment.......

 

As others have noted, there are a lot of Port 137 scans out on the net due to various worms that are out there seeking vulnerable PC's to infect. So your observation is not unique and doesn't mean that there is anything wrong with your set up. Increases in such scans have been also noted by others in other security related forums. So just because you are seeing an increase in itself does not mean that your PC has been infected or compromised.

These port scans are like sonar, going out blindly across the net seeking return responses from vulnerable machines. What that means is that they are not directed specifically at you, just that your IP is included in the range of IP blocks they are scanning. Think of someone using a remote control on a cable TV looking for something interesting to watch, letting the remote run through the various channels from 1 onward, scanning through the channels to see if something comes up on the sreen that they are interested in.

If you wish, run port scans to confirm that your ports are not open at a place such as this: http://nanoprobe.grc.com/ and download and run an anti trojan like Trojan Hunter or TDS to double check and ease your peace of mind. (If you do download a trial version of these apps make sure to update the signature database before you scan. With TDS I think you have to go to the site and download the updates manually.) You can also run online AV scanners like McAfee's for example: http://www.mcafee.com/ and I think Panda has one also. Can't remember all the others available.

 

I was just reminded it is possible in the new ZAPro 4 to use the expert rules per port to decide of you want them in the logfile or not, while they keep being blocked.
You might like to try that for this port 137?
In the former versions i ran a script some of the TDS family was so nice to script for us which kept TDS listening to that port and so no logs were registered at all for it: it means TDS served as an emulator for that possible infection and if i would have unblocked that port would have been able to communicate with the "thing".
But ZAPro 4 functions differently so that will be using the expert rules and save kilometers long log files!
The traffic will show up in Port Explorer with the country beside it, nice! And you could decide to block it if you really like.

 

Hi Maes
First of all ZA is blocking traffic on port 137 so you are safe. As long as the port hammering comes from different IP's, you shouldn't be concerned, as been said before, you can concider this as background noise. If you get tierd for al those firewall logs: the latest version of Zone Alarm has an expert mode where you can disable logging on a certain port (I don't know about the freeware version), if this doesn't help you may want to enable an application to listen on port 137 UDP and let it dump any traffic, then tell ZA not to block that traffic....
TDS-3 is capable of doing this and PE should be able too(I don't know for sure, I'm not using PE), and a number of other programs are capable to do so.
Dolf

 

Hi maes

Port 137 scans are one of the most frequent you will see show up in your logs. This will be for any number of reasons: misconfigured systems, not so nice people looking for vulnerable systems and in particular because of some recent mass mailing viruses and worms.

They are nothing to be worried about, your firewall is just doing what it is supposed to . I would normally see 500+ of these per day at it's peak.

The easiest thing to do is just ignore them.

If your firewall has the ability, create a block - no log rule, as LWM suggested. Does your logging utility for ZA provide the option to ignore things like this? (I configure the logging utility for my router/firewall not to log inbound udp to port 137)

...putting on devil's advocate hat
Allowing these packets through the firewall to a listening application (TDS, PortPeeker) may help in reducing your logs, but defeats the purpose of having the firewall - to block unsolicited traffic and not allow it to enter your system/network. Unless you have a particular need or reason to monitor these packets, let the firewall do it's thing.

Regards,

CrazyM

 

btw when you intercept those packets and dump them, you're doing the exactly the same what a firewall does in stealth mode.
Dolf

 

Hi,

sorry for th e late reply, but I've been a bit busy.

I tryed the online scanner from panda, and it found nothing So now I'm convinced this is only background noise.

I don't have ZA pro, only the free version. I can only choose between High, medium or low
Now the internet firewall is on high and the network part is on low.
But I have a webserver running and occasionaly host a tetrinet server. When ZA is in high mode, no one can get on the server. So can I risk it to put ZA on medium? because I need port 80 to be open and I can't choose individualy which port to be open or closed.
I'm only a student and I would prefer to spent my money on other things then a firewall. So what is your advice. Can I risk it to put ZA on medium (is there a big diffrence in security between high or medium) or is it money well spent on the firewall?
I don't hang out on hacker sites , IRC or stuff like that. Only a few programming forums and the occasionaly google search and surf thing. So I'm not the kinda guy who's giving info away and looking for trouble, but what are the chances that trouble finds me?

thanks

edit: Is the zoneAlarm website offline? all I get is a blank page (no 404, nothing)
http://www1.zonelabs.com/

 

You leave the security settings the way you want. Just give the server programs server rights in ZA.
Dolf

 

I always have the trusted zone on medium as well.
A former version of ZAPro could only run in medium for me because of the ADSL connections, and i never felt really nice with that; now the newer versions are on high all time i feel so much better!
Even though i have to change the way of suppressing the UDP 137 alerts, but that's ok to me
With VisualZone on, i see also lots of outbound UDP 137 traffic for all the automatic backtraces duhh!
So maybe in the 500 logged lines are 3-10 different ones in general, of which only 1 or 2 need further attention, so why waste energy on all those 137 things?

 

again sorry for the late reply

you guys have been of great help to me.
I can sleep on both ears now (if you say that in english )

thanks

maes

 

I think you will find if you do dns lookups on the offending addresses that they are your isp,s core that runs the isp and tracks you if it so desires. The more of these you get the more their keeping an eye on you in your computer.
see new topic: Max Sec FW Rules okay!!!