Script to get rid of port 137 scan logs

I stole Jooske’s idea to let TDS listen on port 137 and modified a SS3 script to do so
Dolf

Code:

Sub Main
  Call LoadSocket(137)   'xsocket(0) - listen on port 137
  Call CheckListening(CInt(0))'test that the socket is listening
End Sub

Sub LoadSocket(xPort)  'xPort = port to listen on
On Error Resume Next
 Call LoadObject("xSocket",0)
 If xSocket(0).State <> 0 Then xSocket(0).Close
 xSocket(0).LocalPort = xPort
 xSocket(0).Listen
End Sub

Sub CheckListening(xIndex)
On Error Resume Next
 If xSocket(0).State = 2 Then
    Call AddLine("Socket","Listening on Port:" & CStr(xSocket(0).LocalPort))
 Else
    Call AddLine("Socket","Could not listen!")
 End If
End Sub

Sub xSocket_Error
 Call AddLine("Socket","Error: " & CStr(xSocket(xSocketIndex).Tag))
End Sub

 

Re:Script to get rid of port 137 scan logs in ZoneAlarm

Excellent work Dollefile. Don't run ZA myself but I am sure ZA / TDS users will appreciate it.
Looking at my WallWatcher log I am still getting hundreds of hits a day still

 

Re:Script to get rid of port 137 scan logs in ZoneAlarm

Dolf reported the thread locked I believe I did it inadvertantly? Sorry - Should be OK now

 

Re:Script to get rid of port 137 scan logs in ZoneAlarm

Nice script Dolf, for me it works, TDS listening nicely on both TCP and UDP 137, nothing in the logs for ZAPro. In PE it gives nicely the TDS icon for it, and till now did not see connections, while normally without a port listening on that i have them still every few seconds.
To you the honor to post it in the members forum. You might like to paste it in the other script to be started by button click.

 

Re:Script to get rid of port 137 scan logs in ZoneAlarm

My first version was actually working with buttons, but then I asked myself the question: :”why do I want to be able to turn it off?” and removed them again, so that they can be used for other purposes.
Dolf

 

Re:Script to get rid of port 137 scan logs in ZoneAlarm

Can also add them under one of the buttons ScriptCmd 1/2 in the console.
If you make a Form1, button calling Form2, other button on Form2 back to Form1, maybe another button on either Form1 or Form2 going to Form3, etc so you can chain your scripts. In TDS-3 you can run only one script active at a time, but nothing against calling another script to be temporary active till you call another one.
The form/button is one way, the dropdown menus are nice too to practice with, or a thing asking to fill in which port we like to listen and rightclick on the console opens the stuff, whatever...... Very nice things!

 

I changed the name of the thread because I think that it might work with other firewalls as well.
Dolf

 

Thanks for changing the title yes. For me it is ok, but seeing Pilli above with Wallwatcher still full with knocks, not sure if that is with or without running the script?

 

Jooske,
I use a Linksys router, so for me it is not a problem, I just port forward to an imaginary PC on my LAN such as 192.168.1.109 (creating a blackhole). No need for TDS to do the work.

 

But doesn't that give miles long logfiles for portscans, or Ddos effect or any other negative effect on your resources or bandwidth?
Can imagine no need for TDS for this matter, with routers and all around. In fact i'm surprised ISPs collectively seem not to have been able to get rid f them somehow in other ways t closing temporary infected accounts like they did here with the Yaha/Lentin outbreak.

 

Jooske,
You can decide exactly what you want to log with WallWatcher, Just inbound or outbound or even exclude individual addresses or URL's My lagrest logfile over 24hours since October is 72K, For instance I do not log any POP/SMTP servers as this creates a lot of entries over a day.

Here is a small part of yestredays logs showing the 137 rubbish:
You will notice that they are all routed to the 192.168.1.9 blackhole.
I have noticed no bandwidth degradation using ths method.

2002/12/21 08:36:27.22 I 218.10.208.40 1086 192.168.1.9 137
2002/12/21 08:42:25.19 I 218.93.255.90 1026 192.168.1.9 137
2002/12/21 08:50:50.64 I e16086.upc-e.chello.nl(213.93.16.86) 1071 192.168.1.9 137
2002/12/21 08:51:08.67 I 208.200.80.7 54253 192.168.1.9 137
2002/12/21 08:51:43.91 I w069.z067105165.nyc-ny.dsl.cnc.net(67.105.165.69) 1025 192.168.1.9 137
2002/12/21 08:53:11.28 I 61.171.69.81 1029 192.168.1.9 137
2002/12/21 08:56:21.77 I red-corb1-200382-206.telnor.net(200.38.2.206) 18032 192.168.1.9 137
2002/12/21 09:04:55.52 I 210.65.54.86 1027 192.168.1.9 137
2002/12/21 09:10:11.52 I 218.58.209.9 2600 192.168.1.9 137
2002/12/21 09:12:16.48 I sw59-207-177.adsl.seed.net.tw(61.59.207.177) 1028 192.168.1.9 137
2002/12/21 09:12:40.56 I 203-195-136-108.now-india.net.in(203.195.136.10 1031 192.168.1.9 137
2002/12/21 09:17:56.05 I 218.16.39.138 1028 192.168.1.9 137
2002/12/21 09:19:03.81 I 217.131.33.196 1028 192.168.1.9 137
2002/12/21 09:20:51.11 I 200.223.216.2 1026 192.168.1.9 137
2002/12/21 09:21:12.67 I pc3-alde1-5-cust24.glfd.cable.ntl.com(80.6.25.24) 1038 192.168.1.9 137
2002/12/21 09:24:40.92 I 212.19.79.192 48465 192.168.1.9 137
2002/12/21 09:27:33.92 I 219.240.15.73 1028 192.168.1.9 137

 

Hey phili
You're doing great, its the same thing Jooske and me are doing, just get it and dump it.
But maybe someone can use a hand.
Dolf

 

Thanks Dolf,
I also use the same technique for port 80 and 8080.
Put a dummy PC in the DMZ of the router & forward the ports to it for guarranteed stealth.

Have noticed very little effect on performance I can still DL at 73KBs on a 75 KBs (600kbs) cable connection, providing the site I DL from can handle it.

Use Sygate Pro 5 as a back up software firewall mainly for ougoing connections + Port Explorer monitoring processes and connections.