Stopping the 137 port scans

Discussion in 'polls' started by Jooske, Oct 3, 2002.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

    here is a good article for those of you still following the Honeynet people.

    Oh my ,,, was this a Linux machine ? LOL

    http://project.honeynet.org/scans/scan22/sol/sotm22/
     
  2. Bethrezen

    Bethrezen Registered Member

    Joined:
    Apr 16, 2002
    Posts:
    546
    hi all

    i just had an odd acrence on my comp and things went haywire and i needed to restart my com and it got me thinking and i was windering if i could use spyblockers pac file to stop these probes by blocking the ip that thay are coming from what do ya think do ya recken it could work and give me a lil pice and quiet so that i wont keep getting these dam scans
     
  3. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Howdy
    I just went and opened "Spyblocker" up on wordpad and I hit ctrl+F, so I could find if the port 80 was marked there. It is there, and you are able to change it whatever you like but is it "legal" I dunno . And if you are brave enuff to try damn thingy for udp scans.... :p to make them invisible, how can you be sure after they don´t show up, there is activity at all ? just asking. I prefer checking firewall´s log file ;)
    -Ari-
     
  4. controler

    controler Guest

    Bethrezen


    I might be wrong here but I think those port 137 scans are comming from hundreds of thousands of different IP addresses.
    You would need to write a nice peice of software that would detect the intrusion and instantly ad a block to that IP/
    that is if you don't just stop all traffic from that port.

    I decided to ret Kaspersky's Anti-Hacker firewall beta again.
    I am finding the rules are pretty userfirendly to setup
    I am just messiing around with port 137 now.
    This is a brand new install of Windows ME and I am getting DLL errors with the new beta. oh oh
     
  5. snowman

    snowman Guest

    Would someone be so kind as to bring me up to date on this issue....I've only been back on the net less than a week.
    during the time back.....I have not received any...none...scans on port 137...........numerous other scans......none on 137.....a few on port 111.....
    I do have a blocker listening on ports 137 tcp and udp...no connection attempts showing.....firewall not being hit...............
    numerous NetBios Name hits....could this be what this subject is about ?

    Thanks in adcance

    snowman
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,247
    Location:
    New England
    This thread has some good information on the viruses/worms thought to be responsible for the massive increase in NetBIOS Name (UDP 137) port scans:

    https://www.wilderssecurity.com/showthread.php?t=3986

    It was mainly in reference to UDP 137 scans that this poll was started. Looking to find ways to reduce the impact on people's systems from the high volume of scans.
     
  7. snowman

    snowman Guest

    LowWaterMark

    appreciate you taken the time to reply....I was totally un-awear of the details.....an just read the entire link you provided.
    now I am wondering why I am not getting these scans since yesterday.......none today. there never was any port 137 udp connection attempts made on my computer...the NetBios Name scans were all on other ports....FE: port **** to port #### I must be missing something in my understanding of this.

    don't really know how to reply to the topic.....sure there are ways of blocking the evil port.........an for every two people that block the port ..20 million wont....an the internet remains jammed..........for every two persons who follow safe computing.......20 million wont.
    got to give this some thought.

    snowman
     
  8. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    hi there snowman - 'tis great to read your posts again!

    i have been keeping a close eye on my router's log since people first started posting about these scans on port 137, and i am guessing my ISP must be blocking it or something because i have not seen one scan attempt on that port in my router's log. Not complaining though! i don't mind being left out for those scans......but i am curious why so many have gotten them and i haven't seen one.

    snap
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,247
    Location:
    New England
    There have been discussions in various places since this whole Opaserv/Bugbear thing started regarding whether or not ISPs should block the NetBIOS ports. Some people have said their ISPs have always blocked these ports (and they haven't seen a single scan). A couple others said their ISP notified them recently that they were going to start blocking these ports in response to the new threat.

    Mine does not block them, though, frankly I would not have a problem if they did. I would never use NetBIOS over the Internet, so having access to these ports isn't of any value to me. It just means I can get these scans coming in, which I'd prefer did not happen.

    I wonder how many people actually use NetBIOS over the Internet and what the negative impact would be if all ISPs blocked it? The positive impact would be to kill these scans instantly.
     
  10. snowy

    snowy Guest

    (sorry for the delayed reply.....)



    SNAPDRAGIN

    so very very nice to see you again.....an will be looking forward to sharing many future posts.


    LowWaterMark

    once again I am in full agreement with you...I would never use any form of file sharing..........since I have a new IP I've no idea if they are blocking netbios....no matter...I have it blocked......since day one of turning this computer on! Surely these scans must be flooding the pipes of IP's..........it would be to their best interest to block the ports.
    this issue really has me thinking......its not a new issue...an therein lies the real issue....imo.
    at the moment I am at a lost to comment further...I very much appreciate the topic....


    snowman
     
  11. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Well initially I was seeing around 200 log entries a day.
    Then 300+ and as it approached 400 I got tired of all that crap in the logs.

    Solution was to create a rule to block inbound udp 137 No Logging and place it at the top of my rule set. Voila...now my fiewall is not constantly writing to the logs.

    With NIS I can see how many times that rule is matched (even though there is no log entry) and it is over 500 per day now :eek:

    Regards
    CrazyM
     
  12. snowy

    snowy Guest

    Still...no scans for the past 24 hours,,,,,

    last night I noticed that DECOM SERVICES (printer ) listens on ports 135 ,,,1028 tcp.........in fact it can't be blocked...will piggyback outbound on another program ...so perhaps those with a rule based firewall could use this to their advantage,,,,,,by assigning the above ports to the ports of their choice............with netbios disabled.
    perhaps the more knowledgeable here can comment on this. if this is possible...an secure....in the future it could be used on other scans.

    snowman
     
  13. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Isn´t it possible to make UDP 137 appearing for everyone who knows password ? That would cause ofcourse pop up on intruders screen, and if it was a trojan causing that......

    Just thinking... you are wiser than me :p
    - Ari
     
  14. snowy

    snowy Guest

    Krusty

    just a thought......for a pop-up to appear on another person's machine.......would mean that a connection from machine to machine would have to be made..however briefly..........hmmmmmm.....maybe thats not so good...

    snowman
     
  15. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Snow
    If the password is not easy hhhmmm....and the most of attacks are just trojan ones, as I said was only a thought.
     
  16. snowy

    snowy Guest

    Krusty

    please don't mis-understand.......was caution on my part when commenting...............alot can happen once a machine to machine connection has been established...that a password would not prevent.......

    snowman
     
  17. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Snow
    Sure I know the risk ok......
    -Ari
     
  18. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    UDP 137 probes seems to be stopped today 11.11 2002 for now....
    -Ari
     
  19. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,247
    Location:
    New England
    Hi Krusty,

    Maybe you got lucky and your ISP started blocking the NetBIOS ports at their routers. I wish mine would do that. :D

    Best Wishes,
    LowWaterMark
     
  20. museheart

    museheart Registered Member

    Joined:
    Jan 3, 2003
    Posts:
    87
    Location:
    USA
    How does one block ports if you are not running Zone Alarm. I have Sygate Personal Firewall but if there is a way, I haven't figured it out. I also have a router - haven't figured that out either except to block myself. lol

    Hey, I'm a writer, sorry.

    How do you get Karma around here?

    Peace,
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,489
    Location:
    Netherlands
    Hi museheart,

    About blocking ports with Sygate PF: check out this site: http://bellsouthpwp.net/i/k/ikpe/SygateBasicsPt2.html especially under Advanced Rules.
    About the karma: you need 50 posts to be able to give and receive karma. To increase someones positive karma you click applaud.
    And for those two that don't know: ;) The other button is called smite and not smile :D

    Regards,

    Pieter
     
  22. museheart

    museheart Registered Member

    Joined:
    Jan 3, 2003
    Posts:
    87
    Location:
    USA
    Dear Pieter,

    Thank you!!!

    I am ever so grateful!

    Peace,
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.