Stopping the 137 port scans

Discussion in 'polls' started by Jooske, Oct 3, 2002.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

    here is a good article for those of you still following the Honeynet people.

    Oh my ,,, was this a Linux machine ? LOL

    http://project.honeynet.org/scans/scan22/sol/sotm22/
     
  2. Bethrezen

    Bethrezen Registered Member

    Joined:
    Apr 16, 2002
    Posts:
    546
    hi all

    i just had an odd occurrence on my comp and things went haywire and i needed to restart my comp, and it got me thinking. i was wondering if i could use SpyBlocker's PAC file to stop these probes by blocking the IP that they are coming from. what do ya think, do ya reckon it could work and give me a lil peace and quiet so that i won't keep getting these damn scans?
     
  3. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Howdy
    I just went and opened "Spyblocker" up in WordPad and I hit Ctrl+F, so I could find if port 80 was marked there. It is there, and you are able to change it to whatever you like, but is it "legal"? I dunno. And if you are brave enuff to try the damn thingy for udp scans.... :p to make them invisible, how can you be sure, after they don't show up, that there is activity at all? Just asking. I prefer checking the firewall's log file ;)
    -Ari-
     
  4. controler

    controler Guest

    Bethrezen


    I might be wrong here but I think those port 137 scans are coming from hundreds of thousands of different IP addresses.
    You would need to write a nice piece of software that would detect the intrusion and instantly add a block to that IP,
    that is if you don't just stop all traffic from that port.

    I decided to try Kaspersky's Anti-Hacker firewall beta again.
    I am finding the rules are pretty user-friendly to set up.
    I am just messing around with port 137 now.
    This is a brand new install of Windows ME and I am getting DLL errors with the new beta. oh oh
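
An added example, not part of the thread: it replays a firewall log and compares reactive per-IP blocking with a single port rule for inbound UDP 137. The log format, addresses, and function names are constructed for illustration and do not come from any product named above.

```python
import re
from collections import Counter

# Constructed sample log (format and documentation-range addresses are made up).
SAMPLE_LOG = """\
2002-10-03 14:02:11 BLOCK UDP 203.0.113.5:1027 -> 192.0.2.10:137
2002-10-03 14:02:40 BLOCK UDP 198.51.100.77:137 -> 192.0.2.10:137
2002-10-03 14:03:02 BLOCK TCP 203.0.113.9:3312 -> 192.0.2.10:111
2002-10-03 14:03:15 BLOCK UDP 198.51.100.23:1030 -> 192.0.2.10:137
2002-10-03 14:04:51 BLOCK UDP 203.0.113.5:1027 -> 192.0.2.10:137
2002-10-03 14:05:09 BLOCK UDP 203.0.113.200:1044 -> 192.0.2.10:137
2002-10-03 14:05:30 BLOCK UDP 198.51.100.8:53 -> 192.0.2.10:1025
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def udp137_sources(log_text):
    """Yield the source IP of every inbound UDP/137 entry, in log order."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["proto"] == "UDP" and m["dport"] == "137":
            yield m["src"]

def netbios_ns_probes(log_text):
    """Counter of source IP -> number of UDP/137 probes seen."""
    return Counter(udp137_sources(log_text))

def compare_strategies(log_text):
    """Reactive per-IP blocking only helps from a source's second probe onward."""
    blocked, first_contacts = set(), 0
    for src in udp137_sources(log_text):
        if src not in blocked:
            first_contacts += 1   # a new source is never on the list yet
            blocked.add(src)
    return {"per_ip_rules": len(blocked),
            "first_contacts": first_contacts,
            "port_rules": 1}      # one "block inbound UDP 137" rule covers all

if __name__ == "__main__":
    print(netbios_ns_probes(SAMPLE_LOG).most_common())
    print(compare_strategies(SAMPLE_LOG))
```

When nearly every probe comes from a new address, the per-IP list grows by one entry per probe and prevents almost nothing, while the single port rule stays at one entry.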
     
  5. snowman

    snowman Guest

    Would someone be so kind as to bring me up to date on this issue....I've only been back on the net less than a week.
    during the time back.....I have not received any...none...scans on port 137...........numerous other scans......none on 137.....a few on port 111.....
    I do have a blocker listening on ports 137 tcp and udp...no connection attempts showing.....firewall not being hit...............
    numerous NetBios Name hits....could this be what this subject is about ?

    Thanks in advance

    snowman
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    This thread has some good information on the viruses/worms thought to be responsible for the massive increase in NetBIOS Name (UDP 137) port scans:

    https://www.wilderssecurity.com/showthread.php?t=3986

    It was mainly in reference to UDP 137 scans that this poll was started. Looking to find ways to reduce the impact on people's systems from the high volume of scans.
     
  7. snowman

    snowman Guest

    LowWaterMark

    appreciate you taking the time to reply....I was totally unaware of the details.....an just read the entire link you provided.
    now I am wondering why I am not getting these scans since yesterday.......none today. there never was any port 137 udp connection attempts made on my computer...the NetBios Name scans were all on other ports....FE: port **** to port #### I must be missing something in my understanding of this.

    don't really know how to reply to the topic.....sure there are ways of blocking the evil port.........an for every two people that block the port ..20 million won't....an the internet remains jammed..........for every two persons who follow safe computing.......20 million won't.
    got to give this some thought.

    snowman
     
  8. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    hi there snowman - 'tis great to read your posts again!

    i have been keeping a close eye on my router's log since people first started posting about these scans on port 137, and i am guessing my ISP must be blocking it or something because i have not seen one scan attempt on that port in my router's log. Not complaining though! i don't mind being left out for those scans......but i am curious why so many have gotten them and i haven't seen one.

    snap
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    There have been discussions in various places since this whole Opaserv/Bugbear thing started regarding whether or not ISPs should block the NetBIOS ports. Some people have said their ISPs have always blocked these ports (and they haven't seen a single scan). A couple others said their ISP notified them recently that they were going to start blocking these ports in response to the new threat.

    Mine does not block them, though, frankly I would not have a problem if they did. I would never use NetBIOS over the Internet, so having access to these ports isn't of any value to me. It just means I can get these scans coming in, which I'd prefer did not happen.

    I wonder how many people actually use NetBIOS over the Internet and what the negative impact would be if all ISPs blocked it? The positive impact would be to kill these scans instantly.
     
  10. snowy

    snowy Guest

    (sorry for the delayed reply.....)



    SNAPDRAGIN

    so very very nice to see you again.....an will be looking forward to sharing many future posts.


    LowWaterMark

    once again I am in full agreement with you...I would never use any form of file sharing..........since I have a new IP I've no idea if they are blocking netbios....no matter...I have it blocked......since day one of turning this computer on! Surely these scans must be flooding the pipes of IP's..........it would be to their best interest to block the ports.
    this issue really has me thinking......its not a new issue...an therein lies the real issue....imo.
    at the moment I am at a loss to comment further...I very much appreciate the topic....


    snowman
     
  11. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Well initially I was seeing around 200 log entries a day.
    Then 300+ and as it approached 400 I got tired of all that crap in the logs.

    Solution was to create a rule to block inbound udp 137 No Logging and place it at the top of my rule set. Voila...now my firewall is not constantly writing to the logs.

    With NIS I can see how many times that rule is matched (even though there is no log entry) and it is over 500 per day now :eek:

    Regards
    CrazyM
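
An added example, not part of the thread or of any firewall product: a small first-match rule evaluator showing why the silent UDP 137 rule has to sit at the top of the rule set, and how a per-rule hit counter keeps the volume visible with no log entries. The rule names, packet list, and `run` helper are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    proto: str        # "UDP", "TCP" or "*"
    dport: object     # port number or "*"
    action: str       # "BLOCK" or "ALLOW"
    log: bool         # write a log entry when this rule matches?
    hits: int = 0     # match counter, kept even when log is False

    def matches(self, proto, dport):
        return self.proto in ("*", proto) and self.dport in ("*", dport)

def evaluate(rules, packets):
    """First-match evaluation; returns the log lines that were written."""
    log = []
    for src, proto, dport in packets:
        for rule in rules:
            if rule.matches(proto, dport):
                rule.hits += 1
                if rule.log:
                    log.append(f"{rule.action} {proto} {src} -> :{dport} [{rule.name}]")
                break             # first matching rule decides; later rules never see it
    return log

# Constructed inbound traffic: (source IP, protocol, destination port).
PACKETS = [("203.0.113.5", "UDP", 137), ("198.51.100.77", "UDP", 137),
           ("203.0.113.9", "TCP", 111), ("198.51.100.23", "UDP", 137)]

def run(order):
    """Return (log entries written, hits on the silent rule) for a rule order."""
    silent = Rule("silent-netbios-ns", "UDP", 137, "BLOCK", log=False)
    catch_all = Rule("default-block", "*", "*", "BLOCK", log=True)
    rules = [silent, catch_all] if order == "silent-first" else [catch_all, silent]
    return len(evaluate(rules, PACKETS)), silent.hits

if __name__ == "__main__":
    print("silent rule first:", run("silent-first"))
    print("silent rule last: ", run("silent-last"))
```

With the silent rule first, only the TCP 111 probe is logged and the counter still records the three UDP 137 hits; with it below the logging catch-all, it never matches and every packet is logged.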
     
  12. snowy

    snowy Guest

    Still...no scans for the past 24 hours,,,,,

    last night I noticed that DECOM SERVICES (printer ) listens on ports 135 ,,,1028 tcp.........in fact it can't be blocked...will piggyback outbound on another program ...so perhaps those with a rule based firewall could use this to their advantage,,,,,,by assigning the above ports to the ports of their choice............with netbios disabled.
    perhaps the more knowledgeable here can comment on this. if this is possible...an secure....in the future it could be used on other scans.

    snowman
     
  13. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Isn't it possible to make UDP 137 appear for everyone who knows the password? That would of course cause a pop up on the intruder's screen, and if it was a trojan causing that......

    Just thinking... you are wiser than me :p
    - Ari
     
  14. snowy

    snowy Guest

    Krusty

    just a thought......for a pop-up to appear on another person's machine.......would mean that a connection from machine to machine would have to be made..however briefly..........hmmmmmm.....maybe that's not so good...

    snowman
     
  15. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Snow
    If the password is not easy hhhmmm....and most of the attacks are just trojan ones, as I said it was only a thought.
     
  16. snowy

    snowy Guest

    Krusty

    please don't misunderstand.......was caution on my part when commenting...............a lot can happen once a machine to machine connection has been established...that a password would not prevent.......

    snowman
     
  17. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Snow
    Sure I know the risk ok......
    -Ari
     
  18. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    UDP 137 probes seem to have stopped today 11.11 2002 for now....
    -Ari
     
  19. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Hi Krusty,

    Maybe you got lucky and your ISP started blocking the NetBIOS ports at their routers. I wish mine would do that. :D

    Best Wishes,
    LowWaterMark
     
  20. museheart

    museheart Registered Member

    Joined:
    Jan 3, 2003
    Posts:
    87
    Location:
    USA
    How does one block ports if you are not running Zone Alarm? I have Sygate Personal Firewall but if there is a way, I haven't figured it out. I also have a router - haven't figured that out either except to block myself. lol

    Hey, I'm a writer, sorry.

    How do you get Karma around here?

    Peace,
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi museheart,

    About blocking ports with Sygate PF: check out this site: http://bellsouthpwp.net/i/k/ikpe/SygateBasicsPt2.html especially under Advanced Rules.
    About the karma: you need 50 posts to be able to give and receive karma. To increase someone's positive karma you click applaud.
    And for those two that don't know: ;) The other button is called smite and not smile :D

    Regards,

    Pieter
     
  22. museheart

    museheart Registered Member

    Joined:
    Jan 3, 2003
    Posts:
    87
    Location:
    USA
    Dear Pieter,

    Thank you!!!

    I am ever so grateful!

    Peace,
     