ZA: A lot of attacks at port 137

Discussion in 'other firewalls' started by maes, Jul 16, 2003.

Thread Status:
Not open for further replies.
  1. maes

    maes Registered Member

    Joined:
    Jul 16, 2003
    Posts:
    19
    Hi,

    first of all, I don't know if this is the right forum, if not, I'm sorry :(

    According to ZoneAlarm, I have a lot of attacks on my NetBIOS port 137:
    in the last 5 days about 1258 attacks :eek:

    I have no idea what's causing it. I scanned with NAV, Ad-aware and Spybot Search & Destroy. None of them found anything.

    I used a packet sniffer to see what was going on, but the sniffer didn't find anything on port 137. So either ZA is doing a good job and blocking the attacks, or ZA is going a bit nuts and is inventing them (I think the first option).
    I have a dynamic IP, so how can they find me? At first I thought that I was sending out a signal of some sort and that's how they find me, but the packet sniffer didn't show anything out of the ordinary, except for one thing: I'm occasionally doing a broadcast to 255.255.255.255. My first guess is that this is my PC looking for a DHCP server somewhere. But I have no DHCP server running, so how can I turn this off?

    So my question: what are all these attacks about? they really got me worried.

    thanks

    Maes
     
  2. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Hi Maes.
    Hard to answer straight away because I really don't know what you do on your puter, for example do you play online games, do you share your files, do you download a lot of stuff from some network (etc. questions). The more you do on the net, the more attacks you will have, that's a fact. And do you chat often in chat rooms? There are "ravens of the net" ready to hack and crack your puter.
    UDP 137, file and printer sharing network.... you should consider turning it off and cutting off the bindings as Steve Gibson advises..... just don't do it if you are unsure whether you might need it; if you have a virtual network you might need it, OK. But anyway..... here is Steve Gibson's very popular site where to start studying:
    http://grc.com/su-bondage.htm

    friendliest -Ari


    PS. here you see is your DHCP on or off:
    http://support.ycn.com/www/einwahl/gd3anleitung/wldhcpandwep.htm
     
  3. maes

    maes Registered Member

    Joined:
    Jul 16, 2003
    Posts:
    19
    Hi,

    thanks for the quick reply.

    I do no file sharing, no online games except for tetrinet, no chat rooms.
    About the file and printer sharing: I have one desktop PC and one portable; if I want to copy files from one to another, I need the file and printer sharing, right? (I'm pretty new at this ;) )

    In the meantime, I used the cleaner (found it on the main site) and that didn't say anything.
    I already did the Shields Up and the LeakTest on grc.com a while ago, that was also negative. (Going to do it again right after this post.)

    Maybe a nice and clean format c: would help, who knows.

    BTW: that's a very interesting article on grc that you showed me, thx ;)
     
  4. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Maes.....
    Many times format c: helps only for as long as you don't do the same things which lead to the same situation.... I mean you should stick with what you've got and research and learn more :), as long as your puter works fine.

    Ari
     
  5. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi maes,

    This is likely regular background noise from the internet, produced by people infected with one of any number of NetBIOS-spread viruses. This has been going on for some time though, so if you have had your system / firewall up for some time without having made any changes and all of a sudden you see a major increase, then you really need to assume that you are infected with one of these viruses and what you are seeing is the return traffic.

    It might help to see a brief section of your firewall log (but please paste that snippet in your notepad and change your IP before pasting it here)

    Thanks,

    Dan
     
  6. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Yes! I agree with Krusty that you should hold off on formatting till we get a clearer picture!
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Maes, welcome!
    I take it that it is the internet noise too; for a long time I was able to suppress the UDP 137 from logging, till a later ZAPro update did not allow that anymore, so I get miles-long logs from that too now.
    If you want to see if there is traffic in and out, you might like to install Port Explorer,
    www.diamondcs.com.au/portexplorer where even the free evaluation version shows you traffic and enables spying on the packets.
    You can see in the blink of an eye if there would be anything suspicious and it shows where the traffic comes from, very nice!
    Another one is TDS, same website; after install, update the scan databases from the site and scan all and see if anything would need attention. For the UDP 137, by the sound of it, not.
    With TDS you also have the nice option in TDS > Network > TCP Port Listen to set it on port 137 and see what would be coming in there. Probably nothing, as your firewall blocks it, unless you would unblock that port 137 to see what comes in.....
    For ZA there exist a few nice logfile analysers, of which you might like VisualZone, which analyses and traces the portscans for you. www.visualizesoftware.com (free tool)
     
  8. maes

    maes Registered Member

    Joined:
    Jul 16, 2003
    Posts:
    19
    here's a piece of my log:
    The source IPs are all different, and as you can see, the time between attacks is about a minute. Isn't that a bit much to be background noise?

    And if it is a virus, how come Norton Antivirus doesn't say anything? I scan everything that comes into my computer (email and files), do a full check every week and always download the updates.

    I used CommView (trial version) to scan what was going on on port 137 and CommView didn't detect anything. I'll give Port Explorer a try tomorrow, and I'll try to turn off ZA and see what Port Explorer says about port 137.

    About the logfile analysers: I use ZoneLog Analyser.

    thanks for all the replys guys, I appreciate it

    --Maes
     
  9. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    One of the first things viruses try to do is disable the local AV. Anyway, the traffic you see is characteristic of the background noise.

    If you refer to the port stats on dshield

    http://isc.incidents.org/port_details.html?port=137

    You will see that there are typically 3 million such packets reported daily.

    As a precaution you may want to try an online scanner such as

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    but it really appears as if the logged traffic is just the wretched refuse of the internet :)
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    ZoneLog Analyser is nice too, I have them both (I always first start with recommending free tools if available and good for the job :) ).
    Don't turn off all of ZA, only temporarily allow that port.
    No, nothing will be found on your system; it's others being probably infected and spitting out their joy on everybody's ports.
    If you paste one of the IP addresses into the DShield IP info you might see lots of hits from them.
    www.dshield.org
    My logs really look the same!
    In the meantime I see my posting crossed Dan's; hi Dan, and I see we're on one line (of course).

    See here one of the infected ones in my log at Dshield's:
    IP Address: 142.163.xxx.xxx
    HostName: 142.163.xxx.xxx
    DShield Profile: Country: CA
    Contact E-mail: wcase@xxx.xxx
    Total Records against IP: 584
    Number of targets: 581
    Date Range: 2003-06-17 to 2003-07-16
    Top 10 Ports hit by this source:
    Port Attacks Start End
    137 584 2003-06-17 2003-07-16
    So that person is causing un-nice traffic, and probably is not much online, as I have seen far higher ranges.
    This is only what was reported via VisualZone or otherwise about this IP address, so the real amount can be far higher; at least that amount a day or more!
     
  11. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    I agree w/Dan.

    FWIW, my logs look similar. Most "stops" being made in my ZA logs show hits on 137. Unless you have Netbios running wild, you *shouldn't* be unduly concerned.

    However, I agree that you should "touch all the bases", as covered by the experts here.
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You see:
    FWIN,2003/07/16,12:42:24 +2:00 GMT,64.219.xxx.xxx:1030,xxx.xxx.xxx.xxx:137,UDP
    FWIN,2003/07/16,12:43:46 +2:00 GMT,80.33.xxx.xxx:58060,xxx.xxx.xxx.xxx:137,UDP
    FWIN,2003/07/16,12:44:08 +2:00 GMT,213.77.xxx.xxx:1025,xxx.xxx.xxx.xxx:137,UDP
    FWIN,2003/07/16,12:45:00 +2:00 GMT,142.154.xxx.xxx:1134,xxx.xxx.xxx.xxx:17300,TCP (flags:S)
    FWIN,2003/07/16,12:45:48 +2:00 GMT,81.86.xxx.xxx:1029,xxx.xxx.xxx.xxx:137,UDP
    FWIN,2003/07/16,12:46:56 +2:00 GMT,80.50.xxx.xxx:1028,xxx.xxx.xxx.xxx:137,UDP
    FWIN,2003/07/16,12:47:08 +2:00 GMT,218.87.xxx.xxx:1029,xxx.xxx.xxx.xxx:137,UDP
    FWIN,2003/07/16,12:49:18 +2:00 GMT,218.15.xxx.xxx:1025,xxx.xxx.xxx.xxx:137,UDP
    FWIN,2003/07/16,12:49:42 +2:00 GMT,62.29.xxx.xxx:1085,xxx.xxx.xxx.xxx:137,UDP
    FWIN,2003/07/16,12:50:16 +2:00 GMT,66.72.xxx.xxx:1030,xxx.xxx.xxx.xxx:137,UDP
    FWIN,2003/07/16,12:57:52 +2:00 GMT,210.241.xxx.xxx:1027,xxx.xxx.xxx.xxx:137,UDP
    FWIN,2003/07/16,12:58:04 +2:00 GMT,218.10.xxx.xxx:1028,xxx.xxx.xxx.xxx:137,UDP
    FWOUT,2003/07/16,12:59:08 +2:00 GMT,xxx.xxx.xxx.xxx:137,210.241.xxx.xxx:137,UDP
    FWOUT,2003/07/16,12:59:16 +2:00 GMT,xxx.xxx.xxx.xxx:137,218.10.xxx.xxx:137,UDP

    on a quiet moment.......
     
  13. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    As others have noted, there are a lot of port 137 scans out on the net due to various worms that are out there seeking vulnerable PCs to infect. So your observation is not unique and doesn't mean that there is anything wrong with your setup. Increases in such scans have also been noted by others in other security-related forums. So just because you are seeing an increase does not in itself mean that your PC has been infected or compromised.

    These port scans are like sonar, going out blindly across the net seeking return responses from vulnerable machines. What that means is that they are not directed specifically at you, just that your IP is included in the range of IP blocks they are scanning. Think of someone using a remote control on a cable TV looking for something interesting to watch, letting the remote run through the various channels from 1 onward, scanning through the channels to see if something comes up on the screen that they are interested in.

    If you wish, run port scans to confirm that your ports are not open at a place such as this: http://nanoprobe.grc.com/ and download and run an anti-trojan like Trojan Hunter or TDS to double check and ease your peace of mind. (If you do download a trial version of these apps make sure to update the signature database before you scan. With TDS I think you have to go to the site and download the updates manually.) You can also run online AV scanners like McAfee's for example: http://www.mcafee.com/ and I think Panda has one also. Can't remember all the others available.
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I was just reminded it is possible in the new ZAPro 4 to use the expert rules per port to decide if you want them in the logfile or not, while they keep being blocked.
    You might like to try that for this port 137?
    In the former versions I ran a script some of the TDS family were so nice to script for us, which kept TDS listening on that port and so no logs were registered at all for it: it means TDS served as an emulator for that possible infection, and if I had unblocked that port it would have been able to communicate with the "thing".
    But ZAPro 4 functions differently, so that will be using the expert rules and saves kilometers-long log files!
    The traffic will show up in Port Explorer with the country beside it, nice! And you could decide to block it if you really like.
     
  15. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Hi Maes
    First of all, ZA is blocking traffic on port 137, so you are safe. As long as the port hammering comes from different IPs, you shouldn't be concerned; as has been said before, you can consider this background noise. If you get tired of all those firewall logs: the latest version of ZoneAlarm has an expert mode where you can disable logging on a certain port (I don't know about the freeware version). If this doesn't help, you may want to enable an application to listen on port 137 UDP and let it dump any traffic, then tell ZA not to block that traffic....
    TDS-3 is capable of doing this and PE should be able to as well (I don't know for sure, I'm not using PE), and a number of other programs are capable of doing so.
    Dolf
     
  16. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Jooske and Dolf have described the two exact methods I've used in the past to suppress all those incoming UDP port 137 packets.

    For a while I used a free port listener (PortPeeker (link)) which I set to monitor all incoming UDP port 137 packets. That allowed me, if I wanted, to take a quick look to see if I was getting a large or small number of these, and it also allowed me to see a separate list of the source IPs, again just for spot checking if I was interested in seeing how that traffic was doing.

    Well, finally I decided this was wasting my time since there wasn't anything I could do about them anyway, and because the new version of ZAP and ZA+ 4.0 included the ability to control logging at a detailed level with the new expert rules, I just decided to block these (and two other common worm ports) without logging.

    For those that don't know about ZAP's background: there used to not be too many logging options. It was log everything, log only what Zone Labs considered "high" security events, or log nothing at all. Well, I still want to see the other traffic being blocked, all of which is far less frequent and perhaps more interesting than 200 or more 137/udp messages a day.

    So, I created the rule shown in the image below. The key points in that image are: 1. Action is set to "Block", and 2. Track (which is the logging control) is "None".

    In any case, this is just another option. But, as stated above, this feature is only available in the new paid versions of ZAPro or ZAPlus.
     

    Attached Files:

  17. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi maes

    Port 137 scans are one of the most frequent you will see show up in your logs. This will be for any number of reasons: misconfigured systems, not-so-nice people looking for vulnerable systems and in particular because of some recent mass-mailing viruses and worms.

    They are nothing to be worried about; your firewall is just doing what it is supposed to :). I would normally see 500+ of these per day at its peak.

    The easiest thing to do is just ignore them.

    If your firewall has the ability, create a block - no log rule, as LWM suggested. Does your logging utility for ZA provide the option to ignore things like this? (I configure the logging utility for my router/firewall not to log inbound udp to port 137.)

    ...putting on devil's advocate hat :rolleyes:
    Allowing these packets through the firewall to a listening application (TDS, PortPeeker) may help in reducing your logs, but defeats the purpose of having the firewall: to block unsolicited traffic and not allow it to enter your system/network. Unless you have a particular need or reason to monitor these packets, let the firewall do its thing.

    Regards,

    CrazyM
     
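    The two things this thread keeps coming back to, deciding from the log whether the 137/udp hits are "different IPs, background noise" or "one source hammering, follow up" (Dan's and Dolf's rule of thumb, applied to a log like the one Jooske pasted) and LWM's "block, no log" rule that keeps the rarer events visible, can both be expressed over the ZA log format itself. The block below is an added example written for this thread, not code from ZoneAlarm, TDS, PortPeeker or any poster; it assumes the FWIN/FWOUT,date,time,src:port,dst:port,proto line layout shown above, and the two sample logs are constructed with RFC 5737 documentation addresses rather than anyone's real log.

```python
"""Triage of ZoneAlarm-style firewall log lines for port 137/udp noise.

Added example for this thread, not code from ZoneAlarm or from any poster.
Assumptions: lines follow the FWIN/FWOUT,date,time,src:port,dst:port,proto
layout pasted in the thread; the sample logs below are constructed with
RFC 5737 documentation addresses, not anyone's real log.
"""
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample: 137/udp probes from several hosts, one unrelated TCP
# SYN, and one outbound NetBIOS name query from the protected machine.
SAMPLE_LOG = """\
FWIN,2003/07/16,12:42:24 +2:00 GMT,192.0.2.10:1030,203.0.113.5:137,UDP
FWIN,2003/07/16,12:43:46 +2:00 GMT,198.51.100.7:58060,203.0.113.5:137,UDP
FWIN,2003/07/16,12:44:08 +2:00 GMT,192.0.2.77:1025,203.0.113.5:137,UDP
FWIN,2003/07/16,12:45:00 +2:00 GMT,198.51.100.20:1134,203.0.113.5:17300,TCP (flags:S)
FWIN,2003/07/16,12:45:48 +2:00 GMT,192.0.2.33:1029,203.0.113.5:137,UDP
FWIN,2003/07/16,12:46:56 +2:00 GMT,198.51.100.42:1028,203.0.113.5:137,UDP
FWIN,2003/07/16,12:47:08 +2:00 GMT,192.0.2.10:1029,203.0.113.5:137,UDP
FWOUT,2003/07/16,12:59:08 +2:00 GMT,203.0.113.5:137,192.0.2.10:137,UDP
"""

# Constructed sample: one host hammering the port every five seconds, the
# pattern Dan's reply says should be looked at rather than shrugged off.
TARGETED_LOG = "\n".join(
    f"FWIN,2003/07/16,13:00:{s:02d} +2:00 GMT,192.0.2.99:1025,203.0.113.5:137,UDP"
    for s in range(0, 60, 5)
)


def parse_line(line):
    """Return a dict for one FWIN/FWOUT line, or None for anything else."""
    parts = line.strip().split(",")
    if len(parts) != 6 or parts[0] not in ("FWIN", "FWOUT"):
        return None
    direction, date, time_tz, src, dst, proto = parts
    ts = datetime.strptime(date + " " + time_tz.split(" ")[0], "%Y/%m/%d %H:%M:%S")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "direction": direction,
        "ts": ts,
        "src_ip": src_ip,
        "src_port": int(src_port),
        "dst_ip": dst_ip,
        "dst_port": int(dst_port),
        "proto": proto.split(" ")[0],  # "TCP (flags:S)" -> "TCP"
    }


def triage(log_text, port=137, proto="UDP"):
    """Summarise blocked traffic to one port and apply the thread's rule of
    thumb: many different sources with few hits each is background noise;
    one source dominating is worth following up."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    inbound = [e for e in events
               if e["direction"] == "FWIN" and e["dst_port"] == port and e["proto"] == proto]
    outbound = [e for e in events
                if e["direction"] == "FWOUT" and e["dst_port"] == port and e["proto"] == proto]
    per_source = Counter(e["src_ip"] for e in inbound)
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(inbound, inbound[1:])]
    top_source = per_source.most_common(1)[0] if per_source else (None, 0)

    if not inbound:
        verdict = "no hits"
    elif len(per_source) >= 3 and top_source[1] * 2 < len(inbound):
        verdict = "background noise"
    else:
        verdict = "single source dominates, follow up"

    return {
        "inbound_hits": len(inbound),
        "distinct_sources": len(per_source),
        "top_source": top_source,
        "median_gap_s": median(gaps) if gaps else None,
        # Outbound 137/udp is the box itself doing NetBIOS name lookups; a
        # log analyser back-tracing probe sources will produce these.
        "outbound_hits": len(outbound),
        "verdict": verdict,
    }


def suppress(log_text, port=137, proto="UDP"):
    """Emulate a 'block, no log' rule: drop inbound lines for the noisy
    port from the view and keep everything else, so rarer events stay
    visible."""
    kept = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["direction"] == "FWIN" and e["dst_port"] == port and e["proto"] == proto:
            continue
        if line.strip():
            kept.append(line)
    return kept


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("targeted", TARGETED_LOG)):
        print(name, triage(log))
    print("\n".join(suppress(SAMPLE_LOG)))
```

    The threshold in `triage` (at least three distinct sources and no single source owning half the hits) is a deliberately simple encoding of what the replies above say, not a standard; on a real log of a few hundred lines the interesting number is `top_source`, because a worm-infected neighbour on the same ISP segment shows up as one address repeating while the rest of the noise stays spread out. `suppress` keeps the FWOUT lines on purpose: outbound 137/udp from your own machine is either Windows browsing the LAN or, as Jooske notes later, a log analyser doing backtraces, and that is worth seeing once rather than never.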
  18. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Very true! But, if we always did the right thing it wouldn't be as much fun. :D
     
  19. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    BTW, when you intercept those packets and dump them, you're doing exactly the same as what a firewall does in stealth mode.
    Dolf
     
  20. maes

    maes Registered Member

    Joined:
    Jul 16, 2003
    Posts:
    19
    Hi,

    sorry for the late reply, but I've been a bit busy.

    I tried the online scanner from Panda, and it found nothing :) So now I'm convinced this is only background noise.

    I don't have ZA Pro, only the free version. I can only choose between High, Medium or Low.
    Now the internet firewall is on High and the network part is on Low.
    But I have a web server running and occasionally host a tetrinet server. When ZA is in High mode, no one can get on the server. So can I risk putting ZA on Medium? Because I need port 80 to be open and I can't choose individually which port to be open or closed.
    I'm only a student and I would prefer to spend my money on other things than a firewall. So what is your advice? Can I risk putting ZA on Medium (is there a big difference in security between High or Medium) or is it money well spent on the firewall?
    I don't hang out on hacker sites, IRC or stuff like that. Only a few programming forums and the occasional Google search and surf thing. So I'm not the kind of guy who's giving info away and looking for trouble, but what are the chances that trouble finds me?

    thanks

    edit: Is the ZoneAlarm website offline? All I get is a blank page (no 404, nothing)
    http://www1.zonelabs.com/
     
  21. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    You leave the security settings the way you want. Just give the server programs server rights in ZA.
    Dolf
     
  22. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Hi maes,

    If as Dolf suggests, giving the web server and tetrinet server programs server rights works, allowing full functionality for those you want to grant access to, then by all means, leave the firewall set to High for the Internet Zone.

    If it doesn't work, but setting it at Medium does, then that ought to be okay. At Medium, ZAF still blocks things like NetBIOS and RPC from the Internet, and Program Control is unaffected by lowering the firewall setting, so your outbound protections remain the same. You could set ZAF to Medium just when you want to allow people access to these servers and then return it to High.
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I always have the trusted zone on Medium as well.
    A former version of ZAPro could only run in Medium for me because of the ADSL connection, and I never felt really nice with that; now the newer versions are on High all the time, I feel so much better!
    Even though I have to change the way of suppressing the UDP 137 alerts, but that's OK to me :)
    With VisualZone on, I see also lots of outbound UDP 137 traffic for all the automatic backtraces, duh! :)
    So maybe in the 500 logged lines there are 3-10 different ones in general, of which only 1 or 2 need further attention, so why waste energy on all those 137 things?
     
  24. maes

    maes Registered Member

    Joined:
    Jul 16, 2003
    Posts:
    19
    again sorry for the late reply :oops:

    you guys have been of great help to me.
    I can sleep on both ears now (if you say that in english :D)

    thanks

    maes
     
  25. thehulky1

    thehulky1 Registered Member

    Joined:
    Aug 2, 2003
    Posts:
    1
    I think you will find if you do DNS lookups on the offending addresses that they are your ISP's core that runs the ISP and tracks you if it so desires. The more of these you get, the more they're keeping an eye on you in your computer.
    see new topic: Max Sec FW Rules okay!!!
     