Re: PORT 137

From: Tim Yocum (timat_private)
Date: Tue May 29 2001 - 19:50:46 PDT

  • Next message: David Luyer: "Re: UDP scan from DNS server?"

    Jamie,
    
    Port 137 is part of Windows' NetBIOS service, used by Windows
    machines to resolve WINS names and such.
    
    Those entries probably are there because folks are using nbtstat
    to see what's open on that machine, or they're resolving its Windows
    machine name.
    
    There's a .vbs worm about a year old that causes a lot of port 137
    connections/lookups, but I'm not sure if it's still as hot now as
    it was back then. If you see connections to port 139 as well as 137,
    I'd be a bit more concerned as that would tend to indicate someone
    is trying to access any open shares on that host.
    
    - Tim
    
    In previous mail, Arnold, Jamie said:
    > 
    > 
    > We've seen a large amount of connection attempts to a specific machine here.
    > We're using FlowData to pull this info.  Anyone have any ideas of what this
    > may be?
    > 
    > Thanks
    > 
    > Jamie 
    > > 
    > > 000d 128.226.189.170  0022 66.24.217.4       11 89   89    1  
    > >         78
    > >     
    > > 0
    
    *snip*
    



    This archive was generated by hypermail 2b30 : Tue May 29 2001 - 21:40:08 PDT