
Port 137

Status
Not open for further replies.

JeffHicks

Technical User
Oct 7, 2002
131
US
I have been checking my firewall logs lately and I seem to get a lot of incoming attempts at port 137. I know this is somehow connected to Windows communication, but can anyone tell me specifically what these folks are trying to do? Thanks.
 
Saw this as part of a write up on Bugbear at
it could be related.

Second, Bugbear spreads quickly. All it needs is one vulnerable system to gain a foothold on a network. Once it infects the vulnerable system, it can spread to other computers--and even printers--via open NETBIOS file shares on port 137. Since users frequently share files over networked systems, the worm can infiltrate very fast. If Bugbear tries to spread to a shared network printer, it causes the printer to spew gibberish, such as one line printed on dozens of sheets of paper. Last year's Nimda affected printers, too.
 
Thanks for the reply. My firewall is blocking it, so I am not afraid of it succeeding. I was just curious if I could/should report the offenders for trying to hack or what. If Bugbear is causing it, based on that article, they have enough problems to deal with on their own.
 
The offenders are probably infected victims themselves, so I would recommend trying to contact them and let them know they're infected, but I wouldn't assume malice on their part.
-Steve
 
I've been getting a lot of connection attempts to port 137 even before Bugbear. I believe Nimda was the most popular cause of this in the past, and Bugbear just made it worse.

Sometimes when I'm bored, I go through my logs and try to connect to the people that tried to connect to my computer. When successful I put a text file on their desktop saying that they have a virus and that their computer tried to infect mine. Most of the people will have a ~79k .eml file if they are infected with Nimda. One time somebody even saw the text file appear on their desktop, and they typed "who are you" in it and saved the file. So we talked back and forth by re-editing the text file on his desktop :p

Anyways, I can connect to over 90% of the computers that are trying to connect to me if I try to connect to them right away. Since a hacker would know not to have NetBIOS enabled, I know it's not somebody trying to hack me. Anymore I just ignore the attempts, and I would suggest most people ignore them as well. Just keep your firewall up, security patches installed, and AV software updated.
 