"Jonathan R. Dundas" wrote:
>
> We see constant connection attempts to port 137 to existing hosts on our
> subnet, even though the attempts are denied. Packets claiming to be from
> Private/reserved source addys are a significant portion of them, maybe an
> average of 1 host a day tries to connect from a private addy. Weird. I've
> been reading this list for about two months on and off. Has this topic
> been discussed before?
Yes, port 137 activity has been discussed here before.
Also look at CERT's current activity page:

http://www.cert.org/current/current_activity.html

It links to a couple of articles on NetBIOS activities.

As others have mentioned, there are two main types of port 137
activities. One is the poorly set up PC doing a NetBIOS name
lookup as it's trying to download a web page. The other is a
scan of machines looking for open shares. On my micro subnet
I see about even activity between the two. Almost all the port
137 accesses that I get that only hit my web server's IP# are
in conjunction with web page downloads from the same machine.
All the scans that hit all of my IP addresses have no related
web server activity.

As for what I do with them: I ignore the ones that come in
with web page downloads. All the rest I notify the
ISP/Company/etc. where they come from with a relatively stock
letter warning of NetBIOS worms and pointing them to CERT.
--
| Bryan Andersen | bryan@visi.com | http://softail.visi.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
Received on Aug 03 2000
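
The triage described in the message above, as an added example that is not part of the original post: it correlates denied port 137 probes with web server hits from the same source, and separately flags the private source addresses mentioned in the quoted question. The addresses, the 120-second window, the label names and all log records are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: a "source" here cannot be traced back to anyone to notify.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_SERVER = "192.0.2.10"  # assumed address of the local web server
WINDOW = 120               # assumed max seconds between a web hit and a probe

# Constructed firewall denies on UDP/137: (epoch seconds, source, destination)
FW_DENIES_137 = [
    (1000, "198.51.100.7", "192.0.2.10"),   # web server only, with web hits
    (2000, "203.0.113.50", "192.0.2.9"),    # walks several local addresses
    (2001, "203.0.113.50", "192.0.2.10"),
    (2002, "203.0.113.50", "192.0.2.11"),
    (3000, "10.1.2.3", "192.0.2.10"),       # private source address
    (4000, "198.51.100.99", "192.0.2.10"),  # web server only, no web hit
]
# Constructed web server access records: (epoch seconds, client)
WEB_HITS = [(990, "198.51.100.7"), (1005, "198.51.100.7")]

def classify(denies, web_hits, web_server=WEB_SERVER, window=WINDOW):
    """Return {source: label} for every source seen probing port 137."""
    hits = defaultdict(list)
    for ts, src in web_hits:
        hits[src].append(ts)
    probes = defaultdict(list)
    for ts, src, dst in denies:
        probes[src].append((ts, dst))

    result = {}
    for src, events in probes.items():
        dsts = {dst for _, dst in events}
        # True only if every probe has a web hit from the same source nearby.
        near_web = all(
            any(abs(ts - h) <= window for h in hits.get(src, []))
            for ts, _ in events
        )
        if any(ip_address(src) in net for net in RFC1918):
            result[src] = "private-source"   # spoofed or leaked, no one to notify
        elif len(dsts) > 1:
            result[src] = "scan"             # candidate for an abuse notice
        elif dsts == {web_server} and near_web:
            result[src] = "web-lookup"       # name lookup tied to a page download
        else:
            result[src] = "unexplained"      # needs a manual look
    return result
```
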