

marti
Color outside the lines
Premium,MVM
join:2001-12-14
Houston, TX
clubs:

File sharing app using netbios??

I've been getting many of these alerts from ZAP the past few days. Not a problem, as I don't use NetBIOS, but just wondering what is going on out there.

Is there a new file sharing app out there that uses port 137, or???

The firewall has blocked Internet access to your computer (NetBIOS Name) from 151.203.18.222 (UDP Port 1065).

New Years$

join:2001-12-20
Is there a new file sharing app out there that uses port 137

Not any that you should not be in full control and no one else. Why do you specifically state that port?


marti
Color outside the lines
Premium,MVM
join:2001-12-14
Houston, TX
clubs:


reply to marti
I mentioned port 137, as the NetBios alerts from ZAP list it in the actual log file.

FWIN,2002/03/07,18:21:49 -6:00 GMT,151.203.18.222:1065,65.xx.xx.xx:137,UDP

I asked the question because I have been getting many of these alerts lately, and just wondered what is going on out there in cyberspace. For example, I have learned what port the music pirates use, so it's explained. Thought maybe the pirates are now using a new program that uses port 137.
[text was edited by author 2002-03-07 20:00:40]
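
An added example, not part of the thread or of ZoneAlarm: a tally of blocked NetBIOS probes per probed address and per source, parsing the six-field layout of the log entry quoted above. The sample log is constructed, the function names are illustrative, and reading FWIN as the tag for blocked inbound traffic is an assumption drawn from that entry.

```python
import csv
from collections import Counter, defaultdict

NETBIOS_PORTS = {137, 138, 139}  # name service, datagram service, session service

# Constructed sample in the field order of the log line quoted above:
# action, date, time and offset, source ip:port, destination ip:port, protocol.
# The addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
FWIN,2002/03/07,18:21:49 -6:00 GMT,198.51.100.7:1065,203.0.113.20:137,UDP
FWIN,2002/03/07,18:40:02 -6:00 GMT,198.51.100.7:1065,203.0.113.20:137,UDP
FWIN,2002/03/07,19:05:11 -6:00 GMT,192.0.2.44:1027,203.0.113.20:137,UDP
FWIN,2002/03/07,19:30:45 -6:00 GMT,192.0.2.91:3312,203.0.113.20:80,TCP
FWIN,2002/03/08,07:12:30 -6:00 GMT,198.51.100.200:1031,203.0.113.77:137,UDP
this line is not a log record
"""


def split_endpoint(endpoint):
    """Split 'ip:port' on the last colon; the ip part may be masked (65.xx.xx.xx)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)  # int() raises ValueError when there is no numeric port


def netbios_hits_by_destination(log_text):
    """Map each probed local address to {source address: blocked NetBIOS hits}."""
    per_dst = defaultdict(Counter)
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 6 or row[0] != "FWIN":
            continue  # only inbound records in the six-field layout (assumed)
        try:
            src_ip, _ = split_endpoint(row[3])
            dst_ip, dst_port = split_endpoint(row[4])
        except ValueError:
            continue  # malformed endpoint: skip rather than guess
        if dst_port in NETBIOS_PORTS:
            per_dst[dst_ip][src_ip] += 1
    return {dst: dict(sources) for dst, sources in per_dst.items()}


if __name__ == "__main__":
    for dst, sources in netbios_hits_by_destination(SAMPLE_LOG).items():
        total = sum(sources.values())
        print(f"{dst}: {total} hits from {len(sources)} distinct sources")
        for src, count in sorted(sources.items(), key=lambda kv: -kv[1]):
            print(f"    {src:<16} {count}")
```

Grouping by destination first matters on a dynamic IP: it separates probes that followed one assigned address from probes that arrive on every address the connection is given.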


Randy Bell
Premium
join:2002-02-24
Santa Clara, CA

reply to marti
I get attempts to connect to the NetBios ports from time-to-time, but I don't think much of it -- just internet background noise. Since your firewall is accurately reporting and blocking these attempts, you're safe -- not to worry. Also, I've followed Steve Gibson's instructions about unbinding NetBios from the TCP/IP protocol.


marti
Color outside the lines
Premium,MVM
join:2001-12-14
Houston, TX
clubs:
Hi Randy,

Not worried, just curious as to why the sudden and frequent activity. I do not have NetBios listed in the properties for any TCP/IP adapters.

New Years$

join:2001-12-20

Well Marti, I cannot tell you much you do not already know. I have not heard anything special on 1065 so here is the usual and we will all keep an eye on it.

»www.dshield.org/ports/port137.html

»www.seifried.org/security/ports/137.html


marti
Color outside the lines
Premium,MVM
join:2001-12-14
Houston, TX
clubs:

Thanks New Years. Will find something more important to worry about.


OzarkMan$

join:2000-12-22
Ozark Mtns.
reply to marti
marti....do you receive a new IP frequently?
If so....the former owner of your IP could have been into file sharing.


marti
Color outside the lines
Premium,MVM
join:2001-12-14
Houston, TX
clubs:
reply to marti
Hi Ozark Man,

I have a dynamic IP address with SBCGlobal (SWBell) ADSL. Each time I disconnect/reconnect, I get a new IP. Looking back over the ZAP log, I received alerts for UDP port 137 on several different IP addresses.

New Years$

join:2001-12-20
reply to OzarkMan$
what kind of file sharing is on that port?


OzarkMan$

join:2000-12-22
Ozark Mtns.
John....I wasn't referring to file sharing as in MP3 file sharing but open port 137 where someone would be looking to file share by doing a NetBIOS query request to UDP port 137.

New Years$

join:2001-12-20
OK..See I never did know what kind of file sharing they would do on that except LAN stuff..I was hoping you knew about some stuff I had not run into yet..I think I have to hit the books.. I read all about Samba but still do not understand all of it.


Lingus
U.S. Navy AE3
Premium
join:2001-10-04
Greensburg, PA
clubs:

reply to marti
marti, port 137 is used by the NetBIOS naming service. NetBIOS is used by your computer and other computers to broadcast computer names out to the internet. It does this to help aid in IP and computer name discovery. It works basically like this: when you turn on your computer, your computer sends out a message like this: "hello my name is PChomeuser." Then other PCs respond back, and it is a way the computer uses to find other computers on the network. I would call this internet background noise.
--
NOTICE: My post does not contain any subliminal messages. All messages from the Devil will be displayed clearly in straightforward Standard American English.


notdedyet

join:2000-08-28
Littleton, MA

On a network there is a very good reason for doing this; it is how duplicate names are avoided. Your computer broadcasts its name on startup and then listens for another computer to respond saying that it already owns that name. (BTW the same message is sent out by servers for domain names; you can't have a computer with the same name as an NT Domain.)

This is very important for NetBIOS networks, but does not belong on the wider Internet. So if you get one of these from the Internet, it is a sign of a poorly configured system or LAN.
--
"for it is always the person not in the predicament who knows what ought to have been done in it, and would unquestionably have done it too" - Charles Dickens


marti
Color outside the lines
Premium,MVM
join:2001-12-14
Houston, TX
clubs:
Hmmm. Thought I had things set up properly for ADSL. One computer, no router, using the PPPoE s/w that SBCGlobal requires. Have not changed anything in days, so am puzzled as to why the sudden onset of "hits" on port 137.


marti
Color outside the lines
Premium,MVM
join:2001-12-14
Houston, TX
clubs:

reply to marti
sorry...
[text was edited by author 2002-03-07 23:56:00]


marti
Color outside the lines
Premium,MVM
join:2001-12-14
Houston, TX
clubs:

reply to marti
Cute, very cute:

C:\WINDOWS>netstat -a -n

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:6666 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6667 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6668 0.0.0.0:0 LISTENING
TCP 65.69.x.xx:137 0.0.0.0:0 LISTENING
TCP 65.69.x.xx:138 0.0.0.0:0 LISTENING
TCP 65.69.x.xx:139 0.0.0.0:0 LISTENING
TCP 192.168.1.10:137 0.0.0.0:0 LISTENING
TCP 192.168.1.10:138 0.0.0.0:0 LISTENING
TCP 192.168.1.10:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:6666 *:*
UDP 65.69.x.xx:137 *:*
UDP 65.69.x.xx:138 *:*
UDP 192.168.1.10:137 *:*
UDP 192.168.1.10:138 *:*

The 666x-666x is my APC UPS. The 192.168.1.10 traces back to my computer, but I have no idea where it is specified. I got ADSL connected in mid-December, so am still an ADSL newbie.
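
An added example, not part of the thread: a check over netstat -a -n output that lists NetBIOS sockets (ports 137 to 139) bound to anything other than an internal address, which is what the listing above shows on the ISP-assigned address. The sample output is constructed, with 203.0.113.20 standing in for the public address, and the function names are illustrative.

```python
import ipaddress

NETBIOS_PORTS = {137, 138, 139}
# Explicit list: ipaddress.is_private would also match documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample; 203.0.113.20 stands in for the ISP-assigned address.
SAMPLE_NETSTAT = """\
Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:6667 0.0.0.0:0 LISTENING
TCP 203.0.113.20:139 0.0.0.0:0 LISTENING
TCP 192.168.1.10:139 0.0.0.0:0 LISTENING
UDP 203.0.113.20:137 *:*
UDP 203.0.113.20:138 *:*
UDP 192.168.1.10:137 *:*
"""


def classify(host):
    """Return 'internal', 'all-interfaces', 'public' or 'unverified'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unverified"  # masked, e.g. 65.69.x.xx: cannot show it is internal
    if ip.is_unspecified:
        return "all-interfaces"  # 0.0.0.0 includes the Internet-facing adapter
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "public"


def exposed_netbios_listeners(netstat_text):
    """List (proto, address, port, scope) for NetBIOS sockets not held to internal addresses."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        if fields[0] == "TCP" and fields[-1] != "LISTENING":
            continue  # established or closing connections are not listeners
        host, _, port = fields[1].rpartition(":")
        if port.isdigit() and int(port) in NETBIOS_PORTS:
            scope = classify(host)
            if scope != "internal":
                findings.append((fields[0], host, int(port), scope))
    return findings


if __name__ == "__main__":
    for proto, host, port, scope in exposed_netbios_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {host}:{port} is bound to a {scope} address")
```

An empty result after changing the bindings means no NetBIOS socket is left on the external address.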


Lucif4
Premium
join:2000-12-12
clubs:


It looks to me like you need to look back at your network configurations. You have NetBIOS enabled. Verify at Shield's Up (Test my Shields) or at DSLReport's Shield Probe.

You might want to read over: GRC Bondage Page, NetBIOS: Fact and Fiction, and/or Symantec's NetBIOS page
[text was edited by author 2002-03-08 01:19:32]


marti
Color outside the lines
Premium,MVM
join:2001-12-14
Houston, TX
clubs:
Hi Lucif4,

I have checked my settings several times. Can't find it. However, it may be in the EnterNet s/w that I have to use to connect to SBCGlobal.


Lucif4
Premium
join:2000-12-12
clubs:

Q: Does EnterNet bind to the NetBIOS interface?

A: The NetBIOS interface does not bind to the PPPoE adapter. It binds to a protocol, normally the MS TCP/IP or NetBEUI protocols. The distinction is important: under the Windows networking interface structure, adapter, protocol, and service components are concerned only with the layer immediately above or below themselves. EnterNet PPPoE is installed as a network adapter.

To check bindings:

From the Network Properties in the Control Panel:
Windows 95/98 systems:
1. Select the protocol labeled TCP/IP -> EnterNet
2. Click on the Properties button, then the Bindings tab
3. Uncheck every box that's listed in the bindings. This would usually be the Client for Microsoft Networks, but it could also include File and Printer sharing for Microsoft networks and any other service-based application that would bind to the TCP protocol over our adapter.
4. Do the same for every protocol that binds to the EnterNet Adapter, such as NetBEUI -> EnterNet or IPX/SPX -> EnterNet.