
Port 137 scan Info


Tie Dye

Sep 29, 2002, 9:18:30 PM
Some Info Here,
http://isc.incidents.org/
"2002-Sep-29... current status: green Yet another mod_ssl worm (analysis
coming soon). Scans for port 137 on the rise." Quoted from ISC.
TD


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.391 / Virus Database: 222 - Release Date: 9/19/02


Mark Samson

Sep 30, 2002, 12:15:47 AM

"Tie Dye" <i~fly~vfr~@worldnet.att.net> wrote in message
news:GDNl9.61299$1C2.2...@bgtnsc04-news.ops.worldnet.att.net...

Thanks for posting this. Several of us have been receiving hundreds of these
port 137 scans in the grc.security newsgroups


Douw Gerber

Sep 30, 2002, 9:56:00 AM
I work for an ISP in SA and we also have numerous clients generating
this Port 137 traffic as of this morning.

Unfortunately the security and anti-virus sites are not saying
anything yet so at the moment whatever is causing this is unknown.

Robert R Kircher, Jr.

Sep 30, 2002, 10:11:54 AM

Port 137 is NetBIOS Name Service so my guess is that something/someone is
searching out networks that have NetBIOS installed and looking for computer
names, maybe in an attempt to connect to those computers.

A pure guess on my part... I explicitly denied 137 on my FW just to be on
the safe side.


--

Rob


Douw Gerber

Sep 30, 2002, 10:23:14 AM
Yip we are also blocking on the client routers but this is obviously
very time consuming.

Could it be another SSL variant - I think not as we are seeing Windows
workstations being infected.

On Mon, 30 Sep 2002 01:18:30 GMT, "Tie Dye"
<i~fly~vfr~@worldnet.att.net> wrote:

Mark(un-MASK)Forsyth

Sep 30, 2002, 10:29:20 AM
On Mon, 30 Sep 2002 15:56:00 +0200, Douw Gerber <do...@msn.com> gushed forth:

>I work for an ISP in SA and we also have numerous clients generating
>this Port 137 traffic as of this morning.
>
>Unfortunately the security and anti-virus sites are not saying
>anything yet so at the moment whatever is causing this is unknown.

There's a _little_ bit getting around about it but not much. About all
I've been able to glean is that port 137 UDP traffic is on the rise
http://isc.incidents.org/ has a bit of a blurb. But you already
knew that.

So far about the only thing that can be said for sure is that they're
not genuine netbios-ns lookups. If they're legit the broadcast bit is
not set and the source port is 137. In all cases the appearances in
my logs[1] have the broadcast bit set and the source port is mostly
between 1025 and 1036. The other thing of note that I've seen is that
the rate of hits is increasing.

Interesting indeed. I too wonder what it all means. A honeypot on a
well connected network could perhaps provide some interesting stuff...;-)

[deletia]

[1] My connection is via Optus cable and Optus block many things
so I can't say for sure if I'm seeing the "real deal(tm)".

--


Ooroo
Mark F...

Another Optus Cable Traffic Monitor.
http://www.members.optushome.com.au/forsythm/traff/

Tie Dye

Sep 30, 2002, 1:07:25 PM
Hello All,
Well it seems that it is a backdoor being propagated via Windows
file sharing. This is unofficial but that is what it would appear. Those
that have shut down port 137 and are using a firewall will be OK. Those
that don't will have a new file to find and remove!!
Regards,
Tie Dye.

taharka

Sep 30, 2002, 1:56:12 PM
"Douw Gerber" <do...@msn.com> wrote in message
news:kgngpu06v61dmf27a...@4ax.com...

> Yip we are also blocking on the client routers but this is obviously
> very time consuming.
>
> Could it be another SSL variant - I think not as we are seeing Windows
> workstations being infected.

Did you mean Windows workstations affected instead of infected?? It could
very well be another SSL variant. This worm is not particular as to the OS
on the workstation/server till it finds what it's looking for. Code
Red/Nimda showed up in logs on nearly every OS out there!! Nothing to worry
about on a properly patched $MS box or Unix/Linux boxes.


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.391 / Virus Database: 222 - Release Date: 9/19/2002


Mark(un-MASK)Forsyth

Sep 30, 2002, 10:12:33 PM
On Mon, 30 Sep 2002 17:07:25 GMT, Tie Dye <i~fly~vfr~@worldnet.att.net> gushed forth:

>Hello All,
> Well it seems that it is a backdoor being propagated via Windows
>file sharing. This is unofficial but that is what it would appear. Those
>that have shut down port 137 and are using a firewall will be OK. Those
>that don't will have a new file to find and remove!!


I'm very nearly convinced that it's
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_OPASOFT.A&VSect=T

Have a read of:-
https://grc.com/x/news.exe?cmd=article&group=grc.security&item=59379&utag=

Beware wrapping URLs

Lik Mai Sak

Oct 1, 2002, 3:46:25 AM
Douw Gerber wrote:

> Yip we are also blocking on the client routers but this is obviously
> very time consuming.
>
> Could it be another SSL variant - I think not as we are seeing Windows
> workstations being infected.

www.symantec.com.
Click the two latest security alerts on the left side of the page.
E.


Dave English

Oct 1, 2002, 3:54:42 AM
In message <hx%l9.62412$1C2.2...@bgtnsc04-news.ops.worldnet.att.net>,
Tie Dye <i~fly~vfr~@worldnet.att.net> writes

>Hello All,
> Well it seems that it is a backdoor being propagated via Windows
>file sharing. This is unofficial but that is what it would appear. Those
>that have shut down port 137 and are using a firewall will be OK. Those
>that don't will have a new file to find and remove!!

Indeed

<URL:http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.html>

and

<URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0210&L=ntbugtraq&F=P&S=&P=72>

Regards
--
Dave English,
Client Software Development, Thus PLC,
Dorking Business Park, DORKING, Surrey, UK. RH4 1HJ
http://www.thus.net

Mark(un-MASK)Forsyth

Oct 1, 2002, 4:07:27 AM
On Tue, 01 Oct 2002 17:46:25 +1000, Lik Mai Sak <cuddly...@yahoo.com> gushed forth:

Unlikely to be W32/Bugbear. None of the hosts that I have a recent log entry
for and that are still online have port 36794 open.

It's possible that it is what Symantec are calling W32.Opaserv.Worm. See :-

https://grc.com/x/news.exe?cmd=article&group=grc.security&item=59379&utag=

and

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPASOFT.A

Mark(un-MASK)Forsyth

Oct 1, 2002, 8:59:33 AM
On Tue, 01 Oct 2002 12:35:14 GMT, Leythos <vo...@nowhere.com> gushed forth:
>I logged more than 440 port 137 scans yesterday - I log everything to a
>database and run reports daily. I had not seen 137's like this a week
>ago.
>
>I'm on Road Runner in Ohio.
>
>Anyone else seeing the source?

Don't sweat the details. Just throw all traffic from commonly used
NetBIOS ports on the floor. Have a look at:-
http://isc.incidents.org/analysis.html?id=170
and visit the two links under Bugbear and Scrup.
Since 26-Jun I've seen 2,453 hits from 2,343 unique addresses. The rate of
hits has risen to something of a crescendo over the last few days.
Have a look at the graph at :-
http://isc.incidents.org/port_details.html?port=137

Also have a look at :-
http://members.optushome.com.au/forsythm/traff/traffanal_w.htm
The rise in the "Bytes DENIED by Firewall" is solely attributable
to the port 137 UDP hits. The usual clutter has remained normal.
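An added example, not written by any poster in this thread, that turns Mark Forsyth's two observations into code: his earlier reply says genuine netbios-ns lookups have the broadcast bit clear and source port 137, while the logged hits had the broadcast bit set and source ports mostly in 1025 to 1036; his post above counts total hits against unique source addresses. The packet layout (12-byte header, first-level encoded name, QTYPE/QCLASS) follows RFC 1002. Everything else is assumed: the sample packets and the log records are constructed here rather than captured, and treating an unparseable UDP/137 payload as probe-like is this example's choice, not something the thread states.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# NetBIOS Name Service (RFC 1002) constants
NBNS_PORT = 137
FLAG_RESPONSE = 0x8000   # R bit: 1 = response, 0 = query
FLAG_BROADCAST = 0x0010  # B bit inside NM_FLAGS: set on broadcast/multicast queries
QTYPE_NAMES = {0x0020: "NB", 0x0021: "NBSTAT"}


@dataclass
class NbnsQuery:
    trn_id: int
    opcode: int
    is_response: bool
    broadcast: bool
    name: str
    suffix: int
    qtype: str


def encode_name(name: str, suffix: int) -> bytes:
    """First-level encode: 15 space-padded chars + 1 suffix byte -> 32 letters 'A'..'P'."""
    raw = name.encode("ascii").ljust(15)[:15] + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))


def decode_name(encoded: bytes) -> tuple[str, int]:
    """Reverse of encode_name: each letter pair is one byte; byte 16 is the suffix."""
    if len(encoded) != 32 or any(c < 0x41 or c > 0x50 for c in encoded):
        raise ValueError("malformed encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", errors="replace").rstrip(" \x00"), raw[15]


def parse_nbns(payload: bytes) -> NbnsQuery:
    """Parse a single-question NBNS packet: 12-byte header followed by one question entry."""
    if len(payload) < 50:
        raise ValueError("packet too short for an NBNS header plus one question")
    trn_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if qdcount != 1:
        raise ValueError(f"expected one question, got {qdcount}")
    # Question: length byte 0x20, 32 encoded name chars, 0x00 terminator, QTYPE, QCLASS
    if payload[12] != 0x20 or payload[45] != 0x00:
        raise ValueError("unexpected question name layout")
    name, suffix = decode_name(payload[13:45])
    qtype, _qclass = struct.unpack("!HH", payload[46:50])
    return NbnsQuery(
        trn_id=trn_id,
        opcode=(flags >> 11) & 0x0F,
        is_response=bool(flags & FLAG_RESPONSE),
        broadcast=bool(flags & FLAG_BROADCAST),
        name=name,
        suffix=suffix,
        qtype=QTYPE_NAMES.get(qtype, f"0x{qtype:04x}"),
    )


def classify(src_port: int, payload: bytes) -> list[str]:
    """Reasons a directly addressed UDP/137 query looks like a probe; empty list = consistent with a genuine lookup."""
    q = parse_nbns(payload)
    reasons = []
    if q.broadcast:
        reasons.append("broadcast bit set on a directly addressed query")
    if src_port != NBNS_PORT:
        reasons.append(f"source port {src_port} is not 137")
    return reasons


def build_sample_query(trn_id: int, name: str, suffix: int, qtype: int, broadcast: bool) -> bytes:
    """Construct an in-memory test packet (no network I/O anywhere in this example)."""
    flags = FLAG_BROADCAST if broadcast else 0
    header = struct.pack("!6H", trn_id, flags, 1, 0, 0, 0)
    return header + b"\x20" + encode_name(name, suffix) + b"\x00" + struct.pack("!HH", qtype, 0x0001)


def summarize(records) -> dict:
    """records: iterable of (src_ip, src_port, payload). Tally hits, unique sources, probe-like hits."""
    hits, sources, probe_like = 0, set(), 0
    for src_ip, src_port, payload in records:
        hits += 1
        sources.add(src_ip)
        try:
            if classify(src_port, payload):
                probe_like += 1
        except ValueError:
            probe_like += 1  # assumption: a payload that is not a well-formed query is not a genuine lookup either
    return {"hits": hits, "unique_sources": len(sources), "probe_like": probe_like}


# Constructed sample traffic (not captured data); addresses are documentation ranges
LEGIT = build_sample_query(0x1234, "FILESRV", 0x20, 0x0020, broadcast=False)
PROBE = build_sample_query(0x0001, "*", 0x00, 0x0021, broadcast=True)
SAMPLE_LOG = [
    ("192.0.2.10", 137, LEGIT),
    ("198.51.100.7", 1031, PROBE),
    ("198.51.100.7", 1032, PROBE),
    ("203.0.113.44", 1025, PROBE),
]

if __name__ == "__main__":
    for ip, port, pkt in SAMPLE_LOG:
        print(ip, port, parse_nbns(pkt).name, classify(port, pkt) or "looks genuine")
    print(summarize(SAMPLE_LOG))
```

Feed `summarize` tuples built from your own firewall or packet-capture log to get the same hits-versus-unique-addresses split quoted above, with the probe-like share broken out; `parse_nbns` on its own is enough to see which name and query type a given hit was asking for.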
