I've had this account and operated ZoneAlarm for well over a year and
this has never happened previously. Ran Trojan Remover and found
nothing, but still can't help being paranoid.
Any ideas on what this might be?
Thanks
"JMSteele" <jmst...@qwest.net> wrote in message
news:73d56acc.0209...@posting.google.com...
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.391 / Virus Database: 222 - Release Date: 9/19/02
Are there other precautions I should be taking?
John Watson
"Tie Dye" <i~fly~vfr~@worldnet.att.net> wrote in message
news:lBNl9.61297$1C2.2...@bgtnsc04-news.ops.worldnet.att.net...
"CountryHouse" <countr...@comcast.net> wrote in message
news:0r%l9.383126$5r1.18...@bin5.nnrp.aus1.giganews.com...
All this time Zone Alarm has captured the intrusions.
In order to finally prove what is happening, we got out a very old PC
(Pentium 1 75MHz but with overdrive 120MHz chip in it running W95) which had
not been used in the last 9 months and connected that. Initially to our
standby ISP and there were 3 intrusions in an hour. We then connected to our
normal ISP and got 4 intrusions in 20 minutes.
Looking at the Zone Alarm log, the source computers trying to get in are
sometimes shown as real recognisable IP addresses and sometimes as names -
presumably these are machines with networks connected and these are the
network names.
We have also gone through the Symantec Trojan removal routines for W32 Bug
Bear worm and W32.Opaserv worm and those were not found on the PC.
All in all it is very confusing. People say that port 1025 is used by
Blackjack gamers. I wonder if there is some special blackjack server
somewhere that is faulty and trying to connect to random IPs? It certainly
seems as if it is nothing on any of my PCs causing it.
(By the way I have just had 8 intrusions in the last 30 minutes)
Come on all you geniuses out there - let's get to the bottom of this!!
Mike
-->We too have been getting loads of intrusions to Port 137 from people mainly
-->from port 1025 but sometimes in the range 1020-1030.
-->It has been happening since almost exactly 19:00 UK on Friday 27th September.
-->It has shown up on our main PC running W98 which has the ISDN modem to
-->connect to Internet and also on a Wireless connected Dell Laptop also W98.
-->In order to try and trace things, we connected the ISDN modem direct to the
-->laptop and the internet - same thing happened.
-->Then brought in another Sony Laptop running W2000 professional where that
-->software had never been connected to the home network (it is a dual boot
-->system with W XP) - same thing happened.
-->
-->All this time Zone Alarm has captured the intrusions.
-->
-->In order to finally prove what is happening, we got out a very old PC
-->(Pentium 1 75MHz but with overdrive 120MHz chip in it running W95) which had
-->not been used in the last 9 months and connected that. Initially to our
-->standby ISP and there were 3 intrusions in an hour. We then connected to our
-->normal ISP and got 4 intrusions in 20 minutes.
-->
-->Looking at the Zone Alarm log, the source computers trying to get in are
-->sometimes shown as real recognisable IP addresses and sometimes as names -
-->presumably these are machines with networks connected and these are the
-->network names.
-->
-->We have also gone through the Symantec Trojan removal routines for W32 Bug
-->Bear worm and W32.Opaserv worm and those were not found on the PC.
-->
-->All in all it is very confusing. People say that port 1025 is used by
-->Blackjack gamers. I wonder if there is some special blackjack server
-->somewhere that is faulty and trying to connect to random IPs? It certainly
-->seems as if it is nothing on any of my PCs causing it.
-->
-->(By the way I have just had 8 intrusions in the last 30 minutes)
-->
-->Come on all you geniuses out there - let's get to the bottom of this!!
-->
-->Mike
I'm just catching up reading up on posts over the last few days, and
there is a thread from today in which I was talking about this.
Subject line misidentifies the port, but is called "Port 1025".
Tie Dye has it right, I believe, that there is a rise in attacks over
the last little while, and all you can really do is batten down the
hatches (close 137, if possible, and make sure your firewall is
running).
See Tie Dye's reference at
http://isc.incidents.org/analysis.html?id=170
There was a vulnerability on that port (a NETBIOS DOS attack) that
surfaced last month, and speculation is that it might be the same
thing, or even a new exploit on that same port.
See
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-045.asp
The dramatic increase in connection attempts to NETBIOS
Name Service is apparently being made in conjunction with a couple of
new worms making the rounds, and both scan UDP 137.
Bugbear
(note: Bugbear also sets up a listening web server on TCP 36794)
http://vil.nai.com/vil/content/v_99728.htm
http://www.sophos.com/virusinfo/analyses/w32bugbeara.html
Srup
http://vil.nai.com/vil/content/v_99729.htm
http://www.sophos.com/virusinfo/analyses/w32opaserva.html
HTH
T.O.G.
--
./
Not this guy or that guy, The Other Guy.
"I love Mankind, it's people I can't stand."
- Linus from Charlie Brown
"To know me is to love me!"
- (also) Linus from Charlie Brown
re alerts on port 137/1025 etc
I'm not getting anything (ADSL, W98, ZA not Pro). Am I doing something
wrong?
--
Kate B
PS 'elvira' is spamtrapped - please reply to 'umra' at cockaigne if
you want to reply personally
Probably not. I haven't seen anything on my 137 port coming in either.
I've had close to 600 port 137 alerts in the past 6 days !!!
Mike
You are being scanned by an internet worm called Open Share Worm ... What
this does is search the internet for open Microsoft Windows shares. It then
infects the machine and uses it to start scanning for other vulnerable
machines... here is more information on it...
Here's more info about that open share worm:
SCRSVR.EXE, identified as ("older" identifications included) ...
CA Vet RESCUE : Win32.Opaserv.A (trojan)
Dialogue Science DrWebWCL : Win32.HLLW.Opasoft
ESET NOD32DOS : Win32/Opaserv.A
GeCAD RAVAV : Win32/Opaserv.A.worm
Ikarus PSCAN : Worm.Psp.Opasoft.A
Kaspersky Lab KAVDOS32 : Backdoor.Opasoft -> Worm.Win32.Opasoft.a
McAfee SCANPM : BackDoor-ALB -> W32/Scrup.worm -> W95/Scrup.worm
Norman NVC : W32/Opaserv.A
Panda Antivirus PAVCL : Bck/Opasoft -> W32/Opaserv
SOFTWIN BDDOSC : Trojan.Omageneer.A -> Win32.Worm.Opaserv.A
Sophos SWEEP : W32/Opaserv-A
Symantec NAV CE VSCAND : W32.Opaserv.Worm
Trend Micro VSCAN32 : BKDR_OPASOFT.A -> WORM_OPASOFT.A
It might be wise to configure your firewalls to block NBT to your servers
and workstations. Some people leave this open as it makes remote access to
Windows networks much easier. As you can see this would be bad.
http://www.cyberbase7.com shows this as a threat level 1 for those networks
with this open.. if you're not sure if you're vulnerable you can do a free host
scan from that web site... accessible by registered users only (registration
is free )
Hope this helps Answer your Question Mike...
Regards,
Bill
Mike
gey...@adelphia.com wrote:
_______________________________________________
Firewalls mailing list
Fire...@section5.cyberbase7.com
http://section5.cyberbase7.com/mailman/listinfo/firewalls
You don't need to be clever. You just need to subscribe to the
correct mailing lists and keep an ear to the ground.
A google search for W32.Opaserv.Worm will give heaps of
links.
--
Ooroo
Mark F...
Another Optus Cable Traffic Monitor.
http://www.members.optushome.com.au/forsythm/traff/
Why be so concerned? The important part of the equation is that ZA is
blocking the traffic. As long as that remains true, the source of the
traffic is rather immaterial.
I've just been through this myself, I'm no expert but I have read a lot of
stuff in the past month or so.
Comments in line.
"graham" <dou...@verymuch.com> wrote in message
news:anio0b$5r1$1...@news5.svr.pol.co.uk...
> pardon my ignorance but does this mean that a home - user is vulnerable
> when using a file sharing program like winmx or kazaa etc.
Without a firewall and virus scanner, yes, but you have one
> I have updated
> and scanned with the cleaner / norton av / ad-aware and everything seems
> to be clean according to those progs. I am using win98se behind zone alarm
> 2.6.xxx set to high security , no sign of SCRSVR.exe on my hard drives
> yet I am getting around 30-40 alerts an hour coming from various ips
> from ports 1025-1029 .
The alerts you are getting are usually infected machines looking to
infect other machines; each alert you see is either a harmless scan
(knocking at a closed door) or a failed attempt. It is the one you don't
see that you need to worry about. Try http://pete.dns2go.com/security.htm
for one view and http://www.grc.com.htm for another, between them they cover
the bases.
> my isp has a two hour cut off period ( have to reconnect every 2 hours )
> so wondered if that would be a legitimate reason for port 137 being "
> listened 2 to when i do a netstat -a ( port 139 is also listened to )
> does this appear to you that Ive already been compromised ?
I have seen loads of people ask this question and it is rarely answered.
You are listening on port 137 and 139 probably to both TCP and UDP traffic
because you have the Client for Microsoft Networks installed. You are only
listening on your internal ports i.e. from 127.0.0.1 to 0.0.0.0 (unless you
have printer and file sharing enabled - which you mustn't; this is the
riskiest thing). This is behind your firewall anyway so Zone Alarm will
stop the traffic. There is a process to remove it, but I suggest you find
it yourself as it is not necessary to remove it and I am not expert enough
to advise messing about at this level. I did using a page on iana.org
which I can't find now.
> and
> if i use a file sharing program does this put my machine at a greater risk
> , because i obviously have to allow the file sharing prog acces through zone
> alarm.
Yes, run your virus checker regularly.
> Im not too worried as I have no credit card details etc and have
> managed to tweak win98 se a bit ( even managed to get my details out of the
> infamous user.dat ) but it is a pain in the backside still getting this
> amount of alerts and not being sure if im " covered " or not
Ignore the alerts. I used to look at them every day but you are just using
up valuable leisure time.
I have actually got the W32.Opaserv fixing kit from Symantec and used it on
my PC. It found no sign of the worm so I guess it isn't actually that.
Is there a better newsgroup then? Info much appreciated.
As someone says later, it isn't a problem if ZA finds it, but it's a pain
Mike
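To see how much of a firewall log is just this worm's NetBIOS probing (UDP to port 137 from source ports 1020-1030, as the thread describes) rather than anything else, here is an added tally script. It is not from the thread or from ZoneAlarm; the comma-separated "FWIN,date,time,src:port,dst:port,proto" line layout and the sample lines are assumptions constructed for the example.

```python
"""Tally firewall alerts matching the pattern discussed in this thread:
UDP datagrams to port 137 (NetBIOS Name Service) from source ports 1020-1030.
Added example; the log layout below is assumed, not ZoneAlarm's documented format."""
import re
from collections import Counter

# Constructed sample log: type,date,time,source:port,destination:port,protocol
SAMPLE_LOG = """\
FWIN,2002/09/28,19:02:11 +1:00 GMT,203.0.113.7:1025,192.168.1.2:137,UDP
FWIN,2002/09/28,19:03:45 +1:00 GMT,198.51.100.23:1027,192.168.1.2:137,UDP
FWIN,2002/09/28,19:05:02 +1:00 GMT,203.0.113.7:1025,192.168.1.2:137,UDP
FWIN,2002/09/28,19:07:30 +1:00 GMT,192.0.2.44:3456,192.168.1.2:80,TCP
FWIN,2002/09/28,19:09:14 +1:00 GMT,198.51.100.90:1029,192.168.1.2:139,TCP
FWIN,2002/09/28,19:11:50 +1:00 GMT,192.0.2.10:1021,192.168.1.2:137,UDP
"""

LINE_RE = re.compile(
    r"^(?P<kind>\w+),(?P<date>[\d/]+),(?P<time>[^,]+),"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),(?P<proto>\w+)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def is_nbns_probe(rec, low=1020, high=1030):
    """True for a blocked inbound UDP/137 packet from the source-port range the thread reports."""
    return rec["proto"] == "UDP" and rec["dport"] == 137 and low <= rec["sport"] <= high

def summarise(log_text):
    """Return (matching_alerts, total_alerts, Counter of matching source IPs)."""
    total = 0
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or unparseable lines rather than miscounting
        total += 1
        if is_nbns_probe(rec):
            hits[rec["src"]] += 1
    return sum(hits.values()), total, hits

if __name__ == "__main__":
    matched, total, by_src = summarise(SAMPLE_LOG)
    print(f"{matched} of {total} blocked alerts are UDP/137 probes from ports 1020-1030")
    for src, n in by_src.most_common():
        print(f"  {src}: {n}")  # a repeat source is one infected host retrying
```

Run against a real export, the "matching of total" ratio tells you how much of the alert noise is this one worm, and the per-source counts show the same infected hosts coming back.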
A good place to keep a weather eye on is http://aris.securityfocus.com/
Have a look at news groups with "virus" or "security" in the title.
http://isc.incidents.org/ is another good place.
I work in the network management business and have a bit to do with some
of the larger ISPs in this country so a few 'phone calls to peers
can't go astray either. The more sources of info you have the more likely
you're going to get onto something early. Funnily enough though the
first inkling that there was something afoot was when there was a VERY
noticeable increase in UDP 137 attempts on my home system. If you have
a look at my graphs, specifically the last 5 weeks one, you'll see where
the bytes denied graph started to trend upward. It was that upward trend
that got me interested enough to start searching.
[deletia]