
Port Details - Port 137


Port Information

Protocol    Service       Name
tcp         netbios-ns    NETBIOS Name Service
udp         netbios-ns    NETBIOS Name Service
tcp         Chode         [trojan] Chode
tcp         Qaz           [trojan] Qaz
udp         Msinit        [trojan] Msinit

User Comment

Submitted By (Date)
Comment
Michael (2006-06-11 19:51:19)
You'll see a lot of these if you're running VMware, usually from your subnet to the subnet VMware is using.
Marcus H. Sachs, SANS Institute (2003-10-10 00:49:29)
SANS Top-20 Entry: W5 Windows Remote Access Services
http://isc.sans.org/top20.html#w5
NETBIOS -- Unprotected Windows Networking Shares
Microsoft Windows provides a host machine with the ability to share files or folders across a network with other hosts through Windows network shares. The underlying mechanism of this feature is the Server Message Block (SMB) protocol, or the Common Internet File System (CIFS). These protocols permit a host to manipulate remote files just as if they were local.
Although this is a powerful and useful feature of Windows, improper configuration of network shares may expose critical system files or may provide a mechanism for a nefarious user or program to take full control of the host. One of the ways in which I-Worm.Klez.a-h (Klez Family) worm, Sircam virus (see CERT Advisory 2001-22) and Nimda worm (see CERT Advisory 2001-26) spread so rapidly in 2001 was by discovering unprotected network shares and placing copies of themselves in them. Many computer owners unknowingly open their systems to hackers when they try to improve convenience for co-workers and outside researchers by making their drives readable and writeable by network users. But when care is taken to ensure proper configuration of network shares, the risks of compromise can be adequately mitigated.
Ken (2002-12-25 22:35:10)
This traffic is only 'normal' when the source and destination ports match and also, generally, when the source IP is on your own subnet. If the source port is not 137, e.g. 1024+n, there is likely a Wintel box at the other end infected with a worm. The prime candidate appears to be 'SCRSVR.EXE', AKA 'Opaserv', see:
http://vil.nai.com/vil/content/v_99729.htm
There also still appears to be some risk when the source *is* 137, see:
http://www.sans.org/newlook/resources/IDFAQ/port_137.htm
For the morbidly curious... more Opaserv info:
http://www.sarc.com/avcenter/venc/data/w32.opaserv.worm.html
http://www.sophos.com/virusinfo/analyses/w32opaserva.html
http://www3.ca.com/virusinfo/Virus.asp?ID=13234
http://www.europe.f-secure.com/v-descs/opasoft.shtml
http://www.kav.ch/avpve/worms/win32/opasoft.stm
http://www.norman.no/virus_info/w32_opaserv_a.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPASERV.A
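The rule of thumb in the comment above (source and destination ports both 137, source on the local subnet) can be applied to firewall logs as a triage filter. The following is an added example, not part of any comment on this page; the log line format, the sample entries and the 192.168.1.0/24 subnet are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample firewall log lines (not from the page); the format is assumed.
SAMPLE_LOG = """\
2002-12-25T22:01:07 UDP 192.168.1.23:137 -> 192.168.1.255:137
2002-12-25T22:01:09 UDP 203.0.113.77:1027 -> 192.168.1.10:137
2002-12-25T22:01:15 UDP 198.51.100.4:137 -> 192.168.1.10:137
2002-12-25T22:01:20 UDP 192.168.1.40:1031 -> 192.168.1.10:137
2002-12-25T22:01:31 TCP 203.0.113.77:4411 -> 192.168.1.10:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def classify(line, local_net):
    """Return (verdict, reason) for a UDP/137 line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or m["proto"] != "UDP" or m["dport"] != "137":
        return None  # only NetBIOS name lookups (UDP to port 137) are triaged
    on_subnet = ipaddress.ip_address(m["src"]) in local_net
    ports_match = m["sport"] == "137"
    if ports_match and on_subnet:
        return ("normal", "source port 137, source on local subnet")
    if not ports_match:
        # Ephemeral source port: the pattern the comment associates with a worm.
        return ("suspicious", f"source port {m['sport']} is not 137")
    return ("review", "source port 137 but source is off-subnet")

def triage(log_text, local_cidr):
    """Return [(source ip:port, verdict)] for every port-137 line in the log."""
    net = ipaddress.ip_network(local_cidr)
    results = []
    for line in log_text.splitlines():
        verdict = classify(line, net)
        if verdict:
            results.append((line.split()[2], verdict[0]))
    return results

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG, "192.168.1.0/24"):
        print(f"{verdict:10} {src}")
```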
Norm (2002-10-23 08:26:55)
Stop the worms, new version of Opasoft (aka) Opaserv. Brasil.pif
http://www.viruslist.com/eng/viruslist.html?id=52256
How to disable Netbios.
Windows XP
  • Open the Start menu
  • Select "Connect To" (or "Settings", then "Network connections" if you're in Classic mode)
  • Right-click on the network connection icon that connects you to the Internet
  • Right click on "Properties"
  • Open the "Networking" tab
  • Highlight "Internet Protocol (TCP/IP)"
  • Select "Properties".
  • Click the "Advanced" button
  • Open the "WINS" tab.
  • At the bottom of the window, select "Disable NetBIOS over TCP/IP"
  • Click OK
  • Click 'YES' or 'OK' to any messages that appear.
  • Restart your computer.
Windows 2000
  • Open the Control Panel
  • Open the 'Network and Dial-up Connections' icon
  • Right-click 'Local Area Connection'
  • Select 'Properties'
  • A window should open titled "Local Area Connection Properties"
  • The middle of this window should have a list of components with checkboxes to their left. Select 'Internet Protocol (TCP/IP)'
  • Click the 'Properties' button
  • Click the 'Advanced' button
  • Select the tab marked WINS
  • At the bottom of the window, select "Disable NetBIOS over TCP/IP"
  • Click OK
  • Click 'YES' or 'OK' to any messages that appear.
  • Restart your computer.
Windows 95, 98, ME
  • Open the Control Panel
  • Open the 'Network' icon
  • Scroll through the components listed in the Configuration tab until you find and select the entry marked "TCP/IP" for your network or dial-up adapter.
  • Click the Properties button
  • Open the NetBIOS tab
  • Uncheck Enable NetBIOS over TCP/IP
  • Open the Bindings tab
  • Uncheck "Client for Microsoft Networks" and "File and printer sharing for Microsoft Networks"
  • Click OK
  • Click 'YES' or 'OK' to any messages that appear.
  • Restart your computer.
Good luck, Norm
Antonio Perez (2002-10-10 04:01:35)
About: Port 137. Beginning 28/09/2002 I am receiving on my dynamic IP about 10 to 20 daily intrusion alerts from my firewall about this port (FWIN). Most of them (90%) came from other dynamic IPs given by my same ISP "RETENET" to other of their customers (62.174.0.0 - 62.174.127.255). I have told <abuse@retevision.es> and <techretenet@retevision.es> twice, but they never answered my messages. Can I do anything more to avoid this problem? Can you give me any additional information on this subject beyond http://isc.incidents.org/port_details.html?port=137 ? Thanks. Antonio.
Johannes Ullrich (2002-10-09 18:23:35)
UDP packets on port 137 are used to perform a Netbios name lookup. Within Microsoft's Windows file sharing, these lookups are similar to DNS in that they resolve an IP to a computer name and back. While many of these lookups are harmless and may be performed automatically if DNS or reverse DNS fails, they are also a first step to enumerate and maybe exploit open file shares. There are a number of viruses and worms that exploit open shares, most notably Bugbear. Also, a number of IRC-controlled 'bots' spread using open file shares. Important: ALWAYS use a password to protect shared resources. However, Microsoft file sharing is intended for a closed LAN environment, and if at all possible should not be used across the public Internet.

CVE Links

CVE #    Description
CVE-2004-444 "Multiple vulnerabilities in SYMDNS.SYS for Symantec Norton Internet Security and Professional 2002 through 2004