
Re: [cobalt-users] Port 137 Scans



At 04:41 PM 4/24/01 -0700, you wrote:

>Basically it's a windoze looking around to see network neighbours to its
>"network neighbourhood"...

http://www.sans.org/newlook/resources/IDFAQ/port_137.htm

It seems there is a windoze virus that infects those machines and then sets
about looking for other machines to infect... So then, this does not concern
us on our linux boxes? Is it ok to tell portsentry to ignore port 137? I get
an awful lot of scans on that port daily... I'm not sure I've ever gotten a
definitive answer as to whether or not there is a vulnerability there and/or
if ignoring that port is safe or advised?

>how he got to your IPs? no idea, perhaps misconfigured...
>anyhow, it's the netbios name service, and you shouldn't be worried.

If above link is on target, then likely, he and many of the other
"innocent" machines hitting me on port 137 are infected with the network.vbs
worm..

>of course, you could have known it yourself:
>[shimi@shimi shimi]$ cat /etc/services | grep 137
>netbios-ns      137/tcp                         # NETBIOS Name Service
>netbios-ns      137/udp    

I'm not quite sure how to interpret the above...  Are we running NETBIOS
services on the RaQ's? Do we need to worry about the network.vbs worm or
can we "unguard" port 137 safely and just let in the machines who are
attempting to connect via that port?

TIA
Wayne