Port 137

netbios-ns      137/tcp    NETBIOS Name Service   
netbios-ns      137/udp    NETBIOS Name Service

Ja - det sker forholdsvis ofte at folk forsøger, at komme den vej ind.

Kan være Bugbear. Den er ude efter port 137.

hvis man scanner en computer på port 137/139... så kan man få informationer omkring styresystem og brugere samt passwords på den pågældene maskine.. og kan bruge disse informationer til at "hacke"

Anuseren har til dels ret. Hvis det kun er port 137 behøver det ikke at betyde så meget. Her er et par ting omkring det :)

"In the last days, Internet Storm Center (ISC), the center of alert of the Sans Institute, that permanently monitorea all activity through Internet, has noticed an unusual increase from escaneos in port 137 (UDP).

Udp (Universal Data Packet), is a transport protocol of datagrams, that is of the small packages that form the information that is transferred of and towards our computer through Internet. That these packages appear by port 137, in principle is not nothing unusual.

Windows uses east port for its service "To share printers and archives for Microsoft networks" through NetBEUI (an own implementation of NETCBios), when translating a direction IP in a "name of Windows".

Each computer connected to a network or Internet, is identified by a direction IP (Internet Protocol). This direction IP is a number, four separated digits by a point, like for example: 192.168.52.1.

Single to make us the task easier of remembering the direction of a machine, this one also can have a name (names of dominion and names of host). In order to associate a direction IP of a name, so that when keying in for example ' vsantivirus.com' our computer is connected with the one of the servant of our site (that has its own direction IP), a called service DNS exists (Domain name server). This service, uses port 53 generally to communicate.

These names, are used generally to identify other computers that share archives through a network. Peculiarly, Windows also tries to even obtain a "name of Windows" of any other computer that tries to connect itself with him, from Internet. The result, is that Windows has the habit "to drill" port 137, trying to solve a direction IP or a name of dominion, when the request to servant DNS fails or surpasses a certain time.

Nevertheless, in addition to this activity that can be considered normal, an increase from escaneos in port 137 also can indicate a first step to accede to the shared resources of our computer, on the part of an attacker. This is almost always thus, if those escaneos are followed by others port 139, used to accede to those resources.

Worms very well-known and BOTS also exist that try to accede to a computer that maintains this front door open. A BOT is a copy of a user in a channel of IRC, generated almost always maliciously by a program, and prepared to respond the commandos who an attacker sends to them in remote form.

Even, taking advantage of machines users who have connections of broadband during the 24 hours, many Warez pages exist (those that distribute illegal software), that stores programs in machines of users that ignore it, eluding that way the laws of their countries, and involving innocents. All it evidently increases the activity in ports 137 and 139.

Software like the BOTS, escudriñan the networks and subnetworks in sequential form, and when these networks are extensive, the use of port 137 can reach well-known high proportions in the statistics of monitoreo of sites like the ISC.

At the moment, this increase of this activity seems to aim at this explanation, according to affirms the own ISC in its last report. And it adds in addition, that in spite of it, no of the decoys that constantly are monitoreados, has been harmed with some other attempt of access that seems to be related.

Of any way, the Internet Storm Center remains alert by any other activity that could mean for example, the appearance of some new worm.

The ISC requests in addition, that any person who could have indications of some other activity outside the normal thing related to this port, sends a report to them to the direction isc@incidents.org (in English).

At domestic level, the installation of fire-resistant ones as ZoneAlarm is sufficient to block all malicious attempt to the mentioned ports."


en teknisk forklaring:
http://www.sans.org/newlook/resources/IDFAQ/port_137.htm