From: Thomas Ribbrock (emgaron at domain gmx.net)
Date: Sat 18 Sep 1999 - 10:55:42 IST
Hi folks,
I'm in need of some insight here...
I've sentry installed on my PC and over the past weeks I frequently get
attack alerts with regard to connections on port 137 from different servers.
A typical log would look like this:
Sep 18 10:30:40 angua abacus_sentry[418]: attackalert: Connect from host: bf-web.bord-failte.iol.ie/194.125.40.195 to TCP port: 137
Sep 18 10:30:40 angua abacus_sentry[418]: attackalert: Host 194.125.40.195 has been blocked via wrappers.
Sep 18 10:30:40 angua abacus_sentry[418]: attackalert: Host 194.125.40.195 has been blocked via dropped route.
Sep 18 10:30:42 angua abacus_sentry[418]: attackalert: Connect from host: bf-web.bord-failte.iol.ie/194.125.40.195 to TCP port: 137
Sep 18 10:30:42 angua abacus_sentry[418]: attackalert: Host: 194.125.40.195 is already blocked. Ignoring
In this particular case, it was the web host of Board Failte I tried to
connect to just a moment earlier, but I got this from many different hosts.
I tried stopping sentry and running "nc -l -p 137" (after correcting the
route table to remove the dropped route), but I never got anything back.
I also have tcp-wrappers running (i.e. ALL:ALL in /etc/hosts.deny) - would
that prevent nc from running properly?
According to /etc/services, port 137 is "netbios-ns" - which doesn't tell me
much. I've also found out that port 137 seems to be one of the ports used in
a WinNuke attack, so my first suspicion was script-kiddies - but it happens
far too often (especially considering that I don't have a fixed IP
address (PPP/dial-in)) to be that, I think.
So, if anybody out there has an idea how to track that down, I'd appreciate
some insight.
Thanks in advance,
Thomas
--
-----------------------------------------------------------------------------
Thomas Ribbrock http://www.bigfoot.com/~kaytan ICQ#: 15839919
"You have to live on the edge of reality - to make your dreams come true!"
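As an added example (not part of the original post, and not portsentry's own code), the following parses attackalert lines in the format quoted above, counts connection attempts per source and port, records which blocking mechanism fired for each host, and reports how many distinct sources hit each port. The sample log is constructed here; the second host (example.invalid/192.0.2.7) is a placeholder.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the abacus_sentry/portsentry format quoted in the post.
# The second source host is a placeholder, not a real observation.
SAMPLE_LOG = """\
Sep 18 10:30:40 angua abacus_sentry[418]: attackalert: Connect from host: bf-web.bord-failte.iol.ie/194.125.40.195 to TCP port: 137
Sep 18 10:30:40 angua abacus_sentry[418]: attackalert: Host 194.125.40.195 has been blocked via wrappers.
Sep 18 10:30:40 angua abacus_sentry[418]: attackalert: Host 194.125.40.195 has been blocked via dropped route.
Sep 18 10:30:42 angua abacus_sentry[418]: attackalert: Connect from host: bf-web.bord-failte.iol.ie/194.125.40.195 to TCP port: 137
Sep 18 10:30:42 angua abacus_sentry[418]: attackalert: Host: 194.125.40.195 is already blocked. Ignoring
Sep 18 11:02:13 angua abacus_sentry[418]: attackalert: Connect from host: example.invalid/192.0.2.7 to TCP port: 137
"""

# "Connect from host: <name>/<ip> to <TCP|UDP> port: <n>"
CONNECT_RE = re.compile(
    r"attackalert: Connect from host: (?P<host>\S+)/(?P<ip>[\d.]+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)
# "Host <ip> has been blocked via <mechanism>."  (the "already blocked" line
# uses "Host:" with a colon and is deliberately not matched here)
BLOCKED_RE = re.compile(r"attackalert: Host (?P<ip>[\d.]+) has been blocked via (?P<how>.+)\.")


def summarize(log_text):
    """Return (attempts per (ip, proto, port), blocking mechanisms per ip)."""
    connects = Counter()          # (ip, proto, port) -> number of attempts
    blocks = defaultdict(set)     # ip -> {"wrappers", "dropped route", ...}
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            connects[(m["ip"], m["proto"], int(m["port"]))] += 1
            continue
        m = BLOCKED_RE.search(line)
        if m:
            blocks[m["ip"]].add(m["how"])
    return connects, dict(blocks)


def sources_per_port(connects):
    """Count distinct source IPs per (proto, port): many sources on one
    port points at a protocol-level cause rather than a single scanner."""
    per_port = defaultdict(set)
    for ip, proto, port in connects:
        per_port[(proto, port)].add(ip)
    return {k: len(v) for k, v in per_port.items()}


if __name__ == "__main__":
    attempts, blocked = summarize(SAMPLE_LOG)
    for key, n in sorted(attempts.items()):
        print(f"{key[0]:>16} {key[1]}/{key[2]}: {n} attempt(s), blocked via {sorted(blocked.get(key[0], []))}")
    print("distinct sources per port:", sources_per_port(attempts))
```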
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:04:34 GMT