No announcement yet.


  • Filter
  • Time
  • Show
Clear All
new posts

  • Advisory!!!

    Port 137 Scans.
    published: 2002-10-01

    --- update ---
    We now believe that these port 137 scans are due to the 'Bugbear'
    mass mailing virus and the 'Scrup' worm.



    UDP packets for port 137 are nothing unusual. Windows file sharing uses
    port 137 for its own NETBIOS name service, which is used similar to DNS
    to translate IP addresses into netbios hostnames.

    Frequently, Windows machines will use this function during regular Internet
    activity, if asked to reverse resolve an IP address and not being able to
    do so via DNS. In this case, the machine may connect to the IP it is asked
    to reverse resolve and request a netbios host name.

    However, aside from this very common and harmless activity, these lookups
    are also a first step for accessing shared resources on the target machine.
    As such, port 137 packets can be seen as initial reconnaissance and if
    successful, a connection to the share resources using port 139 is sure
    to follow.

    There are a number of well known worm and IRC controlled 'bots' that
    attempt to use unprotected shared drives to deposit malware or just to
    use them as repositories for various 'warez'. Usually, these bots scan
    given subnets sequentially, and depending on the size of the bot-network
    and the size of the target network, these scans can be rather noisy.

    Scans reported over the last few days appear to be more widespread then
    these more commonly seen 'bot net scans'.

    While we do have honeypots that appear to have been scanned, none of them
    has been compromised at this point. However, given the ubiquity of port
    137 scans under normal conditions, it is not certain if everyone is
    reporting hits from the same 'bug'.

    If you have more information, please share them with [email protected] .

    Johannes Ullrich. CTO Internet Storm Center. [email protected]