Port Details - Port 137

Aug 03 1,806 Aug 04 1,580 Aug 05 1,660 Aug 06 1,691 Aug 07 1,108 Aug 08 1,024 Aug 09 1,505 Aug 10 1,666 Aug 11 1,506 Aug 12 1,598 Aug 13 1,421 Aug 14 1,083 Aug 15 1,027 Aug 16 1,593 Aug 17 1,549 Aug 18 1,680 Aug 19 1,605 Aug 20 1,418 Aug 21 1,057 Aug 22 986 Aug 23 1,662 Aug 24 1,612 Aug 25 1,607 Aug 26 1,535 Aug 27 1,524 Aug 28 1,067 Aug 29 983 Aug 30 1,394 Aug 31 1,671 Sep 01 1,741 Sep 02 814 Aug 03 19,915 Aug 04 17,867 Aug 05 15,684 Aug 06 15,277 Aug 07 18,854 Aug 08 13,178 Aug 09 17,605 Aug 10 16,401 Aug 11 14,600 Aug 12 14,913 Aug 13 13,833 Aug 14 12,978 Aug 15 10,690 Aug 16 16,891 Aug 17 16,529 Aug 18 19,404 Aug 19 16,622 Aug 20 16,448 Aug 21 17,594 Aug 22 14,297 Aug 23 17,551 Aug 24 17,559 Aug 25 16,074 Aug 26 17,172 Aug 27 18,622 Aug 28 20,054 Aug 29 66,637 Aug 30 15,638 Aug 31 17,188 Sep 01 15,515 Sep 02 9,755
[show ascii data]
  • Start Date:
  • End Date:
  • Port:
  • Left Graph:
  • Right Graph:
  • Show Range:Yes No

Port Information

ProtocolServiceName
tcpnetbios-nsNETBIOS Name Service
udpnetbios-nsNETBIOS Name Service
tcpChode[trojan] Chode
tcpQaz[trojan] Qaz
udpMsinit[trojan] Msinit
[get complete service list]

User Comment

Submitted ByDate
Comment
Antonio Perez2009-10-04 18:45:22
About: Port 137 Begining 28/09/2002 I am receiving in my dynamic IP about 10 to 20 daily intrussion alerts from my firewall about this port (FWIN). Most of them (90%) came from other dynamic IP's given by my same ISP "RETENET" to other of their customers (62.174.0.0 - 62.174.127.255). I have told to <abuse@retevision.es> and <techretenet@retevision.es> twice, but they never answered my messages. Can I do anything mone to avoid this problem ?. Can you give me any additional information of this subject out of: http://isc.incidents.org/port_details.html?port=137 ?. Thanks. Antonio.
Norm2009-10-04 18:45:22
Stop the worms, new version of Opasoft (aka) Opaserv. Brasil.pif http://www.viruslist.com/eng/viruslist.html?id=52256 How to disable Netbios. Windows XP Open the Start menu Select "Connect To" (or "Settings", then "Network connections" if you're in Classic mode) Right-click on the network connection icon that connects you to the Internet Right click on "Properties" Open the "Networking" tab Highlight "Internet Protocol (TCP/IP)" Select "Properties". Click the "Advanced" button Open the "WINS" tab. At the bottom of the window, select "Disable NetBIOS over TCP/IP" Click OK Click 'YES' or 'OK' to any messages that appear. Restart your computer. Windows 2000 Open the Control Panel Open the 'Network and Dial-up Connections' icon Right-click 'Local Area Connection' Select 'Properties' A window should open titled "Local Area Connection Properties" The middle of this window should have a list of components with checkboxes to their left. Select 'Internet Protocol (TCP/IP)' Click the 'Properties' button Click the 'Advanced' button Select the tab marked WINS At the bottom of the window, select "Disable NetBIOS over TCP/IP" Click OK Click 'YES' or 'OK' to any messages that appear. Restart your computer. Windows 95, 98, ME Open the Control Panel Open the 'Network' icon Scroll through the components listed in the Configuration tab until you find and select the entry marked "TCP/IP" for your network or dial-up adapter. Click the Properties button Open the NetBIOS tab Uncheck Enable NetBIOS over TCP/IP Open the Bindings tab Uncheck "Client for Microsoft Networks" and "File and printer sharing for Microsoft Networks" Click OK Click 'YES' or 'OK' to any messages that appear. Restart your computer. Good luck, Norm
Michael2006-06-11 19:51:19
You'll see a lot of these if you're running VMWare, usually from your subnet to the subnet vmware is using.
Marcus H. Sachs, SANS Institute2003-10-10 00:49:29
SANS Top-20 Entry: W5 Windows Remote Access Services http://isc.sans.org/top20.html#w5 NETBIOS -- Unprotected Windows Networking Shares Microsoft Windows provides a host machine with the ability to share files or folders across a network with other hosts through Windows network shares. The underlying mechanism of this feature is the Server Message Block (SMB) protocol, or the Common Internet File System (CIFS). These protocols permit a host to manipulate remote files just as if they were local. Although this is a powerful and useful feature of Windows, improper configuration of network shares may expose critical system files or may provide a mechanism for a nefarious user or program to take full control of the host. One of the ways in which I-Worm.Klez.a-h (Klez Family) worm, Sircam virus (see CERT Advisory 2001-22) and Nimda worm (see CERT Advisory 2001-26) spread so rapidly in 2001 was by discovering unprotected network shares and placing copies of themselves in them. Many computer owners unknowingly open their systems to hackers when they try to improve convenience for co-workers and outside researchers by making their drives readable and writeable by network users. But when care is taken to ensure proper configuration of network shares, the risks of compromise can be adequately mitigated.
Ken2002-12-25 22:35:10
This traffic is only 'normal' when the source and destination ports match and also, generally, when the source IP is on your own subnet. If the source port is not 137, e.g. 1024+n, there is likely a Wintel box at the other end infected with a worm. The prime candidate appears to be 'SCRSVR.EXE', AKA 'Opaserv', see: http://vil.nai.com/vil/content/v_99729.htm There also still appears to be some risk when the source *is* 137, see: http://www.sans.org/newlook/resources/IDFAQ/port_137.htm For the morbidly curious... more Opaserv info: http://www.sarc.com/avcenter/venc/data/w32.opaserv.worm.html http://www.sophos.com/virusinfo/analyses/w32opaserva.html http://www3.ca.com/virusinfo/Virus.asp?ID=13234 http://www.europe.f-secure.com/v-descs/opasoft.shtml http://www.kav.ch/avpve/worms/win32/opasoft.stm http://www.norman.no/virus_info/w32_opaserv_a.shtml http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPASERV.A
Johannes Ullrich2002-10-09 18:23:35
UDP packets on port 137 are used to perfom a Netbios name lookup. Within Microsoft's Windows file sharing, these lookups are similar to DNS in that they resolve an IP to a computer name and back. While many of these lookups are harmless and may be performed automatically if DNS or reverse DNS fails, they are also a first step to enumerate and maybe exploit open file shares. There are a number of viruses and worms that exploit open shares, most notably Bugbear. Also, a number of IRC controlled 'bots' spread using open file shares. Important: ALWAYS use a password to protect shared resources. However, Microsoft file sharing is intented for a closed LAN environment, and if at all possible should not be used accross the public Internet.
Add a comment

CVE Links

CVE #Description
CVE-2004-444 "Multiple vulnerabilities in SYMDNS.SYS for Symantec Norton Internet Security and Professional 2002 through 2004