Should I disable port 137?

zoop

Kerio 2.1.5 shows a program called SYSTEM trying to get out of my
XP Pro system and access port 137 on various IP addresses.

It seems this is to do with NetBIOS. Some of the IP addresses are
for Google. Another one was for something like "Verio".

Should I permit these connections? I have a standalone XP PC
attached by cable with two accounts. Do I need NetBIOS?

What changes should I make to my config?
 
Hello,

Follow these instructions at your discretion. Only you can
decide what protocols you are happy with and suit your
set up. Personally, I disable Netbios over TCP/IP.

http://isc.incidents.org/show_comment.php?id=32&isc=4429ee6af848e511de7e8da6e60d828e

There are plenty of other vulnerable ports and
protocols. This just means that they are the most
widely, commonly exploited. It does not mean that other
ports cannot be/are not being exploited.

Do netstat -an:

start>run>type cmd

carefully type netstat -an into the command line.

This will give you an insight into how many services are
running that have set ports "listening". Refer to SANS or
Google for any ports/terms you are not sure of.

http://www.blackviper.com

Contains a lot of information regarding service
configurations. It is up to you to experiment and find out
what works for you.

"SYSTEM" is probably Kerio's way of describing the
svchost - what the Sygate firewall would term "Generic host
process". It does not sound like anything you need worry
about. The moment you connect to the internet, BOOTS PC
will make an outgoing connection to your
DNS. It's "finding a space on the net" (in simple terms).
As you navigate around the Internet, connections are
made. The ones you need pay heed to are unsolicited
incoming connection attempts, and attempts by anything
within your computer that is attempting outbound
connection attempts - without your instigation.

You have a firewall, learn how to configure it. It takes a
while to refine settings to your liking, but
most "dangerous" ports are covered by the defaults.

Sadie
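
Added example, not part of the original post: one way to read the `netstat -an` listing described above and pick out the Microsoft networking ports that are still open. The sample output is constructed, the function name is hypothetical, and port 445 is an addition that the thread does not mention.

```python
# Ports 137-139 are the ones named in this thread. 445 (SMB directly over
# TCP) is an addition of this example, not something the posts mention.
WATCHED = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB over TCP",
}

# Constructed sample of Windows `netstat -an` output (not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1043      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:1044      203.0.113.9:139        TIME_WAIT
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1026           *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""


def listening_netbios(netstat_text):
    """Return (proto, port, bind_address, service) for each open watched port."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = fields[:3]
        state = fields[3] if len(fields) > 3 else ""
        # TCP accepts connections only in LISTENING. UDP has no state column;
        # a bound, unconnected socket shows "*:*" as its foreign address.
        if proto == "TCP" and state != "LISTENING":
            continue
        if proto == "UDP" and foreign != "*:*":
            continue
        # Split on the last colon so IPv6 forms such as [::]:445 also parse.
        host, _, port = local.rpartition(":")
        if port.isdigit() and int(port) in WATCHED:
            findings.append((proto, int(port), host, WATCHED[int(port)]))
    return findings


if __name__ == "__main__":
    for proto, port, host, service in listening_netbios(SAMPLE):
        print(f"{proto} {port:>4} on {host:<15} {service}")
```

The TIME_WAIT line in the sample has 139 as the remote port only, so it is not reported; only sockets bound locally on a watched port count.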
 
137 is used for netbios name resolution for Windows networking / file and
print sharing. This should definitely not be permitted out to the Internet.
If you only have one computer on your network that isn't using windows
networking to get files or printing services from other Windows computers on
your network, it should be safe to block it at the firewall and/or disable
it in Control Panel, Network or Network Neighborhood Properties. There are
some known attacks that use port 137, as you can see at www.incidents.org or
www.mynetwatchman.com

I believe some personal firewalls [and/or other applications] attempt to use
137 to try to get the computer name of the remote computer during an attack.
Those firewalls appear to allow the response packet from the presumably
hostile computer back in through the firewall by default, neither of which
would seem a good thing to do.
 
Oops! Sorry - press "enter" after typing the netstat -an
command. You probably knew that, but... just in case.

Sadie
 
First, if you don't know why to permit a connection, then don't
permit it. Second, Ports 137-139 are for Microsoft networking, so if
you don't network to another system for Network Neighborhood and the
like, you don't need them open. Third, and most disturbing, is you
mention attempts that are *outgoing*. While you should be blocking
these, you should find out the cause. You may already have a trojan
on your system attempting outbound access.

Jeff
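
Added example, not written by any poster in this thread: a way to sort the outbound port 137-139 attempts discussed in the two posts above into ordinary LAN name lookups and traffic leaving for the Internet, grouped by application and destination. The log layout, the sample entries and the function names are invented for the illustration and are not Kerio's format.

```python
import ipaddress
import re
from collections import Counter

NETBIOS_PORTS = {137, 138, 139}
# Private, link-local and loopback ranges treated as "the local network".
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]

# Hypothetical log layout invented for this example (not Kerio's format):
# date time direction protocol src:port -> dst:port application
LINE = re.compile(
    r"^\S+ \S+ (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
    r"[\d.]+:\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<app>.+)$")

# Constructed entries; public addresses are from the documentation ranges.
SAMPLE_LOG = """\
2004-03-01 10:15:02 OUT UDP 192.168.1.10:137 -> 203.0.113.7:137 SYSTEM
2004-03-01 10:15:09 OUT UDP 192.168.1.10:137 -> 203.0.113.7:137 SYSTEM
2004-03-01 10:15:30 OUT UDP 192.168.1.10:137 -> 192.168.1.255:137 SYSTEM
2004-03-01 10:16:11 OUT TCP 192.168.1.10:1045 -> 198.51.100.20:80 IEXPLORE.EXE
2004-03-01 10:17:40 IN UDP 198.51.100.99:1027 -> 192.168.1.10:137 SYSTEM
2004-03-01 10:18:05 OUT UDP 192.168.1.10:137 -> 198.51.100.44:137 SYSTEM
"""


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def netbios_leaving_lan(log_text):
    """Count outbound NetBIOS packets per (application, Internet address)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["dir"] != "OUT":
            continue  # unparsed line, or inbound traffic
        if int(m["dport"]) not in NETBIOS_PORTS:
            continue
        try:
            if is_local(m["dst"]):
                continue  # LAN broadcast or neighbour: normal name lookup
        except ValueError:
            continue  # malformed address in the log line
        hits[(m["app"], m["dst"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for (app, dst), count in netbios_leaving_lan(SAMPLE_LOG).items():
        print(f"{app} -> {dst}: {count} outbound NetBIOS packet(s)")
```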
 
Jeff,

Zoop should run a full virus scan in safe mode - that's a
given. However, the mention of Verio.inc made it occur to
me that it could be as simple as a data mining
cookie/spyware.
Furthermore, I recall that when I used to run Sygate's
free firewall, my computer would often connect to
verio.inc for periods of time.
Since a back trace and a heck of a lot of Googling led
me to conclude that Verio.inc are somehow affiliated with
Sygate, I thought this was the price I'd paid for
installing free software. Verio.inc are intrusive data
miners. Perhaps Verio.inc sponsors Kerio?

This might be relevant, and worth mentioning. I'd just hate
to cause undue distress by describing scenarios too
complicated for beginners to comprehend. The thought of
someone struggling to detect a trojan process that may or
may not exist upsets me. Learning all this stuff is
confusing and exhausting.

Zoop:

Run a full virus scan, in safe mode, if you are able.

This is a free anti-trojan programme:

http://www.emsisoft.com/en/software/free/

It is on-demand, so it should not interfere with the
real-time AV you are (hopefully!) running.

Download it, install it, update it and run a full scan of
your O.S. It will also scan in safe mode.

IF you discover a Trojan/virus, we'll cross that bridge
when we come to it.

Sadie
 

I would also suggest disabling the Microsoft networking components.
Turn off the browser, workstation, server, remote registry access,
etc. Make sure you only have tcpip bound to your internet connection.

You've got a software based firewall, I assume you're also running
appropriate antivirus? You've probably got a virus.

I also recommend spybot and spywareblaster to anyone who will listen
as they are great tools for removing spyware and blocking stuff like
gator from getting in through IE.

-Chris
 
Karl Levinson [x y] mvp said:
137 is used for netbios name resolution for Windows networking
/ file and print sharing. This should definitely not be
permitted out to the Internet. If you only have one computer
on your network that isn't using windows networking to get
files or printing services from other Windows computers on
your network, it should be safe to block it at the firewall
and/or disable it in Control Panel, Network or Network
Neighborhood Properties. There are some known attacks that
use port 137, as you can see at www.incidents.org or
www.mynetwatchman.com

I believe some personal firewalls [and/or other applications]
attempt to use 137 to try to get the computer name of the
remote computer during an attack. Those firewalls appear to
allow the response packet from the presumably hostile computer
back in through the firewall by default, neither of which
would seem a good thing to do.


The only item I have got is TCP/IP in the connection's Properties.
I can see this by going to:

Control Panel > Network > my connection's Properties > General

Is it sufficient to disable Netbios by going to that TCP/IP's
Properties > General > Advanced > WINS > disable Netbios?

Or do I need to make other changes too?
 
Open Kerio - click on "help"
Go to security settings - Microsoft Networking
You will find this with pictures:

"Kerio Personal Firewall allows separate rules for a Microsoft Network environment. These settings are available in the Advanced section in the Microsoft Networking tab."
"If you have a stand-alone computer that is not connected to a local network (e.g. a notebook connected to the Internet via a modem), only enable the option "For Microsoft Networking Use These Rules Instead Of Filter Rules". Leave all other options off. This will disable all communication for Microsoft Networks as it is not relevant to this scenario."

So, click on Administration, click Advanced, click on Microsoft Networking tab, and verify that is the only option checked. This will block all traffic over your netbios ports entirely, in both directions.
The others would only be checked if you have a local network. Read all the help files.

mae
 
