Computer Security - Should I disable port 137?

#1

Kerio 2.1.5 shows a program called SYSTEM trying to get out of my XP Pro system and access port 137 on various IP addresses.

It seems this is to do with NetBIOS. Some of the IP addresses are for Google. Another one was for something like "Verio".

Should I permit these connections? I have a standalone XP PC attached by cable with two accounts. Do I need NetBIOS?

What changes should I make to my config?

zoop

#2

137 is used for netbios name resolution for Windows networking / file and print sharing. This should definitely not be permitted out to the Internet. If you only have one computer on your network that isn't using windows networking to get files or printing services from other Windows computers on your network, it should be safe to block it at the firewall and/or disable it in Control Panel, Network or Network Neighborhood Properties. There are some known attacks that use port 137, as you can see at www.incidents.org or www.mynetwatchman.com

I believe some personal firewalls [and/or other applications] attempt to use 137 to try to get the computer name of the remote computer during an attack. Those firewalls appear to allow the response packet from the presumably hostile computer back in through the firewall by default, neither of which would seem a good thing to do.

"zoop" <> wrote in message news:94EB68FA1810D31E75@194.168.222.122...
> Kerio 2.1.5 shows a program called SYSTEM trying to get out of my
> XP Pro system and access port 137 on various IP addresses.
>
> It seems this is to do with NetBIOS. Some of the IP addresses are
> for Google. Another one was for something like "Verio".
>
> Should I permit these connections? I have a standalone XP PC
> attached by cable with two accounts. Do I need NetBIOS?
>
> What changes should I make to my config?

Karl Levinson [x y] mvp

#3

On Sun, 16 May 2004 10:19:10 +0100, zoop <> wrote:

>Kerio 2.1.5 shows a program called SYSTEM trying to get out of my
>XP Pro system and access port 137 on various IP addresses.
>
>It seems this is to do with NetBIOS. Some of the IP addresses are
>for Google. Another one was for something like "Verio".
>
>Should I permit these connections? I have a standalone XP PC
>attached by cable with two accounts. Do I need NetBIOS?
>
>What changes should I make to my config?

First, if you don't know why to permit a connection, then don't permit it. Second, Ports 137-139 are for Microsoft networking, so if you don't network to another system for Network Neighborhood and the like, you don't need them open. Third, and most disturbing, is you mention attempts that are *outgoing*. While you should be blocking these, you should find out the cause. You may already have a trojan on your system attempting outbound access.

Jeff

Jeff Cochran

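
One way to act on the advice above to find out the cause of outgoing port 137 traffic, as an added example that is not part of the original thread: decode the NetBIOS name service question in a captured UDP/137 datagram and report whether its destination is off the local network. The function names, the list of "local" ranges and the sample datagram are constructed for illustration.

```python
import ipaddress
import struct

QTYPES = {0x0020: "NB (name query)", 0x0021: "NBSTAT (node status)"}
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}
# Assumption: treat RFC 1918, link-local and limited broadcast as "on the LAN"
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "169.254.0.0/16", "255.255.255.255/32")]

def decode_nb_name(encoded: bytes) -> str:
    """Undo NetBIOS first-level encoding: two letters 'A'..'P' per name byte."""
    if len(encoded) != 32 or any(not 0x41 <= b <= 0x50 for b in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    # 15 name bytes plus a 1-byte suffix; padding is spaces (NULs after '*')
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace")

def parse_nbns_question(payload: bytes) -> dict:
    """Parse the 12-byte header and the first question of a UDP/137 datagram."""
    if len(payload) < 12 + 1 + 32 + 1 + 4:
        raise ValueError("datagram too short for an NBNS question")
    _id, flags, qdcount = struct.unpack_from("!HHH", payload, 0)
    if qdcount < 1 or payload[12] != 0x20 or payload[45] != 0x00:
        raise ValueError("no well-formed question section")
    qtype, _qclass = struct.unpack_from("!HH", payload, 46)
    return {
        "is_response": bool(flags & 0x8000),
        "opcode": OPCODES.get((flags >> 11) & 0xF, "unknown"),
        "name": decode_nb_name(payload[13:45]),
        "qtype": QTYPES.get(qtype, hex(qtype)),
    }

def triage(dst_ip: str, payload: bytes) -> dict:
    """Combine the decoded question with whether the destination is off-LAN."""
    info = parse_nbns_question(payload)
    addr = ipaddress.ip_address(dst_ip)
    info["leaves_lan"] = not any(addr in net for net in LAN_NETS)
    return info

# Constructed sample: a node-status query for the wildcard name '*'
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x0000, 1, 0, 0, 0)
          + b"\x20" + b"CK" + b"A" * 30 + b"\x00"
          + struct.pack("!HH", 0x0021, 0x0001))

if __name__ == "__main__":
    print(triage("203.0.113.10", SAMPLE))
```

A node-status query for `*` asks the destination for its NetBIOS name table, which is the "get the computer name of the remote computer" lookup mentioned in post #2.
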
#4

On Sun, 16 May 2004 13:42:29 GMT, (Jeff Cochran) wrote:

>On Sun, 16 May 2004 10:19:10 +0100, zoop <> wrote:
>
>>Kerio 2.1.5 shows a program called SYSTEM trying to get out of my
>>XP Pro system and access port 137 on various IP addresses.
>>
>>It seems this is to do with NetBIOS. Some of the IP addresses are
>>for Google. Another one was for something like "Verio".
>>
>>Should I permit these connections? I have a standalone XP PC
>>attached by cable with two accounts. Do I need NetBIOS?
>>
>>What changes should I make to my config?
>
>First, if you don't know why to permit a connection, then don't
>permit it. Second, Ports 137-139 are for Microsoft networking, so if
>you don't network to another system for Network Neighborhood and the
>like, you don't need them open. Third, and most disturbing, is you
>mention attempts that are *outgoing*. While you should be blocking
>these, you should find out the cause. You may already have a trojan
>on your system attempting outbound access.
>
>Jeff

I would also suggest disabling the Microsoft networking components. Turn off the browser, workstation, server, remote registry access, etc. Make sure you only have tcpip bound to your internet connection. You've got a software based firewall, I assume you're also running appropriate antivirus? You've probably got a virus. I also recommend spybot and spywareblaster to anyone who will listen as they are great tools for removing spyware and blocking stuff like gator from getting in through IE.

-Chris
chris@nospam.com

#5

"Karl Levinson [x y] mvp" <> wrote:

> 137 is used for netbios name resolution for Windows networking
> / file and print sharing. This should definitely not be
> permitted out to the Internet. If you only have one computer
> on your network that isn't using windows networking to get
> files or printing services from other Windows computers on
> your network, it should be safe to block it at the firewall
> and/or disable it in Control Panel, Network or Network
> Neighborhood Properties. There are some known attacks that
> use port 137, as you can see at www.incidents.org or
> www.mynetwatchman.com
>
> I believe some personal firewalls [and/or other applications]
> attempt to use 137 to try to get the computer name of the
> remote computer during an attack. Those firewalls appear to
> allow the response packet from the presumably hostile computer
> back in through the firewall by default, neither of which
> would seem a good thing to do.

The only item I have got is TCP/IP in the connection's Properties. I can see this by going to: Control Panel > Network > my connection's Properties > General

Is it sufficient to disable Netbios by going to that TCP/IP's Properties > General > Advanced > WINS > disable Netbios? Or do I need to make other changes too?

Zoop