Re: Listener on ports 137, 138, 139

[Scott Fendley <scottf () uark edu>]

I will take a crack at this one.   These port numbers are used by 
Microsoft's net-bios protocol.  This is the protocol that you are using to 
map drives between workstations among other uses.

The address in question is in a reserved address space that the MS TCP/IP 
stack uses until a DHCP/bootp response has been received.

So all of this is normal operating environment on your windows 
PC.  Personally, if you do not find the need to map drives or browse the 
Microsoft Network, I would drop the Client for Microsoft Networks and the 
Netbeui/netbios capabilities on your computer.  If you must map drives, 
then I would set your firewall software to reject netbios traffic except 
from a particular IP or IP block.  This will minimize your exposure to the 
outside world.

Hopefully, I haven't lost you in my response too much.  If you have more 
questions about this above, I will try to assist you as much as I can.

Scott

At 07:27 PM 10/15/2002 +0200, Rune Berntzen wrote:
> Hi all,
>
> When checking port activity using TCPView I notice that I have a =
> listener on ports 137,138 and 139.
> The Local Address seems  to be from a Class B network, 169.254.0.0, =
> which I trace to something called=20
>
> BLACKHOLE-1.IANA.ORG
>
> using SmartWhois.
>
> The funny thing is that the LISTENING  entries are visible in TCPView =
> even before I connect to my ADSL provider.
>
> Anybody has an idea about what this can be.
>
> BTW, I am running Norton Internet Security 2001 with updatet virus =
> definitions.
>
> Thanks in advance,
> Rune

---
Scott Fendley                           scottf () uark edu
Systems/Security Analyst                (479) 575-2022
University of Arkansas                  (479) 575-4753 fax