Firewall Wizards mailing list archives

Re: UDP port 137


From: "John Kozubik" <john_kozubik_dc () hotmail com>
Date: Sat, 30 Jan 1999 18:41:46 PST

First off, whenever scans are taking place, you should be concerned - 
period.  This is because it is impossible for you to determine whether 
the scans are accidental, the work of children, or precursors to more 
sophisticated attacks.

That said, UDP port 137 will only be a serious issue for you if you run 
Windows machines and do not block traffic on UDP/TCP 135 - 139.  This is 
an issue because Microsoft encapsulates NetBIOS information within 
TCP/IP using these ports.  It is trivial for an attacker to issue the 
following command:

nbtstat -A (your IP address)

from their Windows machine and collect information about your Windows 
machine (if you are not blocking this traffic at your borders).  
Further, the command:

net view \\IP

will show shares available on your Windows machine.  Finally, the use of 
the 'net use' commands can map drives across the internet to your 
computer (if you do not password protect your shares) or brute force 
your password to these shares (if you do).

I would not be too worried though.  If you are clueful enough to have a 
utility that has alerted you to this, but do not know the significance 
of UDP 137, it is probably because you are a non-Windows shop.  If, for 
some reason, you do support Windows, just make sure that you block 
traffic (both UDP and TCP) to the ports I mentioned above.

And keep your eyes peeled - it's probably just kids looking for a place 
to install Back Orifice, but then again, it could be a well-funded 
hostile government attempting to pillage your corporate data :)

kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE  AD87 520F 57BE 850B E4C4
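
An added example, not part of the original post: a small audit that checks whether a border ruleset denies both UDP and TCP on every port from 135 to 139, as the post recommends. The rule syntax, the first-match evaluation and the sample rulesets are assumptions constructed for illustration, not any real firewall's format.

```python
# Added example: audit a border ruleset for gaps in blocking UDP/TCP 135-139.
# The rule format "action proto low[-high]" is hypothetical, not a real
# firewall's syntax. Rules are evaluated first-match, top to bottom.

NETBIOS_PORTS = range(135, 140)   # 135-139 inclusive, as named in the post
PROTOCOLS = ("tcp", "udp")

def parse_rule(line):
    """Parse 'deny udp 137-139' or 'deny tcp 139' into a tuple."""
    action, proto, ports = line.split()
    low, _, high = ports.partition("-")
    return action, proto, int(low), int(high or low)

def decision(rules, proto, port, default="allow"):
    """Return the action of the first rule matching (proto, port)."""
    for action, rproto, low, high in rules:
        if rproto in (proto, "any") and low <= port <= high:
            return action
    return default

def netbios_gaps(ruleset_text, default="allow"):
    """List every (proto, port) in 135-139 that inbound traffic can reach."""
    rules = [parse_rule(l) for l in ruleset_text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    return [(p, port) for p in PROTOCOLS for port in NETBIOS_PORTS
            if decision(rules, p, port, default) != "deny"]

# Constructed sample rulesets.
WEAK = """
# partial block: misses 135/136 and covers each port on one protocol only
deny udp 137-138
deny tcp 139
allow any 1-65535
"""
FIXED = """
deny tcp 135-139
deny udp 135-139
allow any 1-65535
"""
SHADOWED = """
# the deny is correct but an earlier allow matches TCP first
allow tcp 1-1023
deny any 135-139
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("FIXED", FIXED), ("SHADOWED", SHADOWED)):
        print(name, netbios_gaps(text) or "no gaps")
```

The SHADOWED case shows why rule order matters in a first-match ruleset: the block has to come before any broader allow.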

