In most cases, queries against 139 are attacks. 139 is the netbios
session port. You more typically see banging on 137 which is the
netbios name query port. Win95 boxes and some NT boxes plugged into the
net will always try to do netbios name queries for stuff. It's quite
annoying, but easier to filter than jump up and down about. 139 on the
other hand usually elicits a stern message to the sys admins from me.

In one case recently, an ISP had a customer hacking through their system
and portscanning all over the place on 139 looking for loosely secured
NT boxes. Hit us (and others), we screamed (including time stamped log
records), he was caught.

The ICQ documentation says it uses UDP 4000 and 3 TCP ports (above
1023). Doesn't say anything about establishing netbios sessions, so...
looks fishy.

Disclaimer: I rarely am completely "with it" at 4:30 in the am.

regards
Andy

> -----Original Message-----
> From: Andreas Engel [SMTP:Andreas . Engel @ cylink . net]
> Sent: Thursday, June 19, 1997 10:09 AM
> To: Firewalls @ GreatCircle . COM
> Subject: ICQ and port 139
>
> hello world,
>
> i found out that this program ICQ from MIRABILIS sends some strange
> queries out.
> it's a request from port 40 to port 139. port 139 is, so far i know,
> used for netbios over tcp ... what the hell they are looking for on
> this port. is this something against the security?-) or do they have
> another reason to do this so ?-).. i can not explain this to me
> and i would be happy if somebody could help me in understanding this.
> i hope you could read my english. ;-)
>
> thanx Andreas Engel :)