Port 137/138 accesses within home network


Author: AndyHancock
Date: Apr 20, 2008 11:53

A few newly installed applications required a modification of firewall
rules, which prompted me to clean up the convolution of rules that
I've amassed over the years. Afterward, I started to get regular
outbound UDP connections from "SYSTEM" to 192.168.1.255, ports
137-138. Much web searching ensued. It could be bad
(http://www.linklogger.com/UDP137.htm) or just IP/name resolutions
(http://www.iss.net/security_center/advice/Exploits/Ports/137/default.htm
and others).

This is a very simple home network, consisting of a DSL modem/router,
and zero to two laptops connected via LAN cable to WiFi (either
Windows 2000 or WindowsXP). One page visited was
http://support.microsoft.com/default.aspx?scid=kb;en-us;832017. It
looks like it was meant for non-home IT folk, possibly with a degree
in the area.
Re: Port 137/138 accesses within home network         


Author: Mr. Arnold
Date: Apr 20, 2008 12:56

"AndyHancock" gmail.com> wrote in message
news:cf517268-ebab-4179-bae7-163fa6fab444@c65g2000hsa.googlegroups.com...
> Aside from the advisability of the access rule, why would such accesses
> be attempted to 192.168.1.255? There is nothing there.

The operative word here is *wireless*. I'll assume that the other machines
are using an IP in the 192.168.1.xxx range. I'll assume you're using the
DHCP server on the router to issue DHCP IP(s) to the computers on the
network, which are being kept in the DHCP table on the router so that you
can see them.

The wireless side of your network could be hacked, the hacker could be using
a static IP of 192.168.1.255, your DHCP server is not issuing IP(s) out that
far so none of your machines are going to use that IP out that far. Static
IP(s) are not kept in the router's DHCP table, so you can't see them in
use.

So, there can be a machine that is using that IP wirelessly by a wireless
hacker.

It's a possibility.
Re: Port 137/138 accesses within home network         


Author: Sebastian G.
Date: Apr 20, 2008 12:58

AndyHancock wrote:
> Laptops on this "network" are likely to be installed with standard
> security applications (firewall, AV, Spybot Search&Destroy).

So they're likely to be compromised.
Re: Port 137/138 accesses within home network         


Author: Steve Riley [MSFT]
Date: Apr 20, 2008 19:34

192.168.1.255 is the broadcast address for the subnet 192.168.1.0/24
(192.168.1.xxx) -- in this case, your home network. It's highly unlikely
that there's an attacker on this address, because TCP/IP doesn't allow a
machine to be configured with an IP address the same as a broadcast address.
When a computer wants to send broadcast traffic to all other computers in
the subnet, it creates traffic with a destination address of that subnet's
broadcast address.

So in this case, your computer is simply doing its normal thing in Windows
networking, using broadcasts to announce itself and discover other computers
nearby. It's nothing to worry about. Your DSL router won't be allowing these
to go beyond your home network.

Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

"Mr. Arnold" Arnold.com> wrote in message
news:lb6dncc7YfGWPZbVnZ2dnUVZ_t-nnZ2d@earthlink.com...
>
> "AndyHancock" gmail.com> wrote in message
> news:cf517268-ebab-4179-bae7...
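
The broadcast-address explanation in Steve Riley's reply, worked as an added example (not code from the thread or from any poster): it classifies outbound UDP 137/138 firewall-log entries by whether the destination is the sender's subnet broadcast address. The log format, the source address 192.168.1.10 and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# UDP ports discussed in the thread.
NETBIOS_UDP = {137: "name service", 138: "datagram service"}

# Constructed log format (an assumption, not any real firewall's output):
# <date> <time> OUT UDP <src>:<sport> -> <dst>:<dport> <process>
LINE_RE = re.compile(r"OUT UDP (\S+):(\d+) -> (\S+):(\d+) (\S+)$")

def classify(local_if, dst_ip, dst_port):
    """Classify one outbound UDP destination relative to the sender's subnet.

    local_if is the sender's address with prefix length, e.g. '192.168.1.10/24'.
    """
    if dst_port not in NETBIOS_UDP:
        return "not-netbios"
    net = ipaddress.ip_interface(local_if).network
    dst = ipaddress.ip_address(dst_ip)
    if dst == net.broadcast_address:
        return "subnet-broadcast"   # normal announce/discovery traffic
    if dst in net:
        return "local-unicast"      # directed at one host on the LAN
    return "off-subnet"             # NetBIOS leaving the LAN: worth a look

def review(log_lines, prefix_len=24):
    """Return (destination, port, verdict) for each parsable log line."""
    results = []
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, _sport, dst, dport, _proc = m.groups()
        verdict = classify(f"{src}/{prefix_len}", dst, int(dport))
        results.append((dst, int(dport), verdict))
    return results

# Constructed sample entries; the source address 192.168.1.10 is assumed.
SAMPLE_LOG = [
    "2008-04-20 11:40:02 OUT UDP 192.168.1.10:137 -> 192.168.1.255:137 SYSTEM",
    "2008-04-20 11:40:05 OUT UDP 192.168.1.10:138 -> 192.168.1.255:138 SYSTEM",
    "2008-04-20 11:41:10 OUT UDP 192.168.1.10:137 -> 192.168.1.20:137 SYSTEM",
    "2008-04-20 11:42:30 OUT UDP 192.168.1.10:137 -> 203.0.113.7:137 SYSTEM",
]

if __name__ == "__main__":
    for dst, port, verdict in review(SAMPLE_LOG):
        print(f"{dst}:{port:<4} {verdict}")
```

Whether an address ending in .255 is the broadcast address depends on the prefix length: with a /25 mask on the same host, 192.168.1.255 falls outside the local subnet and the broadcast address is 192.168.1.127.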
Re: Port 137/138 accesses within home network         


Author: AndyHancock
Date: Apr 20, 2008 20:25

On Apr 20, 3:56 pm, "Mr. Arnold" Arnold.com> wrote:
> "AndyHancock" gmail.com> wrote in message
>
> news:cf517268-ebab-4179-bae7-163fa6fab444@c65g2000hsa.googlegroups.com...
>
>> Aside from the advisability of the access rule, why would such accesses
>> be attempted to 192.168.1.255? There is nothing there.
>
> The operative word here is *wireless*. I'll assume that the other machines
> are using an IP in the 192.168.1.xxx range. I'll assume you're using the
> DHCP server on the router to issue DHCP IP(s) to the computers on the
> network, which are being kept in the DHCP table on the router so that you
> can see them.
>
> The wireless side of your network could be hacked, the hacker could be using
> a static IP of 192.168.1.255, your DHCP server is not issuing IP(s) out that
> far so none of your machines are going to use that IP out that far. Static
> IP(s) are not kept in the router's DHCP table, so you can't see them in
> use.
> ...
Re: Port 137/138 accesses within home network         


Author: AndyHancock
Date: Apr 20, 2008 20:47

On Apr 20, 10:34 pm, "Steve Riley [MSFT]" microsoft.com>
wrote:
> 192.168.1.255 is the broadcast address for the subnet 192.168.1.0/24
> (192.168.1.xxx) -- in this case, your home network. It's highly unlikely
> that there's an attacker on this address, because TCP/IP doesn't allow a
> machine to be configured with an IP address the same as a broadcast address.
> When a computer wants to send broadcast traffic to all other computers in
> the subnet, it creates traffic with a destination address of that subnet's
> broadcast address.
>
> So in this case, your computer is simply doing its normal thing in Windows
> networking, using broadcasts to announce itself and discover other computers
> nearby. It's nothing to worry about. Your DSL router won't be allowing these
> to go beyond...