LinuxQuestions.org
Old 08-13-2004, 04:44 PM   #1
watchitman
LQ Newbie
 
Registered: Aug 2004
Posts: 4

Rep: Reputation: 0
Firestarter - lots of activity on ports 138, 137


I'm a home desktop user and know very little about security but I am on a cable modem connected to a home network four port router. Everything is on most of the day so I make sure I have a firewall running, even if I don't completely understand it - I am trying to learn though. Anyway, I recently installed Mandrake 10 (a clean install from 9.2) and I activated the basic firewall during the installation procedure. Today, I thought I'd install Firestarter because it has the nifty hit logging function. As soon as I started Firestarter, I got a series of hits:

Time: Aug 13 15:22:36 Source: 192.168.2.10 Destination: 192.168.2.255 In IF: eth0 Out IF: Port: 138 Length: 214 ToS: 0x00 Protocol: udp Service: netbios-dgm
Time: Aug 13 15:22:43 Source: 192.168.2.10 Destination: 192.168.2.255 In IF: eth0 Out IF: Port: 137 Length: 96 ToS: 0x00 Protocol: udp Service: netbios-ns
Time: Aug 13 15:22:49 Source: 192.168.2.10 Destination: 192.168.2.255 In IF: eth0 Out IF: Port: 138 Length: 214 ToS: 0x00 Protocol: udp Service: netbios-dgm
Time: Aug 13 15:24:42 Source: 192.168.2.10 Destination: 192.168.2.255 In IF: eth0 Out IF: Port: 137 Length: 78 ToS: 0x00 Protocol: udp Service: netbios-ns
Time: Aug 13 15:24:47 Source: 192.168.2.10 Destination: 192.168.2.255 In IF: eth0 Out IF: Port: 137 Length: 78 ToS: 0x00 Protocol: udp Service: netbios-ns
Time: Aug 13 15:24:47 Source: 192.168.2.10 Destination: 192.168.2.255 In IF: eth0 Out IF: Port: 138 Length: 202 ToS: 0x00 Protocol: udp Service: netbios-dgm

It went on like this for about 15 minutes then I got tired of looking at it and set a rule to block and stop logging port. Anyone know what all this activity is about?
 
Old 08-13-2004, 08:38 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
That looks like MS Windows netbios broadcasts from a host with the IP of 192.168.2.10. If you are on a network with MS Windows systems (esp. if one happens to have that IP), then seeing lots of netbios traffic isn't abnormal.
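
Added example (not part of either post): a short Python triage of Firestarter hit lines in the format quoted in the first post, separating NetBIOS broadcasts that stay on the LAN from hits that deserve a closer look. The /24 netmask for 192.168.2.0, the function names and the last sample line are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Field layout taken from the Firestarter hit lines quoted in the first post.
HIT_RE = re.compile(
    r"Time:\s*(?P<time>.+?)\s+Source:\s*(?P<src>\S+)\s+Destination:\s*(?P<dst>\S+)"
    r"\s+In IF:\s*(?P<in_if>\S*?)\s*Out IF:\s*(?P<out_if>\S*?)\s*Port:\s*(?P<port>\d+)"
    r".*?Protocol:\s*(?P<proto>\S+)\s+Service:\s*(?P<service>\S+)"
)
NETBIOS_UDP = {137, 138}  # netbios-ns and netbios-dgm, as named in the log


def classify(hit, lan):
    """Return 'lan-netbios-broadcast' for local NetBIOS chatter, else 'review'."""
    src = ipaddress.ip_address(hit["src"])
    dst = ipaddress.ip_address(hit["dst"])
    if (src in lan and dst == lan.broadcast_address
            and hit["proto"] == "udp" and int(hit["port"]) in NETBIOS_UDP):
        return "lan-netbios-broadcast"
    return "review"


def summarize(lines, lan_cidr):
    """Count hits per (source, port, verdict); unparseable lines are skipped."""
    lan = ipaddress.ip_network(lan_cidr)
    counts = Counter()
    for line in lines:
        m = HIT_RE.search(line)
        if m:
            counts[(m["src"], int(m["port"]), classify(m, lan))] += 1
    return counts


SAMPLE = [
    # First three lines are from the post; the last one is constructed for contrast.
    "Time: Aug 13 15:22:36 Source: 192.168.2.10 Destination: 192.168.2.255 In IF: eth0 Out IF: Port: 138 Length: 214 ToS: 0x00 Protocol: udp Service: netbios-dgm",
    "Time: Aug 13 15:22:43 Source: 192.168.2.10 Destination: 192.168.2.255 In IF: eth0 Out IF: Port: 137 Length: 96 ToS: 0x00 Protocol: udp Service: netbios-ns",
    "Time: Aug 13 15:22:49 Source: 192.168.2.10 Destination: 192.168.2.255 In IF: eth0 Out IF: Port: 138 Length: 214 ToS: 0x00 Protocol: udp Service: netbios-dgm",
    "Time: Aug 13 15:30:00 Source: 203.0.113.7 Destination: 192.168.2.20 In IF: eth0 Out IF: Port: 137 Length: 78 ToS: 0x00 Protocol: udp Service: netbios-ns",
]

if __name__ == "__main__":
    # lan_cidr is an assumption: the post shows only the broadcast address.
    for (src, port, verdict), n in sorted(summarize(SAMPLE, "192.168.2.0/24").items()):
        print(f"{src:15} udp/{port} x{n} -> {verdict}")
```

Hits that come back as `review` are the ones worth keeping in the log; the LAN broadcast group is what a drop-without-logging rule would quieten.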
 
  

