- Posts: 101
- Thank you received: 0
Question with port 137
20 years 11 months ago #2027
by Neon
Question with port 137 was created by Neon
I know this will lack in detail but I would like to know if this can be done....
I run windows on my gateway, and someone told my sister that they got our IP address through MSN Messenger (not really concerned about that), then they said that they 'Entered' the gateway through port 137, accessed the registry and stole the cd-key.
I do run a firewall on the server, and have done security checks and all the ports I can see (definitely 137) are on stealth status.
Just want to ask is it actually possible to do what I described above?
I'm still waiting to talk to this person again and see how he done it (if it’s true)
I run windows on my gateway, and someone told my sister that they got our IP address through MSN Messenger (not really concerned about that), then they said that they 'Entered' the gateway through port 137, accessed the registry and stole the cd-key.
I do run a firewall on the server, and have done security checks and all the ports I can see (definitely 137) are on stealth status.
Just want to ask is it actually possible to do what I described above?
I'm still waiting to talk to this person again and see how he done it (if it’s true)
20 years 11 months ago #2032
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Re: Question with port 137
Neon,
If they told you they accessed your computer and stole the cdkey, did they present any data to prove that or did you take their word that they managed to break into the pc?
On the other hand, if you blocked port 137, and they did get in, there are three possibilities that I can think of:
1) Your firewall somehow allowed the port, due to a misconfiguration or bug which you might be unaware of.
2) Port 139, 138 were used to complete the attack. Windows uses ports 137, 138 and 139 but i cant remember what each are for... (its 9pm and im still at work :> )
3) -The most likely one aswell - , they got in through another program, eg messenger, mirc or some type of peer-to-peer application.
There are a number of holes and bugs in the various programs we use, so anyone with enough knowledge is able to use them to gain access to data we want to protect.
You might also want to run a personal firewall if the data on the server is sensitive.
Hope this helps.
Cheers,
If they told you they accessed your computer and stole the cdkey, did they present any data to prove that or did you take their word that they managed to break into the pc?
On the other hand, if you blocked port 137, and they did get in, there are three possibilities that I can think of:
1) Your firewall somehow allowed the port, due to a misconfiguration or bug which you might be unaware of.
2) Port 139, 138 were used to complete the attack. Windows uses ports 137, 138 and 139 but i cant remember what each are for... (its 9pm and im still at work :> )
3) -The most likely one aswell - , they got in through another program, eg messenger, mirc or some type of peer-to-peer application.
There are a number of holes and bugs in the various programs we use, so anyone with enough knowledge is able to use them to gain access to data we want to protect.
You might also want to run a personal firewall if the data on the server is sensitive.
Hope this helps.
Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
20 years 11 months ago #2036
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Question with port 137
137 is NetBIOS Name Service, and 139 is NetBIOS Session...
Any half ass firewall will block inbound port 137 and 139 by default. These ports might become an issue if you were sharing files.. something that I assume you aren't doing..
Further more, for them to be able to get your IP address off MSN they would have to have a file transfer get started (there is another way that was recently spoken about on the security lists.. but the new version 6.1 covered that.. not to mention its would be very difficult to execute)
Next.. if someone had access to your machine.. the last thing they would do would be steal the CD-KEY from the registry.
Based on what you've told me, I'd be very highly inclined to think this is bullshit...
As Chris said.. wheres the proof ?
And take it from me, anyone who spends their time with 'hacks' like these are more likely to just delete your files than do anything else.
Just put some heat on them.. tell them your firewall logged the IP address and you've submitted to Dshield as well as sent off a mail to their ISP informing them about the matter.. tell them that you told their IP was listed at Dshield as an offender and the ISP is taking the matter very seriously.
In case you're the paranoid sort, I would just run a portscan over my machine.. from some machine on the other side of the firewall (you can get a friend to do it) and see what you see.
Oh yeah if they stole a CD-key they're also violating piracy laws (or so you can tell 'em )
Cheers,
Any half ass firewall will block inbound port 137 and 139 by default. These ports might become an issue if you were sharing files.. something that I assume you aren't doing..
Further more, for them to be able to get your IP address off MSN they would have to have a file transfer get started (there is another way that was recently spoken about on the security lists.. but the new version 6.1 covered that.. not to mention its would be very difficult to execute)
Next.. if someone had access to your machine.. the last thing they would do would be steal the CD-KEY from the registry.
Based on what you've told me, I'd be very highly inclined to think this is bullshit...
As Chris said.. wheres the proof ?
And take it from me, anyone who spends their time with 'hacks' like these are more likely to just delete your files than do anything else.
Just put some heat on them.. tell them your firewall logged the IP address and you've submitted to Dshield as well as sent off a mail to their ISP informing them about the matter.. tell them that you told their IP was listed at Dshield as an offender and the ISP is taking the matter very seriously.
In case you're the paranoid sort, I would just run a portscan over my machine.. from some machine on the other side of the firewall (you can get a friend to do it) and see what you see.
Oh yeah if they stole a CD-key they're also violating piracy laws (or so you can tell 'em )
Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
20 years 11 months ago #2038
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Question with port 137
Oh one more thing, I just had a look at your IP address (the forums let admins and moderators see the IP posted from) and it seems to be assigned to you dynamically... in other words every time you connect you're getting a different IP
I'm assuming you're posting from the supposedly 'compromised' machine. :roll:
You could have a look at the 'Locking Down Win9x' article under the 'Firewalls' section at the top of the site.. I'm not sure how up-to-date it is, but the same basic tenets apply everywhere.
Lemme know if theres anything else you want to know.
I'm assuming you're posting from the supposedly 'compromised' machine. :roll:
You could have a look at the 'Locking Down Win9x' article under the 'Firewalls' section at the top of the site.. I'm not sure how up-to-date it is, but the same basic tenets apply everywhere.
Lemme know if theres anything else you want to know.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
20 years 11 months ago #2044
by Dudbolt
Replied by Dudbolt on topic Re: Question with port 137
If you want to check the port 137, google over to gibson research centre and run the port scanner, some very interesting results can be had....
Db
Db
20 years 11 months ago #2045
by Neon
Replied by Neon on topic Re: Question with port 137
Thank ya for all the replies...
I agree with saying that it probably was BS, I ran ALL security tests on grc.com AND sygate security scan and they all came back as my system is going to be safe it can be for a windows based OS.
I run ZoneAlarm on the main server, so if it did get infected with a Trojan, well hopefully ZA would of come up with a popup box telling me this runme.exe program wanted to access the Internet .
(Just like that stupid email virus subject "I love you (IM not a VIRUS!)" haha I laughed my guts out that day)
Half of the problem is also my sister’s description. In her past using the Internet she did get a Trojan with the old excuse "Heres a screen saver", the bastard was doing the normal stuff kids do i.e. making cd-rom open and close, flip monitor etc... good to know she unplugged the comp straight away before anything else could of been done, so I do think that experience had let her a bit paranoid about if someone says they can get into our gateway, and to make it harder, this person she was talking to is an actual hacker, (i.e. has been banned from using a comp for a few years) or so I have heard.
But from where it stands now I think its total BS. But I do agree with you Chris saying that if he DID get in, it would have been because of MSN Messenger.
Note: Speaking of messenger sahirh, I found that out too with the old version.. Doing a file transfer, then I wondered if it was a direct connection, typed up netstat and there you go someone’s IP address
I agree with saying that it probably was BS, I ran ALL security tests on grc.com AND sygate security scan and they all came back as my system is going to be safe it can be for a windows based OS.
I run ZoneAlarm on the main server, so if it did get infected with a Trojan, well hopefully ZA would of come up with a popup box telling me this runme.exe program wanted to access the Internet .
(Just like that stupid email virus subject "I love you (IM not a VIRUS!)" haha I laughed my guts out that day)
Half of the problem is also my sister’s description. In her past using the Internet she did get a Trojan with the old excuse "Heres a screen saver", the bastard was doing the normal stuff kids do i.e. making cd-rom open and close, flip monitor etc... good to know she unplugged the comp straight away before anything else could of been done, so I do think that experience had let her a bit paranoid about if someone says they can get into our gateway, and to make it harder, this person she was talking to is an actual hacker, (i.e. has been banned from using a comp for a few years) or so I have heard.
But from where it stands now I think its total BS. But I do agree with you Chris saying that if he DID get in, it would have been because of MSN Messenger.
Note: Speaking of messenger sahirh, I found that out too with the old version.. Doing a file transfer, then I wondered if it was a direct connection, typed up netstat and there you go someone’s IP address
Time to create page: 0.133 seconds