Question with port 137

I know this will lack in detail but I would like to know if this can be done....

I run windows on my gateway, and someone told my sister that they got our IP address through MSN Messenger (not really concerned about that), then they said that they 'Entered' the gateway through port 137, accessed the registry and stole the cd-key.

I do run a firewall on the server, and have done security checks and all the ports I can see (definitely 137) are on stealth status.

Just want to ask is it actually possible to do what I described above?

I'm still waiting to talk to this person again and see how he done it (if it’s true)

Neon,

If they told you they accessed your computer and stole the cdkey, did they present any data to prove that or did you take their word that they managed to break into the pc?

On the other hand, if you blocked port 137, and they did get in, there are three possibilities that I can think of:

1) Your firewall somehow allowed the port, due to a misconfiguration or bug which you might be unaware of.

2) Port 139, 138 were used to complete the attack. Windows uses ports 137, 138 and 139 but i cant remember what each are for... (its 9pm and im still at work :> )

3) -The most likely one aswell - , they got in through another program, eg messenger, mirc or some type of peer-to-peer application.

There are a number of holes and bugs in the various programs we use, so anyone with enough knowledge is able to use them to gain access to data we want to protect.

You might also want to run a personal firewall if the data on the server is sensitive.

Hope this helps.

Cheers,

137 is NetBIOS Name Service, and 139 is NetBIOS Session...

Any half ass firewall will block inbound port 137 and 139 by default. These ports might become an issue if you were sharing files.. something that I assume you aren't doing..

Further more, for them to be able to get your IP address off MSN they would have to have a file transfer get started (there is another way that was recently spoken about on the security lists.. but the new version 6.1 covered that.. not to mention its would be very difficult to execute)

Next.. if someone had access to your machine.. the last thing they would do would be steal the CD-KEY from the registry.

Based on what you've told me, I'd be very highly inclined to think this is bullshit...

As Chris said.. wheres the proof ?

And take it from me, anyone who spends their time with 'hacks' like these are more likely to just delete your files than do anything else.

Just put some heat on them.. tell them your firewall logged the IP address and you've submitted to Dshield as well as sent off a mail to their ISP informing them about the matter.. tell them that you told their IP was listed at Dshield as an offender and the ISP is taking the matter very seriously.

In case you're the paranoid sort, I would just run a portscan over my machine.. from some machine on the other side of the firewall (you can get a friend to do it) and see what you see.

Oh yeah if they stole a CD-key they're also violating piracy laws (or so you can tell 'em )

Cheers,

Oh one more thing, I just had a look at your IP address (the forums let admins and moderators see the IP posted from) and it seems to be assigned to you dynamically... in other words every time you connect you're getting a different IP

I'm assuming you're posting from the supposedly 'compromised' machine. :roll:



You could have a look at the 'Locking Down Win9x' article under the 'Firewalls' section at the top of the site.. I'm not sure how up-to-date it is, but the same basic tenets apply everywhere.

Lemme know if theres anything else you want to know.

If you want to check the port 137, google over to gibson research centre and run the port scanner, some very interesting results can be had....

Db

Thank ya for all the replies...

I agree with saying that it probably was BS, I ran ALL security tests on grc.com AND sygate security scan and they all came back as my system is going to be safe it can be for a windows based OS.

I run ZoneAlarm on the main server, so if it did get infected with a Trojan, well hopefully ZA would of come up with a popup box telling me this runme.exe program wanted to access the Internet .
(Just like that stupid email virus subject "I love you (IM not a VIRUS!)" haha I laughed my guts out that day)

Half of the problem is also my sister’s description. In her past using the Internet she did get a Trojan with the old excuse "Heres a screen saver", the bastard was doing the normal stuff kids do i.e. making cd-rom open and close, flip monitor etc... good to know she unplugged the comp straight away before anything else could of been done, so I do think that experience had let her a bit paranoid about if someone says they can get into our gateway, and to make it harder, this person she was talking to is an actual hacker, (i.e. has been banned from using a comp for a few years) or so I have heard.

But from where it stands now I think its total BS. But I do agree with you Chris saying that if he DID get in, it would have been because of MSN Messenger.

Note: Speaking of messenger sahirh, I found that out too with the old version.. Doing a file transfer, then I wondered if it was a direct connection, typed up netstat and there you go someone’s IP address