Hacked!!! Question on port 137

Ralph Gustavsen

I've recently had my Linksys BEFSX41 router hacked.

I've installed a packet sniffer and am watching the logs. I'm noticing a
random UDP packet being sent out port 137 from my XP Pro box. It's going to a
few addresses in Asia. Should I be overly concerned with this? It happens in
safe mode which strikes me as odd. No viruses, trojans etc found.

Thanks in advance,

Ralph Gustavsen
 
Shenan Stanley

Ralph Gustavsen wrote:
> I've recently had my Linksys BEFSX41 router hacked.
>
> I've installed a packet sniffer and am watching the logs. I'm
> noticing a random UDP packet being sent out port 137 from my XP Pro
> box. It's going to a few addresses in Asia. Should I be overly
> concerned with this? It happens in safe mode which strikes me as
> odd. No viruses, trojans etc found.


Buy a new router and/or change all your passwords on the router - turn off
remote management completely in fact.
Did you have a software firewall on your computer(s) as well?

Password protected systems?
Diligent backups? (If so - you may be safest wiping and installing from
scratch on everyone and restoring only files/stuff you have backed up - not
system files, just your stuff.)

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
 
Ralph Gustavsen

I had remote flash enabled. Bad.

I've reflashed it with the latest, changed passwords. Lots of backups,
strong passwords on everything, Win2k3 Server and XP Pro.

I was just curious about the strange UDP packet going out. It looks like a
NetBIOS packet, I'm just not sure if I should be worried, or reformat.

Thanks!

"Shenan Stanley" wrote:

> Ralph Gustavsen wrote:
> > I've recently had my Linksys BEFSX41 router hacked.
> >
> > I've installed a packet sniffer and am watching the logs. I'm
> > noticing a random UDP packet being sent out port 137 from my XP Pro
> > box. It's going to a few addresses in Asia. Should I be overly
> > concerned with this? It happens in safe mode which strikes me as
> > odd. No viruses, trojans etc found.
>
>
> Buy a new router and/or change all your passwords on the router - turn off
> remote management completely in fact.
> Did you have a software firewall on your computer(s) as well?
>
> Password protected systems?
> Diligent backups? (If so - you may be safest wiping and installing from
> scratch on everyone and restoring only files/stuff you have backed up - not
> system files, just your stuff.)
>
> --
> Shenan Stanley
> MS-MVP
> --
> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html
>
>
>
 
Anteaus

Port 137 is used for NetBIOS name resolution, and it is normal to find
broadcasts going on all the time, within the confines of the LAN, or more
specifically within the local subnet. What is strange, though, is that your
router redirects these to the Internet. That shouldn't happen, and it
suggests there is something not quite right with the router's firewall
policies.

"Ralph Gustavsen" wrote:

>
> I was just curious about the strange UDP packet going out. It looks like a
> NetBIOS packet, I'm just not sure if I should be worried, or reformat.
>
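
The distinction drawn in the reply above (port 137 traffic is normal inside the local subnet, unexpected beyond it) can be checked against a capture. This is an added example, not part of the original thread: it decodes the NetBIOS name-service question in each UDP/137 payload and reports only packets addressed outside the LAN. The `192.168.1.0/24` subnet, the `203.0.113.7` destination and both sample packets are constructed for illustration.

```python
import ipaddress
import struct

QTYPES = {0x0020: "NB (name query)", 0x0021: "NBSTAT (node status)"}

def encode_name(raw16: bytes) -> bytes:
    """RFC 1002 first-level encoding: each nibble of the 16-byte name + 'A'."""
    return bytes(n + 0x41 for c in raw16 for n in (c >> 4, c & 0x0F))

def build_query(raw16: bytes, qtype: int, flags: int) -> bytes:
    """Build a one-question NBNS packet (only used to make the sample data)."""
    header = struct.pack(">HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + b"\x20" + encode_name(raw16) + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_nbns(payload: bytes) -> dict:
    """Decode the header flags and first question of a UDP/137 payload."""
    if len(payload) < 50 or payload[12] != 0x20 or payload[45] != 0x00:
        raise ValueError("not a plain NBNS question")
    _txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    enc = payload[13:45]
    if qdcount < 1 or any(not 0x41 <= b <= 0x50 for b in enc):
        raise ValueError("bad question section")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    qtype = struct.unpack(">H", payload[46:48])[0]
    return {
        "response": bool(flags & 0x8000), "broadcast": bool(flags & 0x0010),
        "name": raw[:15].decode("ascii", "replace").rstrip(" \x00"),
        "suffix": raw[15],
        "qtype": QTYPES.get(qtype, hex(qtype)),
    }

def off_subnet(packets, lan: str) -> list:
    """Return parsed NBNS packets whose destination is outside the LAN."""
    net = ipaddress.ip_network(lan)
    hits = []
    for dst, payload in packets:
        ip = ipaddress.ip_address(dst)
        if ip in net or str(ip) == "255.255.255.255":
            continue  # normal: broadcast or unicast inside the local subnet
        hits.append({"dst": dst, **parse_nbns(payload)})
    return hits

# Constructed sample capture: (destination IP, UDP payload); the LAN range is assumed.
SAMPLE = [
    ("192.168.1.255", build_query(b"FILESERVER".ljust(15) + b"\x20", 0x0020, 0x0110)),
    ("203.0.113.7", build_query(b"*".ljust(16, b"\x00"), 0x0021, 0x0000)),
]

if __name__ == "__main__":
    print(off_subnet(SAMPLE, "192.168.1.0/24"))
```

The decoded question type and name show what the host was asking for, which is more useful when reviewing router egress rules than the port number alone.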
 