TCP Port 139
Netbios Session Service is used for resource sharing on Windows 9x, ME and
NT. This is the port that is used to connect file shares for example.
Inbound scans are typically systems which are trying to connect to file
shares that might be available on your system and hence these should be
blocked. While most of this traffic is the result of worms or viruses which
can use open file shares to propagate, they also can be the result of malicious users
attempt to connect to your computer. Once connected they can download,
upload or even delete or edit files on the connected file share.
If you use open file shares (including sharing of printers, etc) on your
local network (LAN), then you should be using a firewall such that your local
file shares are not accessible from the internet.
Connecting to open file shares is likely the easiest and most common hack on
the internet and yet one of the most effective for malicious activities like
identity theft or installing RATs (Remote Access Trojans) to take control of
systems remotely for example.
Outbound scans if occurring in volume should be considered an indication of a
possible worm infection on the source computer and should be investigated.
If there are systems to which you remotely connect to, then those systems should
be marked as trusted IPs within Link Logger such that future authorized events will
logged as normal traffic.
CERT Advisory CA-2003-08 Increased Activity Targeting Windows Shares
Page last updated on
February 09, 2004