TCP Port 139

Common Use

Netbios Session Service is used for resource sharing on Windows 9x, ME and NT.  This is the port that is used to connect file shares for example.

Inbound Traffic

Inbound scans are typically systems which are trying to connect to file shares that might be available on your system and hence these should be blocked.  While most of this traffic is the result of worms or viruses which can use open file shares to propagate, they also can be the result of malicious users attempt to connect to your computer.  Once connected they can download, upload or even delete or edit files on the connected file share.

If you use open file shares (including sharing of printers, etc) on your local network (LAN), then you should be using a firewall such that your local file shares are not accessible from the internet.

Connecting to open file shares is likely the easiest and most common hack on the internet and yet one of the most effective for malicious activities like identity theft or installing RATs (Remote Access Trojans) to take control of systems remotely for example.

Outbound Traffic

Outbound scans if occurring in volume should be considered an indication of a possible worm infection on the source computer and should be investigated.  If there are systems to which you remotely connect to, then those systems should be marked as trusted IPs within Link Logger such that future authorized events will be logged as normal traffic.

Additional Information

CERT Advisory CA-2003-08 Increased Activity Targeting Windows Shares

Page last updated on February 09, 2004