UDP 137 port probes
 

Ever since I set up my firewall settings to catch log UDP port opens, I've been getting a lot of UDP 137 port opens when running my Gnutella client (limewire). About every 15 minutes a new one comes in from a different source.

I'm not a TCP expert, 137 is listed as netbios nameserver service in /etc/services. Only two possiblilites come to mind. Either some gnutella client is trying to use this service for some unknown but legitimate purpose, or someone as learned that the gnutella network protocol provides a rich source of IP addresses that can be probed for security holes. The second possibility seems to be the more probable of the two.

Intresting, I dont know what it means but it makes ya wonder....

Heres an example from another thing I have noticed. An ip was nocking at my firewall hours after I was off line but it would increment port numbers each time. Say for example 63.227.9.161:11661 then 63.227.9.161:11662 etc....

I have no idea why..

Sounds like u were being port scanned, its commonly used by hackers to see if u have got any open ports that they can use to get into your system, but seeing as u had a firewall up and running I wouldn't worry too much.
On the UDP port front, just a note TCP and UDP are 2 separate protocols under the connection protocol of IP, so becarefull when looking up the port numbers as u can have 2 different (although unlikely) types of service running on TCP and UDP

Got the following response from one of the ISP's that I reported this to. I guess I can stop worrying about it.

Thank you for your contact.

This is not a probe... A connection from source port 137 to destination
port 137 using the UDP protocol is result of windows networking
misconfiguration.

Excuse the poor gramar and spelling I really am dyslexic.

Well even ISPs run portscans looking for "illegal" servers, and port scanning isn't illegal.
I think your ISP is full of it and trying to alay your fears.
What are the originating IP addresses? Many kiddies run portscans. I am on a cable modem network in a very small town of less than 10,000, I get on average 20 port scans a week. This is mostly L337 Haxor wannabees right here in town. Given the right script tools they can and will hose up your system ask anyone who has been rooted. Usually they are using class 3 or non-routable ip address trying here to sneak into a poorly secured boxes and home networks. The set up of the cable network here allows for these supposed internal or non-routable ips to be used. Your computer should be set to reject all outside class3 ip and outside non-routable addresses as a default, and not running netbios or open windoz shares at all if you don't need them.
Your ISP dosen't give a hoot for a residental accounts security so you have to do it on your own. Some don't give a flying leap for the commercial customers security. You need to learn it and protect your self. If a endloser like me can learn it anyone can. All most ISP care about is the check you send them every month.

this is a windooze box,trying to ask you about your netbios shares. Could be misconfig, could be whatever.

I, anyway, never understood thse guys who connect a windooze box directly to the net... nor people using gnutella on windows... aren't you afraid?

Wow, and I thought the people at hotline were dorks.