Security Basics mailing list archives

Re: UDP Port 137 Question


From: JGrimshaw () ASAP com
Date: Wed, 21 Jan 2004 08:33:12 -0600

I am thinking that is the NetBIOS name resolution attempting to do just 
that.

If you unclick the check boxes to use NetBIOS for name resolution on the 
servers that are doing this, the problem might stop. 

If your network is dependent on WINS, though, then you may have problems 
if everything internal isn't listed in a DNS server somewhere.  Even 
though these were public addresses the servers attempted to resolve, who 
knows what internal lookups they are doing. 





"John Smithson" <why1234 () hotmail com> 
01/20/2004 02:16 PM

To: security-basics () securityfocus com
cc:
Subject: UDP Port 137 Question

Gurus,

I have a couple of servers that are constantly trying to go outbound on UDP 
Port 137 (Nbname).  The event is occurring 4-5 times per second.  All 
outbound traffic is being dropped by my firewall.  However, I am just trying 
to find out what is the reason -

I have AV on the server with latest definition - I have run manual AV Scan - 
I have run Welchia / Nimda / etc removal tool - I have run Spyware removal 
tool - All of them come up clean. The outbound addresses are for example: 
156.67.52.182 to 156.67.52.204 --- 9.108.180.138-154 -- 145.46.77.202-241 - 
There are more of these network ranges (I have already done whois on all 
these IP ranges)

Oh yeah - the servers are Win2k with SP3 or Win2k with SP4 with latest HF.

Please help me to isolate what I am facing.  This should not be a normal 
traffic pattern, since only a couple of my servers are producing this 
traffic.

TIA





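One way to check the reply's NetBIOS name resolution hypothesis against a packet capture (an added example, not part of either message): decode the payload of the dropped UDP 137 packets and see what kind of name-service request they carry. The two payloads are constructed samples, and `FILESRV01` and all function names are assumptions.

```python
import struct

QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}  # question types from RFC 1002

def encode_nb_name(raw16: bytes) -> bytes:
    """First-level encoding: each nibble becomes a letter 'A'..'P' (sample builder only)."""
    return bytes(0x41 + n for c in raw16 for n in (c >> 4, c & 0x0F))

def decode_nb_name(enc: bytes):
    """Reverse the encoding; returns (name, suffix byte)."""
    if len(enc) != 32 or any(not 0x41 <= b <= 0x50 for b in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]

def parse_nbns_query(payload: bytes) -> dict:
    """Parse a single-question, unscoped NetBIOS name service request."""
    if len(payload) < 50:  # 12-byte header + 34-byte name + type + class
        raise ValueError("shorter than header plus one question")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question request")
    if payload[12] != 0x20 or payload[45] != 0x00:
        raise ValueError("unexpected name length or scope ID present")
    name, suffix = decode_nb_name(payload[13:45])
    qtype = struct.unpack("!H", payload[46:48])[0]
    return {"txid": txid, "broadcast": bool(flags & 0x0010), "name": name,
            "suffix": suffix, "qtype": QTYPES.get(qtype, hex(qtype))}

def classify(payload: bytes) -> str:
    q = parse_nbns_query(payload)
    if q["qtype"] == "NBSTAT" and q["name"] == "*":
        return "node-status lookup of the destination IP (IP-to-name resolution)"
    if q["qtype"] == "NB":
        return f"name query for {q['name']}<{q['suffix']:02X}>"
    return f"other request type {q['qtype']}"

def build(flags: int, raw16: bytes, qtype: int) -> bytes:
    """Build a constructed sample request (transaction ID is arbitrary)."""
    return (struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0) + b"\x20"
            + encode_nb_name(raw16) + b"\x00" + struct.pack("!HH", qtype, 1))

# Constructed samples: wildcard node-status request, and a broadcast name query.
SAMPLE_STATUS = build(0x0000, b"*" + b"\x00" * 15, 0x0021)
SAMPLE_NAME = build(0x0110, b"FILESRV01".ljust(15) + b"\x20", 0x0020)

if __name__ == "__main__":
    for sample in (SAMPLE_STATUS, SAMPLE_NAME):
        print(classify(sample))
```

Payloads that classify as node-status lookups mean the server is asking the remote address for its NetBIOS name table, which points the investigation at whatever process on the server is handling those addresses.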

