Security Basics mailing list archives

RE: UDP Port 137 Question

From: "Mark A. Villanova" <mark () helixsecurity net>
Date: Thu, 22 Jan 2004 23:44:03 -0600

That's NBT, probably WINS lookups..  Win2k/2003 should be using DNS only
if you ask me.  

Mark Villanova
Mobile: 817.271.6096
mvillanova () stellarconnection com
http://www.stellarconnection.com

-----Original Message-----
From: John Smithson [mailto:why1234 () hotmail com] 
Sent: Tuesday, January 20, 2004 2:16 PM
To: security-basics () securityfocus com
Subject: UDP Port 137 Question

Gurus,

I have couple of servers that are constantly trying to go outbound on
UDP Port 137 (Nbname).  The event is occurring 4-5 times per second.
All outbound traffic is being dropped by my firewall.  However, I am
just trying to find out what is the reason -

I have AV on the server with latest definition - I have ran manual AV
Scan - I have ran Welchia / Nimda / etc removal tool - I have ran
Spyware removal tool - All of them comes up clean. The outbound address
are for example: 
156.67.52.182 to 156.67.52.204 --- 9.108.180.138-154 --
145.46.77.202-241 - There are more of these network ranges ( I have
already done whois on all these IP range)

Oh yeah - the servers are Win2k with SP3 or Win2k with SP4 with latest
HF.

Please help me to isolate what I am facing?  This should not be a normal
Traffic Pattern, since only couple of my servers are producing this
traffic

TIA

_________________________________________________________________
Let the new MSN Premium Internet Software make the most of your
high-speed experience.
http://join.msn.com/?pgmarket=en-us&page=byoa/prem&ST=1


------------------------------------------------------------------------
---
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off
any 
course! All of our class sizes are guaranteed to be 10 students or less.

We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion
Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720
off 
any course!  
------------------------------------------------------------------------
----




---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
course! All of our class sizes are guaranteed to be 10 students or less.
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
and many other technical hands on courses.
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
any course!
----------------------------------------------------------------------------

Current thread:

UDP Port 137 Question John Smithson (Jan 20)
- Re: UDP Port 137 Question JGrimshaw (Jan 21)
- Re: UDP Port 137 Question JGrimshaw (Jan 26)
- <Possible follow-ups>
- Re: UDP Port 137 Question H Carvey (Jan 21)
- Re: UDP Port 137 Question Jeff Friend (Jan 21)
- Re: UDP Port 137 Question H Carvey (Jan 22)
- RE: UDP Port 137 Question Mark A. Villanova (Jan 26)
  - RE: UDP Port 137 Question P Cannon (Jan 27)
    - RE: UDP Port 137 Question Sarbjit Singh Gill (Jan 28)
    - Re: UDP Port 137 Question John LeMay (Jan 28)
- RE: UDP Port 137 Question Darrell Porter (Jan 27)
  - RE: UDP Port 137 Question JGrimshaw (Jan 27)
- RE: UDP Port 137 Question Darrell Porter (Jan 28)
- RE: UDP Port 137 Question Patrick A. Middleton (Jan 28)
- RE: UDP Port 137 Question John Smithson (Jan 28)
- RE: UDP Port 137 Question Depp, Dennis M. (Jan 28)