RE: UDP Port 137 Question

[Darrell Porter <dporter () cpp com>]

http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

will be most enlightening.

Computer Browser
The Computer Browser system service maintains an up-to-date list of
computers on your network and supplies the list to programs that request it.
The Computer Browser service is used by Windows-based computers to view
network domains and resources. Computers that are designated as browsers
maintain browse lists that contain all shared resources that are used on the
network. Earlier versions of Windows programs, such as My Network Places,
the net view command, and Windows Explorer, all require browsing capability.
For example, when you open My Network Places on a computer that is running
Microsoft Windows 95, a list of domains and computers appears. To display
this list, the computer obtains a copy of the browse list from a computer
that is designated as a browser.

System service name: BrowserApplication protocol Protocol Ports 
NetBIOS Datagram Service UDP 138 
NetBIOS Name Resolution UDP 137 
NetBIOS Name Resolution TCP 137 
NetBIOS Session Service TCP 139 

-----Original Message-----
From: JGrimshaw () ASAP com [mailto:JGrimshaw () ASAP com]
Sent: Monday, January 26, 2004 9:11
Cc: security-basics () securityfocus com
Subject: Re: UDP Port 137 Question


Hi everyone,

I am curious as to what the resolution for this was.

I did not receive a message that "X" fixed it; did anyone receive one? 





Gurus,

I have couple of servers that are constantly trying to go outbound on UDP 
Port 137 (Nbname).  The event is occurring 4-5 times per second.  All 
outbound traffic is being dropped by my firewall.  However, I am just 
trying 
to find out what is the reason -

I have AV on the server with latest definition - I have ran manual AV Scan 
- 
I have ran Welchia / Nimda / etc removal tool - I have ran Spyware removal 

tool - All of them comes up clean. The outbound address are for example: 
156.67.52.182 to 156.67.52.204 --- 9.108.180.138-154 -- 145.46.77.202-241 
- 
There are more of these network ranges ( I have already done whois on all 
these IP range)

Oh yeah - the servers are Win2k with SP3 or Win2k with SP4 with latest HF.

Please help me to isolate what I am facing?  This should not be a normal 
Traffic Pattern, since only couple of my servers are producing this 
traffic

TIA






---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any 
course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
any course!  
----------------------------------------------------------------------------


---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any 
course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
any course!  
----------------------------------------------------------------------------