Tons of Netbios 137 connections outbound?

netbios ports

5 replies to this topic

#1 SirEvan

SirEvan

    Neowinian Senior

  • Joined: 17-April 03
  • Location: Santa Clara, CA
  • OS: Windows 8
  • Phone: HTC One (AT&T)

Posted 29 March 2012 - 22:16

I run peerblock on my home server to cut down on the spam traffic I get (run my own mail server). It works well, but I've noticed lately tons of outgoing connections on port 137 (netbios). What's strange though is that none of these connections show up in TCPView or Resource Monitor (win 2k8r2).

netbios.png

I've tried shutting off peerblock, and checking TCPView and RM, but still do not see any outgoing 137 connections, only when PB is up. The countries listed worry me somewhat (China, Iran, Saudi Arabia, Russia, etc.) but I've done everything from Malware checks to antivirus scans, nothing comes up.

Google produces no results for the cause of this, so wondering if anyone has any ideas?


#2 OP SirEvan

SirEvan

    Neowinian Senior

  • Joined: 17-April 03
  • Location: Santa Clara, CA
  • OS: Windows 8
  • Phone: HTC One (AT&T)

Posted 30 March 2012 - 02:06

more connections

Attached Images

  • netbios.png


#3 Ntrstd

Ntrstd

    Neowinian

  • Joined: 29-July 11

Posted 30 March 2012 - 04:04

I run peerblock on my home server to cut down on the spam traffic I get (run my own mail server).


Many people claim this program is more trouble than it's worth. But the idea is sound. Would Spam Assassin be more useful? Many ISPs use it.
http://spamassassin.apache.org/


It works well, but I've noticed lately tons of outgoing connections on port 137 (netbios). What's strange though is that none of these connections show up in TCPView or Resource Monitor (win 2k8r2).


I can't see anything that says TCPView monitors NETBIOS (NETBEUI) packets. It only seems to do TCP (and UDP)? Does that mean it only does TCP/IP? I can't tell. I keep NETBEUI disabled on my XP computer. I used to get lots of stray NETBEUI packets from Korea.
A search for
port 137
gave me plenty of info.
http://www.grc.com/port_137.htm

Some packet monitoring programs only show successful connections, or ones where a packet is returned.
Have you tried WireShark (used to be called Ethereal)?


I've tried shutting off peerblock, and checking TCPView and RM, but still do not see any outgoing 137 connections, only when PB is up.


I guess this is PB trying to link to other PB servers to update its ban lists.


The countries listed worry me somewhat (China, Iran, Saudi Arabia, Russia, etc.) but I've done everything from Malware checks to antivirus scans, nothing comes up.


These countries are known for P2P servers as well as spambots.


Google produces no results for the cause of this, so wondering if anyone has any ideas?


It might be normal behaviour for PB. Maybe it's just trying to get in touch with other PB computers.

#4 OP SirEvan

SirEvan

    Neowinian Senior

  • Joined: 17-April 03
  • Location: Santa Clara, CA
  • OS: Windows 8
  • Phone: HTC One (AT&T)

Posted 30 March 2012 - 04:29

Solved. Turned out to be an issue either with a Hyper-V VM or the network card. Removing the network card from the Hyper-V networking pool stopped the connections.

#5 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 86
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 30 March 2012 - 12:34

I keep NETBEUI disabled on my XP computer

You're confusing protocols here -- netbios is NOT netbeui, netbios used to run over netbeui sure back in the day when that was actually an active protocol.

As to 137 packets -- you prob did not see them in net tcpview because it's normally UDP packets. I would have to assume some form of name resolution windows was trying to do.

What you should have done is take a sniff to see what was going on and the details of the packets that were going out on 137.
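
What a capture of that UDP/137 traffic would let you read, as an added example that is not part of the original thread: a Python parser for a NetBIOS Name Service (RFC 1002) payload that reports the opcode, the broadcast flag and the decoded name being resolved. The sample packet and the host name `MAILSRV01` are constructed for illustration.

```python
import struct

OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}
QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}

def decode_name(label):
    """Undo RFC 1002 first-level encoding: 32 bytes 'A'..'P' -> 16 raw bytes."""
    if len(label) != 32 or any(not 0x41 <= b <= 0x50 for b in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                for i in range(0, 32, 2))
    # 15 space-padded name characters, then a one-byte suffix (service type)
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def parse_nbns(payload):
    """Parse the header and first question of a UDP/137 payload."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte NBNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    info = {"txid": txid,
            "response": bool(flags & 0x8000),
            "opcode": OPCODES.get((flags >> 11) & 0xF, "unknown"),
            "broadcast": bool(flags & 0x0010),
            "questions": qdcount}
    if qdcount == 0:
        return info
    if len(payload) < 50 or payload[12] != 0x20:
        raise ValueError("truncated or malformed question name")
    info["name"], info["suffix"] = decode_name(payload[13:45])
    pos = 45
    while payload[pos] != 0:          # skip optional scope labels
        pos += 1 + payload[pos]
        if pos >= len(payload):
            raise ValueError("unterminated name")
    if len(payload) < pos + 5:
        raise ValueError("missing QTYPE/QCLASS")
    qtype, _qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    info["qtype"] = QTYPES.get(qtype, hex(qtype))
    return info

def _encode(name, suffix):
    """Build an encoded name for the constructed sample below."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0xF)))

# Constructed sample (not from the thread): broadcast query for MAILSRV01<20>
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x0110, 1, 0, 0, 0)
          + b"\x20" + _encode("MAILSRV01", 0x20) + b"\x00"
          + struct.pack("!HH", 0x0020, 0x0001))
```

Calling `parse_nbns(SAMPLE)` returns the fields as a dict; the same function can be fed the UDP payload bytes exported from a packet capture.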

#6 OP SirEvan

SirEvan

    Neowinian Senior

  • Joined: 17-April 03
  • Location: Santa Clara, CA
  • OS: Windows 8
  • Phone: HTC One (AT&T)

Posted 21 June 2012 - 18:51

Many people claim this program is more trouble than it's worth. But the idea is sound. Would Spam Assassin be more useful? Many ISPs use it.
http://spamassassin.apache.org/




I can't see anything that says TCPView monitors NETBIOS (NETBEUI) packets. It only seems to do TCP (and UDP)? Does that mean it only does TCP/IP? I can't tell. I keep NETBEUI disabled on my XP computer. I used to get lots of stray NETBEUI packets from Korea.
A search for
port 137
gave me plenty of info.
http://www.grc.com/port_137.htm

Some packet monitoring programs only show successful connections, or ones where a packet is returned.
Have you tried WireShark (used to be called Ethereal)?




I guess this is PB trying to link to other PB servers to update its ban lists.




These countries are known for P2P servers as well as spambots.




It might be normal behaviour for PB. Maybe it's just trying to get in touch with other PB computers.


I forgot to mention that I do run spamassassin as well, but when I get spam from multiple :25 connections on the same /24 subnet, I go and then block that subnet completely, because where there's spam, there could be other things lurking that may try and connect over other ports. That, and I never have any business with countries like Russia, Iran, North Korea, Libya, etc., so I use Peerblock to block the entire set of countries so that they can't connect to me.


