
Tons of Netbios 137 connections outbound?


6 posts in this topic

Posted

I run peerblock on my home server to cut down on the spam traffic I get (run my own mail server). It works well, but I've noticed lately tons of outgoing connections on port 137 (netbios). What's strange though is that none of these connections show up in TCPView or Resource Monitor (win 2k8r2).

[attached screenshot: post-26332-0-55712800-1333059318.png]

I've tried shutting off peerblock, and checking TCPView and RM, but still do not see any outgoing 137 connections, only when PB is up. The countries listed worry me somewhat (china, iran, saudi arabia, russia, etc) but I've done everything from Malware checks to antivirus scans, nothing comes up.

Google produces no results for the cause of this, so wondering if anyone has any ideas?


Posted

more connections

[attached screenshot: post-26332-0-50543900-1333073183_thumb.p]


Posted

> I run peerblock on my home server to cut down on the spam traffic I get (run my own mail server).

Many people claim this program is more trouble than it's worth. But the idea is sound. Would Spam Assassin be more useful? Many ISPs use it.

http://spamassassin.apache.org/

> It works well, but I've noticed lately tons of outgoing connections on port 137 (netbios). What's strange though is that none of these connections show up in TCPView or Resource Monitor (win 2k8r2).

I can't see anything that says TCPView monitors NETBIOS (NETBEUI) packets. It only seems to do TCP (and UDP)? Does that mean it only does TCP/IP? I can't tell. I keep NETBEUI disabled on my XP computer. I used to get lots of stray NETBEUI packets from Korea.

A search for "port 137" gave me plenty of info.

http://www.grc.com/port_137.htm

Some packet monitoring programs only show successful connections, or ones where a packet is returned.

Have you tried WireShark (used to be called Ethereal)?

> I've tried shutting off peerblock, and checking TCPView and RM, but still do not see any outgoing 137 connections, only when PB is up.

I guess this is PB trying to link to other PB servers to update its ban lists.

> The countries listed worry me somewhat (china, iran, saudi arabia, russia, etc) but I've done everything from Malware checks to antivirus scans, nothing comes up.

These countries are known for P2P servers as well as spambots.

> Google produces no results for the cause of this, so wondering if anyone has any ideas?

It might be normal behaviour for PB. Maybe it's just trying to get in touch with other PB computers.


Posted

Solved. Turned out to be an issue either with a Hyper-V VM or the network card. Removing the network card from the Hyper-V networking pool stopped the connections.


Posted

> I keep NETBEUI disabled on my XP computer

You're confusing protocols here -- NetBIOS is NOT NetBEUI; NetBIOS used to run over NetBEUI, sure, back in the day when that was actually an active protocol.

As to 137 packets -- you probably did not see them in TCPView because they're normally UDP packets. I would have to assume it's some form of name resolution Windows was trying to do.

What you should have done is take a sniff to see what was going on and the details of the packets that were going out on 137.

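The sniff-and-inspect approach suggested above, as an added example that is not from this thread: a small Python decoder for NetBIOS Name Service (UDP 137) query payloads, which shows what a capture filtered on port 137 would reveal, namely which name and which service suffix Windows is trying to resolve, and whether it was a broadcast or a unicast (WINS-style) lookup. The sample packet is constructed inline with the encoder; the function names and the suffix table are my own, not from any tool mentioned in the thread.

```python
import struct

# NetBIOS name suffix byte -> service the name belongs to (constructed lookup table)
SUFFIXES = {0x00: "workstation", 0x03: "messenger", 0x1B: "domain master browser",
            0x1C: "domain controllers", 0x1D: "master browser",
            0x1E: "browser election", 0x20: "file server"}
QTYPES = {0x0020: "NB (name query)", 0x0021: "NBSTAT (node status)"}


def encode_name(name, suffix):
    """First-level encode: 15-char space-padded name + suffix byte, each nibble + 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append(0x41 + (b >> 4))
        enc.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(enc) + b"\x00"   # label length, 32 chars, root scope


def decode_name(data, offset):
    """Reverse the encoding; returns (name, suffix, offset just past the name)."""
    if data[offset] != 32:
        raise ValueError("malformed NetBIOS name label")
    enc = data[offset + 1:offset + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    end = offset + 33
    while data[end] != 0:          # skip any scope-ID labels that follow the name
        end += 1 + data[end]
    return raw[:15].decode("ascii").rstrip(), raw[15], end + 1


def build_query(name, suffix, txid=0x1234, qtype=0x0020, broadcast=True):
    """Constructed sample NBNS query: 12-byte header (RD flag, optional B flag) + one question."""
    flags = 0x0100 | (0x0010 if broadcast else 0)
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name, suffix) + struct.pack(">HH", qtype, 0x0001)


def parse_query(pkt):
    """Parse the UDP payload of a port-137 query into what the host is asking for."""
    txid, flags, qdcount = struct.unpack(">HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question NBNS query")
    name, suffix, off = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack(">HH", pkt[off:off + 4])
    return {"txid": txid, "name": name, "suffix": suffix,
            "service": SUFFIXES.get(suffix, "unknown"),
            "qtype": QTYPES.get(qtype, hex(qtype)),
            "broadcast": bool(flags & 0x0010)}
```

In a real capture, a query for a name with suffix 0x1D or 0x1E is browser-service chatter, while unicast queries with the broadcast bit clear point at a configured WINS server or a stray name-resolution target worth checking.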

Posted

> Many people claim this program is more trouble than it's worth. But the idea is sound. Would Spam Assassin be more useful? Many ISPs use it.
>
> http://spamassassin.apache.org/
>
> I can't see anything that says TCPView monitors NETBIOS (NETBEUI) packets. It only seems to do TCP (and UDP)? Does that mean it only does TCP/IP? I can't tell. I keep NETBEUI disabled on my XP computer. I used to get lots of stray NETBEUI packets from Korea.
>
> A search for "port 137" gave me plenty of info.
>
> http://www.grc.com/port_137.htm
>
> Some packet monitoring programs only show successful connections, or ones where a packet is returned.
>
> Have you tried WireShark (used to be called Ethereal)?
>
> I guess this is PB trying to link to other PB servers to update its ban lists.
>
> These countries are known for P2P servers as well as spambots.
>
> It might be normal behaviour for PB. Maybe it's just trying to get in touch with other PB computers.

I forgot to mention that I do run SpamAssassin as well, but when I get spam from multiple :25 connections on the same /24 subnet, I then go and block that subnet completely, because where there's spam, there could be other things lurking that may try and connect over other ports. That, and I never have any business with countries like Russia, Iran, North Korea, Libya, etc., so I use Peerblock to block the entire set of countries so that they can't connect to me.
