Tons of Netbios 137 connections outbound?

By SirEvan
in Smart Home, Network & Security

 Share

Recommended Posts

Grand Master

SirEvan

Posted
Posted

I run peerblock on my home server to cut down on the spam traffic I get (run my own mail server). It works well, but I've noticed lately tons of outgoing connections on port 137 (netbios). What's strange though is that none of these connections show up in TCPView or Resource Monitor (win 2k8r2).

post-26332-0-55712800-1333059318.png

I've tried shutting off peerblock, and checking TCPView and RM, but still do not see any outgoing 137 connections, only when PB is up. The countries listed worry me somewhat (china, iran, saudi arabia, russia, etc) but I've done everything from Malware checks to antivirus scans, nothing comes up.

Google produces no results for the cause of this, so wondering if anyone has any ideas?

Link to comment
Share on other sites
Enthusiast

Ntrstd

Posted
Posted

I run peerblock on my home server to cut down on the spam traffic I get (run my own mail server).

Many people claim this program is more trouble than it's worth. But the idea is sound. Would Spam Assassin would be more useful? Many ISPs use it.

http://spamassassin.apache.org/

It works well, but I've noticed lately tons of outgoing connections on port 137 (netbios). What's strange though is that none of these connections show up in TCPView or Resource Monitor (win 2k8r2).

I can't see anything that says TCPView monitors NETBIOS (NETBEUI) packets. It only seems to do TCP (and UDP)? Does that mean it only does TCP/IP? I can't tell. I keep NETBEUI disabled on my XP computer. I used to get lots of stray NETBEUI packets from Korea.

A search for

port 137

gave me plenty of info.

http://www.grc.com/port_137.htm

Some packet monitoring programs only show successful connections, or ones where a packet is returned.

Have you tried WireShark (used to be called Ethereal)?

I've tried shutting off peerblock, and checking TCPView and RM, but still do not see any outgoing 137 connections, only when PB is up.

I guess this is PB trying to link to other PB servers to update its ban lists.

The countries listed worry me somewhat (china, iran, saudi arabia, russia, etc) but I've done everything from Malware checks to antivirus scans, nothing comes up.

These countries are know for P2P servers as well as spambots.

Google produces no results for the cause of this, so wondering if anyone has any ideas?

It might be normal behaviour for PB. Maybe it's just trying to get in touch with other PB computers.

Link to comment
Share on other sites
Grand Master

SirEvan

Posted
  • Author
Posted

solved. Turned out to be an issue either with a hyper-v vm or the network card. Removing the network card from the Hyper-v networking pool stopped the connections

Link to comment
Share on other sites
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

I keep NETBEUI disabled on my XP computer

Your confusing protocols here -- netbios is NOT netbeui, netbios use to run over netbeui sure back in the day when that was actually an active protocol.

As to 137 packets -- you prob did not see them in net tcpview because its normally udp packets. I would have to assume some form of name resolution windows was trying to do.

What you should of done is take a sniff to see what was going on and the details of the packets that were going out on 137.

Link to comment
Share on other sites
  • 2 months later...
Grand Master

SirEvan

Posted
  • Author
Posted

Many people claim this program is more trouble than it's worth. But the idea is sound. Would Spam Assassin would be more useful? Many ISPs use it.

http://spamassassin.apache.org/

I can't see anything that says TCPView monitors NETBIOS (NETBEUI) packets. It only seems to do TCP (and UDP)? Does that mean it only does TCP/IP? I can't tell. I keep NETBEUI disabled on my XP computer. I used to get lots of stray NETBEUI packets from Korea.

A search for

port 137

gave me plenty of info.

http://www.grc.com/port_137.htm

Some packet monitoring programs only show successful connections, or ones where a packet is returned.

Have you tried WireShark (used to be called Ethereal)?

I guess this is PB trying to link to other PB servers to update its ban lists.

These countries are know for P2P servers as well as spambots.

It might be normal behaviour for PB. Maybe it's just trying to get in touch with other PB computers.

I forgot to mention that I do run spamassassin as well, but when I get spam from multiple :25 connections on the same /24 subnet, I go and then block that subnet completely, because where there's spam, there could be other things lurking that may try and connect over other ports. That, and I never have any business with countries like Russia, Iran, North Korea, Libya, etc...so I use Peerblock to block the entire set of countries so that they can't connect to me

Link to comment
Share on other sites
This topic is now closed to further replies.
 Share
Go to topic listing