RE: UDP Port 137 Question

["John Smithson" <why1234 () hotmail com>]

Hello everyone,

I had sent out thanks to everyone email last week- however, so far I did not 
seem to be seen by the newsgroup.  Anyways - here is the result-

Again thanks for everyone's input - I have used Fport and various utilities 
suggested by eveyone - The result was as expeted - 137 was used by the 
"system".  I had disabled the Wins, disabled file and sharing - all other 
suggestions were applied to the server-

The outbound traffic to unknown external IP address still continued.  So we 
had no other option but used the silver bullet - When in doubt wipe it - cut 
loss and move on -

As of now, one server was fresh installed with win2k sp4 - no outbound 
traffic to unknown external IP range, even with File and Print Sharing is 
enable and even with Wins is enable. We will monitor for some time and we 
will work on the second box.

Thanks for your help.


> -----Original Message-----
> From: John Smithson [mailto:why1234 () hotmail com]
> Sent: Tuesday, January 20, 2004 2:16 PM
> To: security-basics () securityfocus com
> Subject: UDP Port 137 Question
>
> Gurus,
>
> I have couple of servers that are constantly trying to go outbound on
> UDP Port 137 (Nbname).  The event is occurring 4-5 times per second.
> All outbound traffic is being dropped by my firewall.  However, I am
> just trying to find out what is the reason -
>
> I have AV on the server with latest definition - I have ran manual AV
> Scan - I have ran Welchia / Nimda / etc removal tool - I have ran
> Spyware removal tool - All of them comes up clean. The outbound address
> are for example:
> 156.67.52.182 to 156.67.52.204 --- 9.108.180.138-154 --
> 145.46.77.202-241 - There are more of these network ranges ( I have
> already done whois on all these IP range)
>
> Oh yeah - the servers are Win2k with SP3 or Win2k with SP4 with latest
> HF.
>
> Please help me to isolate what I am facing?  This should not be a normal
> Traffic Pattern, since only couple of my servers are producing this
> traffic
>
> TIA
>
> _________________________________________________________________
> Let the new MSN Premium Internet Software make the most of your
> high-speed experience.
> http://join.msn.com/?pgmarket=en-us&page=byoa/prem&ST=1
>
>
> ------------------------------------------------------------------------
> ---
> Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off
> any
> course! All of our class sizes are guaranteed to be 10 students or less.
>
> We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion
> Prevention,
> and many other technical hands on courses.
> Visit us at http://www.infosecinstitute.com/securityfocus to get $720
> off
> any course!
> ------------------------------------------------------------------------
> ----
>
>
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
> course! All of our class sizes are guaranteed to be 10 students or less.
> We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
> and many other technical hands on courses.
> Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
> any course!
> ----------------------------------------------------------------------------

_________________________________________________________________
Find high-speed ‘net deals — comparison-shop your local providers here. 
https://broadband.msn.com


---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any 
course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
any course!  
----------------------------------------------------------------------------