RE: UDP Port 137 Question

[Darrell Porter <dporter () cpp com>]

Well, the real solution is to stop running Microsoft operating systems. :P

Seriously though, constant vigilance is a good start.  If you maintain a
baseline of the activity your servers do normally, you can more easily spot
abnormalities before they cause you too much grief (or as happened to one of
my colleagues, before the FBI comes knocking on your door for having a
machine that continuously tried hacking them).

Darrell Porter
Director of Network Operations
CPP, Inc.
Davies-Black Publishing
http://www.cpp.com
800-624-1765

This email, and any files transmitted with it are confidential and intended
solely for the use of the addressee. This email may contain information
protected by attorney-client privilege. If you are not the intended
addressee, then you have received this email in error and that any use,
dissemination, forwarding, printing, or copying of this email is strictly
prohibited. 

CPP, Inc. will not be held liable to any person resulting from the use of
any information contained in this email. CPP, Inc. will not be liable to any
person who adds or deletes information contained in this email, and will not
be held liable to any person as a result of any additions or deletions of
information originally contained in this email.

If you received this e-mail in error or are not the intended recipient of
this message, contact the sender, darrell.porter () cpp com and destroy all
copies of this e-mail, including any printed or other physical format.

This e-mail, and any files transmitted with it contain information that is
CONFIDENTIAL AND PROPRIETARY to CPP, Inc.  Unauthorized disclosure of this
information is in violation of the policies and procedures of CPP, Inc. and
the laws of the State of California (California Penal Code Section 502) and
the United States of America (title 18 - Chapter 47, Section 1030)  and
international statues and is subject to criminal and civil penalties. All
information displayed, transmitted or carried on the CPP, Inc. network (CPP)
including, but not limited to, files, e-mail messages, directories, guides,
news articles, opinions, reviews, text, photographs, images, illustrations,
audio clips, video clips, trademarks, service marks and the like,
(collectively the "Content") is protected by copyright and other
intellectual property laws.



-----Original Message-----
From: JGrimshaw () ASAP com [mailto:JGrimshaw () ASAP com]
Sent: Tuesday, January 27, 2004 6:21
To: Darrell Porter
Cc: security-basics () securityfocus com
Subject: RE: UDP Port 137 Question


Thanks Darrell,

That's what I had thought (and posted my views) but the original poster (
"John Smithson" <why1234 () hotmail com>) had never said what the resolution 
was.  There were a number of replies that correlated with the netbios, and 
others that said it may be a virus.  I was just curious to see what the 
actual problem was.

I posted my request for a resolution to the group, as I do not seem to get 
all of the mailing list messages or I get them very delayed sometimes.  I 
didn't want to miss out on it!





Darrell Porter <dporter () cpp com> 
01/26/2004 09:20 PM

To
"'JGrimshaw () ASAP com'" <JGrimshaw () ASAP com>
cc
security-basics () securityfocus com
Subject
RE: UDP Port 137 Question







http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

will be most enlightening.

Computer Browser
The Computer Browser system service maintains an up-to-date list of
computers on your network and supplies the list to programs that request 
it.
The Computer Browser service is used by Windows-based computers to view
network domains and resources. Computers that are designated as browsers
maintain browse lists that contain all shared resources that are used on 
the
network. Earlier versions of Windows programs, such as My Network Places,
the net view command, and Windows Explorer, all require browsing 
capability.
For example, when you open My Network Places on a computer that is running
Microsoft Windows 95, a list of domains and computers appears. To display
this list, the computer obtains a copy of the browse list from a computer
that is designated as a browser.

System service name: BrowserApplication protocol Protocol Ports 
NetBIOS Datagram Service UDP 138 
NetBIOS Name Resolution UDP 137 
NetBIOS Name Resolution TCP 137 
NetBIOS Session Service TCP 139 

-----Original Message-----
From: JGrimshaw () ASAP com [mailto:JGrimshaw () ASAP com]
Sent: Monday, January 26, 2004 9:11
Cc: security-basics () securityfocus com
Subject: Re: UDP Port 137 Question


Hi everyone,

I am curious as to what the resolution for this was.

I did not receive a message that "X" fixed it; did anyone receive one? 





Gurus,

I have couple of servers that are constantly trying to go outbound on UDP 
Port 137 (Nbname).  The event is occurring 4-5 times per second.  All 
outbound traffic is being dropped by my firewall.  However, I am just 
trying 
to find out what is the reason -

I have AV on the server with latest definition - I have ran manual AV Scan 

- 
I have ran Welchia / Nimda / etc removal tool - I have ran Spyware removal 


tool - All of them comes up clean. The outbound address are for example: 
156.67.52.182 to 156.67.52.204 --- 9.108.180.138-154 -- 145.46.77.202-241 
- 
There are more of these network ranges ( I have already done whois on all 
these IP range)

Oh yeah - the servers are Win2k with SP3 or Win2k with SP4 with latest HF.

Please help me to isolate what I am facing?  This should not be a normal 
Traffic Pattern, since only couple of my servers are producing this 
traffic

TIA






---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any 

course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion 
Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
any course! 
----------------------------------------------------------------------------




---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any 
course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
any course!  
----------------------------------------------------------------------------


---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any 
course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
any course!  
----------------------------------------------------------------------------