Solved

Annoying Windows traffic

Posted on 2004-04-16
9
512 Views
Last Modified: 2013-12-04
All

I have the following traffic logged on one of my firewalls:

[16/Apr/2004 10:09:59] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:10.0.0.1:137 -> 218.93.22.170:137, udplen:50
[16/Apr/2004 10:09:59] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:11.0.0.1:137 -> 218.93.22.170:137, udplen:50
[16/Apr/2004 10:10:00] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:10.0.0.1:137 -> 218.93.22.170:137, udplen:50
[16/Apr/2004 10:10:00] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:11.0.0.1:137 -> 218.93.22.170:137, udplen:50

The 10 and 11 IP range NICs are on the machine in question and the 218 address is unrelated to my network. This is obviously annoying windows nbt traffic. The thing is both 10 and 11 NICs have NBT traffic disabled and have nothing but TCP and network monitor services bound to them.

Any thoughts
Cheers

JamesDS

0
Comment
Question by:JamesDS
9 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10843011
As far as I can see, 218.93.22.170 is a Chinese IP number ...

Cleaning your computer - and protecting it in the future - can't be answered with one issue.

As you can see in my url below there are at least 7 different issues, where you should decide 1 of each, or else you don't protect your computer at all.

The reason is, that the many different programs don't always protect against each other, and each of them doesn't protect equally.

It's very important, that you study all of these issues in my knowledgebase (some of them are freeware):
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html

BTW: I'm using the Trend Micro virus-suite, and SoftScan, and haven't got any of my servers or computers infected since 1999.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 16

Author Comment

by:JamesDS
ID: 10843397
trywaredk
Thank you for the comment and the link
However, I do not believe that this is a virus or spyware.

The traffic logged is from the actual firewall - the 10 and 11 addresses are the IPs of the second and third interfaces on the firewall. Further, the firewall is secured from traffic on these interfaces and cannot be used for browsing the internet. On top of that it has comprehensive 3 layer antivirus, anti-spoofing and does not accept binary headers. Lastly, the machine is baselined against a Virtual Machine and the two systems (with no interconnection) still compare precisely in their files and relevant registry settings.

I believe that the traffic is not the symptom of something nasty but something I can configure out of the OS, hence the question.

Nevertheless, I have run further AD and spyware checks to be sure and can confirm there is nothing on this server that shouldn't be there.

Cheers

JamesDS
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 10844791
Try this to get rid of it
Click Start, point to Settings, and then click Network Connections.
Right-click the local area connection that you want to be statically configured, and then click Properties.
Click Internet Protocol (TCP/IP), click Properties, click Advanced, and then click the WINS tab.
Click Disable NetBIOS over TCP/IP.


http://support.microsoft.com/default.aspx?scid=kb;EN-US;139608
NetBios name service (udp 137) is routable as it's wrapped in udp.
http://www.iss.net/security_center/advice/Exploits/Ports/137/default.htm
A few more things about netbios.
http://support.microsoft.com/default.aspx?scid=kb;en-us;128233
http://support.microsoft.com/default.aspx?scid=kb;EN-US;139608
-rich
0
 
LVL 16

Author Comment

by:JamesDS
ID: 10844872
richrumble

yup, done that, see original post: >>both 10 and 11 NICs have NBT traffic disabled

Cheers

JamesDS
0

 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 10845562
To turn netbios off completely, you have to turn off Client for M$ networks, and file and print sharing.
Network Connections, Local Area Connection, Advanced, Advanced Settings. Uncheck the two.

That is the only way to rid yourself completely. This will cause you to not be able to establish SMB connections to other M$ boxes and shares.
http://www.microsoft.com/technet/security/guidance/secmod153.mspx#XSLTsection127121120120

Otherwise, your box will send netbios requests, and you will log them in your FW.
-rich
0
 
LVL 16

Author Comment

by:JamesDS
ID: 10846615
richrumble

Ta for the link, I may end up using it in the end.

You're technically correct of course on how to kill it completely but it doesn't explain why I'm getting traffic outbound beyond the network. The Chinese IP is not unique, I see log traffic to 50 different IPs in a 24hr period - with no possibility of a virus and NBT disabled on the external interfaces I am at a loss.

Cheers

JamesDS
0
 
LVL 20

Expert Comment

by:What90
ID: 10846693
This may sound silly but have you made any firmware updates to your internet router?
I found a site with odd log warnings and discovered they were using a Netgear router. It was throwing out all sorts of traffic until I shut down the feature set that had come with a new update.
0
 
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 10847155
You'll note that you've disabled netbios over TCP... UDP is a backup... if that makes sense. UDP is connection-less, which really just means that there is no Error-Correction in the OSI stack. From the Iana pages... http://www.iana.org/assignments/port-numbers
netbios-ns      137/tcp    NETBIOS Name Service    <---
netbios-ns      137/udp    NETBIOS Name Service    <---- both :)
The UDP portion is the default protocol for a SMB attempt... the TCP is the more reliable, and a fall back if UDP fails.
http://www.microsoft.com/technet/security/guidance/secmod153.mspx
http://support.microsoft.com/default.aspx?scid=kb;EN-US;138086  <---- finally found it!
By default Winsock applications that use the gethostbyIP() function with the intention of doing reverse DNS lookups cause Netbios Adapter Status (udp/137) probes to be sent to the IP address that is being queried.

whew... I knew it was out there... The remedy we've discussed, or another FW on that offending pc like ZoneAlarm or something.
-rich

0
 
LVL 16

Author Comment

by:JamesDS
ID: 10875865
All

Thanks for the help everyone, points to richrumble for the eventual solution and for the fact that he must have spent ages looking for it!

This link was the clincher: http://www.microsoft.com/technet/security/guidance/secmod153.mspx

Cheers

JamesDS
0