Solved

Annoying Windows traffic

Posted on 2004-04-16
Last Modified: 2013-12-04
All

I have the following traffic logged on one of my firewalls:

[16/Apr/2004 10:09:59] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:10.0.0.1:137 -> 218.93.22.170:137, udplen:50
[16/Apr/2004 10:09:59] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:11.0.0.1:137 -> 218.93.22.170:137, udplen:50
[16/Apr/2004 10:10:00] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:10.0.0.1:137 -> 218.93.22.170:137, udplen:50
[16/Apr/2004 10:10:00] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:11.0.0.1:137 -> 218.93.22.170:137, udplen:50

The 10 and 11 IP range NICs are on the machine in question and the 218 address is unrelated to my network. This is obviously annoying Windows NBT traffic. The thing is, both the 10 and 11 NICs have NBT traffic disabled and have nothing but TCP and Network Monitor services bound to them.

Any thoughts?
Cheers

JamesDS

Question by:JamesDS
9 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10843011
As far as I can see, 218.93.22.170 is a Chinese ip-number ...

Cleaning your computer - and protecting it in the future - can't be answered with one issue.

As you can see in my URL below there are at least 7 different issues, where you should decide on 1 of each, or else you don't protect your computer at all.

The reason is that the many different programs don't always protect against each other, and each of them doesn't protect equally.

It's very important, that you study all of these issues in my knowledgebase (some of them are freeware):
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html

BTW: I'm using the Trend Micro virus-suite, and SoftScan , and haven't got any of my servers or computers infected since 1999.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
 
LVL 16

Author Comment

by:JamesDS
ID: 10843397
trywaredk
Thank you for the comment and the link
However, I do not believe that this is a virus or spyware.

The traffic logged is from the actual firewall - the 10 and 11 addresses are the IPs of the second and third interfaces on the firewall. Further, the firewall is secured from traffic on these interfaces and cannot be used for browsing the internet. On top of that it has comprehensive 3 layer antivirus, anti-spoofing and does not accept binary headers. Lastly, the machine is baselined against a Virtual Machine and the two systems (with no interconnection) still compare precisely in their files and relevant registry settings.

I believe that the traffic is not the symptom of something nasty but something I can configure out of the OS, hence the question.

Nevertheless, I have run further AD and spyware checks to be sure and can confirm there is nothing on this server that shouldn't be there.

Cheers

JamesDS
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 1000 total points
ID: 10844791
Try this to get rid of it
Click Start, point to Settings, and then click Network Connections.
Right-click the local area connection that you want to be statically configured, and then click Properties.
Click Internet Protocol (TCP/IP), click Properties, click Advanced, and then click the WINS tab.
Click Disable NetBIOS over TCP/IP.


http://support.microsoft.com/default.aspx?scid=kb;EN-US;139608 
NetBios name service (udp 137) is routable as it's wrapped in udp.
http://www.iss.net/security_center/advice/Exploits/Ports/137/default.htm
A few more things about NetBIOS.
http://support.microsoft.com/default.aspx?scid=kb;en-us;128233
http://support.microsoft.com/default.aspx?scid=kb;EN-US;139608 
-rich
LVL 16

Author Comment

by:JamesDS
ID: 10844872
richrumble

yup, done that, see original post: >>both 10 and 11 NICs have NBT traffic disabled

Cheers

JamesDS
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 1000 total points
ID: 10845562
To turn NetBIOS off completely, you have to turn off Client for M$ Networks, and File and Print Sharing.
Network Connections, Local Area Connection, Advanced, Advanced Settings. Uncheck the two.

That is the only way to rid yourself completely. This will cause you to not be able to establish SMB connections to other M$ boxes and shares.
http://www.microsoft.com/technet/security/guidance/secmod153.mspx#XSLTsection127121120120

Otherwise, your box will send netbios requests, and you will log them in your FW.
-rich
 
LVL 16

Author Comment

by:JamesDS
ID: 10846615
richrumble

Ta for the link, I may end up using it in the end.

You're technically correct of course on how to kill it completely, but it doesn't explain why I'm getting traffic outbound beyond the network. The Chinese IP is not unique; I see log traffic to 50 different IPs in a 24hr period. With no possibility of a virus and NBT disabled on the external interfaces, I am at a loss.

Cheers

JamesDS
 
LVL 20

Expert Comment

by:What90
ID: 10846693
This may sound silly, but have you made any firmware updates to your internet router?
I found a site with odd log warnings and discovered they were using a Netgear router. It was throwing out all sorts of traffic until I shut down the feature set that had come with a new update.
 
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 1000 total points
ID: 10847155
You'll note that you've disabled netbios over TCP... UDP is a backup... if that makes sense. UDP is connection-less, which really just means that there is no Error-Correction in the OSI stack.  From the Iana pages... http://www.iana.org/assignments/port-numbers
netbios-ns      137/tcp    NETBIOS Name Service    <---
netbios-ns      137/udp    NETBIOS Name Service    <---- both :)
The UDP portion is the default protocol for a SMB attempt... the TCP is the more reliable, and a fall back if UDP fails.
http://www.microsoft.com/technet/security/guidance/secmod153.mspx
http://support.microsoft.com/default.aspx?scid=kb;EN-US;138086  <---- finally found it!
By default Winsock applications that use the gethostbyIP() function with the intention of doing reverse DNS lookups cause Netbios Adapter Status (udp/137) probes to be sent to the IP address that is being queried.

whew... I knew it was out there... The remedy we've discussed, or another FW on that offending pc like ZoneAlarm or something.
-rich

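As an added example, not posted by anyone in this thread, the Python below ties the question's log lines to the accepted solution: it parses lines in the exact format of the firewall log quoted at the top, counts per destination the UDP 137->137 drops whose sizes fit one NBNS query inside IPv4+UDP, and builds an RFC 1002 Node Status Request (the "adapter status" probe Rich's KB link describes) for the wildcard name to show that it is exactly the 50-byte UDP payload the log reports (78 = 20 IP + 8 UDP + 50). The sample log is constructed from the question's format; the 203.0.113.9 destination, the later timestamps and the oversized last line are made up for the negative case.

```python
import re
import struct
from collections import Counter

# Constructed sample in the format of the firewall log quoted in the question; the
# 203.0.113.9 destination and the oversized last line are made up for the negative case.
LOG = """\
[16/Apr/2004 10:09:59] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:10.0.0.1:137 -> 218.93.22.170:137, udplen:50
[16/Apr/2004 10:09:59] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:11.0.0.1:137 -> 218.93.22.170:137, udplen:50
[16/Apr/2004 10:10:03] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:10.0.0.1:137 -> 203.0.113.9:137, udplen:50
[16/Apr/2004 10:10:04] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:88, ip/port:10.0.0.1:137 -> 203.0.113.9:137, udplen:60
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<action>\w+) .*?proto:(?P<proto>\w+), len:(?P<len>\d+), '
    r'ip/port:(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+), udplen:(?P<udplen>\d+)'
)
IP_HDR, UDP_HDR = 20, 8  # IPv4 header without options + UDP header

def parse(log):
    """Return one dict per parseable line, with the numeric fields converted."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("len", "sport", "dport", "udplen"):
                d[k] = int(d[k])
            entries.append(d)
    return entries

def nbns_node_status_request(txid=0x1234):
    """RFC 1002 NBNS Node Status Request (the 'adapter status' probe) for the wildcard
    name '*': 12-byte header + 34-byte encoded name + QTYPE NBSTAT + QCLASS IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # opcode QUERY, B=0, 1 question
    name = b"*".ljust(16, b"\x00")                              # 16-byte NetBIOS name, NUL padded
    encoded = bytes(0x41 + n for b in name for n in (b >> 4, b & 0x0F))  # each nibble + 'A'
    question = bytes([len(encoded)]) + encoded + b"\x00" + struct.pack(">HH", 0x0021, 0x0001)
    return header + question

def nbt_probe_hits(entries, probe_len=len(nbns_node_status_request())):
    """Count, per destination, the UDP 137->137 drops whose sizes match exactly one
    single-question NBNS query inside IPv4+UDP, i.e. the probes this thread is about."""
    hits = Counter()
    for e in entries:
        if (e["proto"] == "UDP" and e["sport"] == 137 == e["dport"]
                and e["udplen"] == probe_len and e["len"] == IP_HDR + UDP_HDR + e["udplen"]):
            hits[e["dst"]] += 1
    return hits
```

Running `nbt_probe_hits(parse(LOG))` over a day's log gives the per-destination count of these probes, which is the quickest way to confirm that the "50 different IPs" are all the same 50-byte node-status query rather than anything else leaving on udp/137.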
 
LVL 16

Author Comment

by:JamesDS
ID: 10875865
All

Thanks for the help, everyone. Points to richrumble for the eventual solution and for the fact that he must have spent ages looking for it!

This link was the clincher: http://www.microsoft.com/technet/security/guidance/secmod153.mspx

Cheers

JamesDS