Solved

Annoying Windows traffic

Posted on 2004-04-16
Last Modified: 2013-12-04
All

I have the following traffic logged on one of my firewalls:

[16/Apr/2004 10:09:59] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:10.0.0.1:137 -> 218.93.22.170:137, udplen:50
[16/Apr/2004 10:09:59] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:11.0.0.1:137 -> 218.93.22.170:137, udplen:50
[16/Apr/2004 10:10:00] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:10.0.0.1:137 -> 218.93.22.170:137, udplen:50
[16/Apr/2004 10:10:00] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:11.0.0.1:137 -> 218.93.22.170:137, udplen:50

The 10 and 11 IP range NICs are on the machine in question and the 218 address is unrelated to my network. This is obviously annoying windows nbt traffic. The thing is both 10 and 11 NICs have NBT traffic disabled and have nothing but TCP and network monitor services bound to them.

Any thoughts
Cheers

JamesDS

Question by:JamesDS
9 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10843011
As far as I can see, 218.93.22.170 is a Chinese IP number ...

Cleaning your computer - and protecting it in the future - can't be answered with one issue.

As you can see in my URL below there are at least 7 different issues, where you should decide on 1 of each, or else you don't protect your computer at all.

The reason is that the many different programs do not always protect against each other, and each of them doesn't protect equally.

It's very important, that you study all of these issues in my knowledgebase (some of them are freeware):
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html

BTW: I'm using the Trend Micro virus suite, and SoftScan, and haven't got any of my servers or computers infected since 1999.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
 
LVL 16

Author Comment

by:JamesDS
ID: 10843397
trywaredk
Thank you for the comment and the link.
However, I do not believe that this is a virus or spyware.

The traffic logged is from the actual firewall - the 10 and 11 addresses are the IPs of the second and third interfaces on the firewall. Further, the firewall is secured from traffic on these interfaces and cannot be used for browsing the internet. On top of that it has comprehensive 3-layer antivirus, anti-spoofing and does not accept binary headers. Lastly, the machine is baselined against a Virtual Machine and the two systems (with no interconnection) still compare precisely in their files and relevant registry settings.

I believe that the traffic is not the symptom of something nasty but something I can configure out of the OS, hence the question.

Nevertheless, I have run further AD and spyware checks to be sure and can confirm there is nothing on this server that shouldn't be there.

Cheers

JamesDS
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 10844791
Try this to get rid of it:
Click Start, point to Settings, and then click Network Connections.
Right-click the local area connection that you want to be statically configured, and then click Properties.
Click Internet Protocol (TCP/IP), click Properties, click Advanced, and then click the WINS tab.
Click Disable NetBIOS over TCP/IP.


http://support.microsoft.com/default.aspx?scid=kb;EN-US;139608 
NetBIOS name service (UDP 137) is routable as it's wrapped in UDP.
http://www.iss.net/security_center/advice/Exploits/Ports/137/default.htm
A few more things about NetBIOS.
http://support.microsoft.com/default.aspx?scid=kb;en-us;128233
http://support.microsoft.com/default.aspx?scid=kb;EN-US;139608 
-rich
 
LVL 16

Author Comment

by:JamesDS
ID: 10844872
richrumble

yup, done that, see original post: >>both 10 and 11 NICs have NBT traffic disabled

Cheers

JamesDS
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 10845562
To turn NetBIOS off completely, you have to turn off Client for M$ Networks, and File and Print Sharing.
Network Connections, Local Area Connection, Advanced, Advanced Settings. Uncheck the two.

That is the only way to rid yourself completely. This will cause you to not be able to establish SMB connections to other M$ boxes and shares.
http://www.microsoft.com/technet/security/guidance/secmod153.mspx#XSLTsection127121120120

Otherwise, your box will send NetBIOS requests, and you will log them in your FW.
-rich
 
LVL 16

Author Comment

by:JamesDS
ID: 10846615
richrumble

Ta for the link, I may end up using it in the end.

You're technically correct of course on how to kill it completely, but it doesn't explain why I'm getting traffic outbound beyond the network. The Chinese IP is not unique; I see log traffic to 50 different IPs in a 24hr period - with no possibility of a virus and NBT disabled on the external interfaces I am at a loss.

Cheers

JamesDS
 
LVL 20

Expert Comment

by:What90
ID: 10846693
This may sound silly, but have you made any firmware updates to your internet router?
I found a site with odd log warnings and discovered they were using a Netgear router. It was throwing out all sorts of traffic until I shut down a feature set that had come with a new update.
 
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 10847155
You'll note that you've disabled NetBIOS over TCP... UDP is a backup... if that makes sense. UDP is connection-less, which really just means that there is no error correction in the OSI stack. From the IANA pages... http://www.iana.org/assignments/port-numbers
netbios-ns      137/tcp    NETBIOS Name Service    <---
netbios-ns      137/udp    NETBIOS Name Service    <---- both :)
The UDP portion is the default protocol for an SMB attempt... the TCP is the more reliable, and a fall back if UDP fails.
http://www.microsoft.com/technet/security/guidance/secmod153.mspx
http://support.microsoft.com/default.aspx?scid=kb;EN-US;138086  <---- finally found it!
By default Winsock applications that use the gethostbyIP() function with the intention of doing reverse DNS lookups cause NetBIOS Adapter Status (udp/137) probes to be sent to the IP address that is being queried.

whew... I knew it was out there... The remedy we've discussed, or another FW on that offending pc like ZoneAlarm or something.
-rich

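A triage script for the log pattern discussed in this thread, added here as an example and not part of any post above: it parses the firewall's DROP line format quoted in the question, keeps only outbound UDP/137 packets sourced from the firewall's own interface addresses to non-private hosts (the signature of the adapter-status probes the accepted solution describes), and counts destinations so the "50 different IPs in 24hr" claim can be checked from the log itself. The four sample lines are the ones from the question; the fifth is constructed as a non-matching control, and the interface address list is an assumption taken from the question.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Regex for the DROP line format quoted in the question (udplen is absent on non-UDP lines).
LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<action>\w+) "(?P<rule>[^"]+)" packet to (?P<iface>.+?), '
    r'proto:(?P<proto>\w+), len:(?P<len>\d+), '
    r'ip/port:(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)'
    r'(?:, udplen:(?P<udplen>\d+))?'
)

# Firewall interface addresses, as stated by the questioner (assumption: these are the only two).
LOCAL_IPS = ["10.0.0.1", "11.0.0.1"]

# Sample input: four lines from the question plus one constructed TCP control line.
SAMPLE_LOG = [
    '[16/Apr/2004 10:09:59] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:10.0.0.1:137 -> 218.93.22.170:137, udplen:50',
    '[16/Apr/2004 10:09:59] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:11.0.0.1:137 -> 218.93.22.170:137, udplen:50',
    '[16/Apr/2004 10:10:00] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:10.0.0.1:137 -> 218.93.22.170:137, udplen:50',
    '[16/Apr/2004 10:10:00] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:11.0.0.1:137 -> 218.93.22.170:137, udplen:50',
    '[16/Apr/2004 10:10:01] DROP "Constructed" packet to External WAN - Onboard NIC, proto:TCP, len:60, ip/port:10.0.0.1:49152 -> 192.0.2.10:80',
]

def parse_line(line):
    """Parse one log line into a dict, or return None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("len", "sport", "dport", "udplen"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec

def find_nbns_probes(lines, local_ips):
    """Return (matching records, Counter of destination IPs) for outbound UDP/137
    packets whose source is one of our interfaces and whose destination is not private."""
    local = {ip_address(ip) for ip in local_ips}
    hits, dests = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        if rec["proto"] == "UDP" and rec["dport"] == 137 and src in local and not dst.is_private:
            hits.append(rec)
            dests[rec["dst"]] += 1
    return hits, dests

if __name__ == "__main__":
    probes, by_dest = find_nbns_probes(SAMPLE_LOG, LOCAL_IPS)
    print(f"{len(probes)} outbound NBNS probes to {len(by_dest)} distinct hosts")
    for dst, n in by_dest.most_common():
        print(f"  {dst}: {n}")
```

Run it over a full day's log instead of SAMPLE_LOG to see how many distinct hosts are being probed; if every destination is one the firewall itself had reason to reverse-resolve, the KB138086 behaviour is the likely cause rather than a compromised host.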
 
LVL 16

Author Comment

by:JamesDS
ID: 10875865
All

Thanks for the help everyone, points to richrumble for the eventual solution and for the fact that he must have spent ages looking for it!

This link was the clincher: http://www.microsoft.com/technet/security/guidance/secmod153.mspx

Cheers

JamesDS
