Solved

Annoying Windows traffic

Posted on 2004-04-16
513 Views
Last Modified: 2013-12-04
All

I have the following traffic logged on one of my firewalls:

[16/Apr/2004 10:09:59] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:10.0.0.1:137 -> 218.93.22.170:137, udplen:50
[16/Apr/2004 10:09:59] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:11.0.0.1:137 -> 218.93.22.170:137, udplen:50
[16/Apr/2004 10:10:00] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:10.0.0.1:137 -> 218.93.22.170:137, udplen:50
[16/Apr/2004 10:10:00] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:11.0.0.1:137 -> 218.93.22.170:137, udplen:50

The 10 and 11 IP range NICs are on the machine in question and the 218 address is unrelated to my network. This is obviously annoying Windows NBT traffic. The thing is both 10 and 11 NICs have NBT traffic disabled and have nothing but TCP and network monitor services bound to them.

Any thoughts?
Cheers

JamesDS

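An added example, not part of the original post: a Python script that parses the log format shown above and reports which local interfaces sent NBNS (UDP 137) to globally routable addresses, which is the detection a practitioner would want to run over a full day of this log. The regex field names are mine. The sample log is constructed: it is the four lines from the question plus two made-up lines (a TCP connection and an NBNS query to a private address) whose rule names are invented and which must not be flagged. It also checks that each UDP line's len equals udplen plus the 28 bytes of IPv4 and UDP headers, which holds for every line in the question and confirms a 50-byte UDP payload.

```python
import ipaddress
import re
from collections import defaultdict

# Regex for the firewall log format shown in the question; the field names are mine.
LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<action>\w+) "(?P<rule>[^"]*)" packet to (?P<iface>.+?), '
    r'proto:(?P<proto>\w+), len:(?P<len>\d+), '
    r'ip/port:(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)'
    r'(?:, udplen:(?P<udplen>\d+))?'
)

NBNS_PORT = 137

# Constructed sample: the four lines from the question plus two invented lines
# (a TCP/80 connection and an NBNS query to a private address) that must NOT be flagged.
SAMPLE_LOG = """\
[16/Apr/2004 10:09:59] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:10.0.0.1:137 -> 218.93.22.170:137, udplen:50
[16/Apr/2004 10:09:59] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:11.0.0.1:137 -> 218.93.22.170:137, udplen:50
[16/Apr/2004 10:10:00] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:10.0.0.1:137 -> 218.93.22.170:137, udplen:50
[16/Apr/2004 10:10:00] DROP "AnnoyingLogFiller" packet to External WAN - Onboard NIC, proto:UDP, len:78, ip/port:11.0.0.1:137 -> 218.93.22.170:137, udplen:50
[16/Apr/2004 10:10:01] DROP "ConstructedWebLine" packet to External WAN - Onboard NIC, proto:TCP, len:52, ip/port:10.0.0.1:40001 -> 218.93.22.170:80
[16/Apr/2004 10:10:02] DROP "ConstructedLanLine" packet to Internal LAN, proto:UDP, len:78, ip/port:10.0.0.1:137 -> 192.168.1.5:137, udplen:50
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("len", "sport", "dport", "udplen"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


def udp_lengths_consistent(rec):
    """len must equal 20-byte IPv4 header + 8-byte UDP header + udplen (assumes no IP options)."""
    if rec["proto"] != "UDP" or rec["udplen"] is None:
        return False
    return rec["len"] == 20 + 8 + rec["udplen"]


def nbns_to_internet(log_text, local_ips):
    """Map each local source IP to the sorted list of globally routable hosts it sent NBNS to.

    Only UDP datagrams to port 137 from one of local_ips count, and only when the
    destination is outside RFC 1918, loopback, link-local and other reserved ranges.
    """
    local = {str(ipaddress.ip_address(ip)) for ip in local_ips}
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dport"] != NBNS_PORT:
            continue
        if rec["src"] not in local:
            continue
        if not ipaddress.ip_address(rec["dst"]).is_global:
            continue
        hits[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in sorted(hits.items())}


if __name__ == "__main__":
    report = nbns_to_internet(SAMPLE_LOG, ["10.0.0.1", "11.0.0.1"])
    for src, dsts in report.items():
        print(f"{src} sent NBNS (udp/137) to {len(dsts)} Internet host(s): {', '.join(dsts)}")
```

To run it on a real log, pass the file contents and the firewall's own interface addresses to `nbns_to_internet`; a growing list of distinct destinations per source interface is the signature the later comments in this thread explain.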
Question by:JamesDS
9 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10843011
As far as I can see, 218.93.22.170 is a Chinese ip-number ...

Cleaning your computer - and protecting it in the future - can't be answered with one issue.

As you can see in my url below there are at least 7 different issues, where you should decide 1 of each, or else you don't protect your computer at all.

The reason is, that the many different programs do not always protect against each other, and each of them doesn't protect equally.

It's very important, that you study all of these issues in my knowledgebase (some of them are freeware):
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html

BTW: I'm using the Trend Micro virus-suite, and SoftScan , and haven't got any of my servers or computers infected since 1999.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
 
LVL 16

Author Comment

by:JamesDS
ID: 10843397
trywaredk
Thank you for the comment and the link
However, I do not believe that this is a virus or spyware.

The traffic logged is from the actual firewall - the 10 and 11 addresses are the IPs of the second and third interfaces on the firewall. Further, the firewall is secured from traffic on these interfaces and cannot be used for browsing the internet. On top of that it has comprehensive 3-layer antivirus, anti-spoofing and does not accept binary headers. Lastly, the machine is baselined against a Virtual Machine and the two systems (with no interconnection) still compare precisely in their files and relevant registry settings.

I believe that the traffic is not the symptom of something nasty but something I can configure out of the OS, hence the question.

Nevertheless, I have run further AD and spyware checks to be sure and can confirm there is nothing on this server that shouldn't be there.

Cheers

JamesDS
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 10844791
Try this to get rid of it
Click Start, point to Settings, and then click Network Connections.
Right-click the local area connection that you want to be statically configured, and then click Properties.
Click Internet Protocol (TCP/IP), click Properties, click Advanced, and then click the WINS tab.
Click Disable NetBIOS over TCP/IP.


http://support.microsoft.com/default.aspx?scid=kb;EN-US;139608 
NetBIOS name service (UDP 137) is routable as it's wrapped in UDP.
http://www.iss.net/security_center/advice/Exploits/Ports/137/default.htm
A few more things about NetBIOS.
http://support.microsoft.com/default.aspx?scid=kb;en-us;128233
http://support.microsoft.com/default.aspx?scid=kb;EN-US;139608 
-rich
 
LVL 16

Author Comment

by:JamesDS
ID: 10844872
richrumble

yup, done that, see original post: >>both 10 and 11 NICs have NBT traffic disabled

Cheers

JamesDS
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 10845562
To turn NetBIOS off completely, you have to turn off Client for M$ Networks, and File and Print Sharing.
Network Connections, Local Area Connection, Advanced, Advanced Settings. Uncheck the two.

That is the only way to rid yourself completely. This will cause you to not be able to establish SMB connections to other M$ boxes and shares.
http://www.microsoft.com/technet/security/guidance/secmod153.mspx#XSLTsection127121120120

Otherwise, your box will send netbios requests, and you will log them in your FW.
-rich
 
LVL 16

Author Comment

by:JamesDS
ID: 10846615
richrumble

Ta for the link, I may end up using it in the end.

You're technically correct of course on how to kill it completely but it doesn't explain why I'm getting traffic outbound beyond the network. The Chinese IP is not unique, I see log traffic to 50 different IPs in a 24hr period - with no possibility of a virus and NBT disabled on the external interfaces I am at a loss.

Cheers

JamesDS
 
LVL 20

Expert Comment

by:What90
ID: 10846693
This may sound silly but have you made any firmware updates to your internet router?
I found a site with odd log warnings and discovered they were using a Netgear router. It was throwing out all sorts of traffic until I shut down the feature set that had come with a new update.
 
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 10847155
You'll note that you've disabled netbios over TCP... UDP is a backup... if that makes sense. UDP is connection-less, which really just means that there is no Error-Correction in the OSI stack.  From the IANA pages... http://www.iana.org/assignments/port-numbers
netbios-ns      137/tcp    NETBIOS Name Service    <---
netbios-ns      137/udp    NETBIOS Name Service    <---- both :)
The UDP portion is the default protocol for a SMB attempt... the TCP is the more reliable, and a fall back if UDP fails.
http://www.microsoft.com/technet/security/guidance/secmod153.mspx
http://support.microsoft.com/default.aspx?scid=kb;EN-US;138086  <---- finally found it!
By default, Winsock applications that use the gethostbyIP() function with the intention of doing reverse DNS lookups cause NetBIOS Adapter Status (udp/137) probes to be sent to the IP address that is being queried.

whew... I knew it was out there... The remedy we've discussed, or another FW on that offending pc like ZoneAlarm or something.
-rich

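As an added example (not from the thread, and not Microsoft's code), the packet behind those log entries can be reconstructed from RFC 1002: a NetBIOS node status query, which is what the KB article calls an "adapter status" probe, asks for the wildcard name "*" and consists of a 12-byte header, a 34-byte encoded question name and 4 bytes of type and class, i.e. exactly the 50-byte UDP payload the firewall logged as udplen:50. The Python below builds and parses such packets offline and sends nothing; the transaction ID and the "WORKGROUP" name are made-up sample values. One caveat it makes visible: an ordinary NBNS name query is the same 50 bytes, so the length alone cannot tell the two apart; only the QTYPE field in the payload (0x0021 for node status versus 0x0020 for a name query) can, if the firewall is able to capture it.

```python
import struct

# NBNS question types (RFC 1002 section 4.2.1.2) and the IN class
QTYPE_NB = 0x0020      # name query
QTYPE_NBSTAT = 0x0021  # node status ("adapter status") query
QCLASS_IN = 0x0001

# Header NM_FLAGS bits (RFC 1002 section 4.2.1.1)
FLAG_RD = 0x0100       # recursion desired
FLAG_B = 0x0010        # broadcast


def encode_name(name, suffix=0x00):
    """First-level encoding: a 16-byte NetBIOS name becomes 32 chars in 'A'..'P'.

    Regular names are space-padded to 15 bytes and followed by the suffix byte;
    the wildcard '*' used by node status queries is followed by 15 NUL bytes.
    """
    raw = name.encode("ascii")[:15]
    raw = raw.ljust(15, b"\x00" if name == "*" else b" ") + bytes([suffix & 0xFF])
    out = bytearray()
    for b in raw:
        out.append(ord("A") + (b >> 4))      # high nibble
        out.append(ord("A") + (b & 0x0F))    # low nibble
    return bytes(out)


def decode_name(enc):
    """Inverse of encode_name: 32 encoded chars -> (name, suffix byte)."""
    if len(enc) != 32 or any(c < ord("A") or c > ord("P") for c in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((enc[i] - ord("A")) << 4) | (enc[i + 1] - ord("A")) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def build_query(name, qtype, suffix=0x00, txid=0x1234, flags=0x0000):
    """One-question NBNS query: 12-byte header, 34-byte question name, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1, others 0
    question = b"\x20" + encode_name(name, suffix) + b"\x00"   # length, 32 chars, terminator
    return header + question + struct.pack("!HH", qtype, QCLASS_IN)


def node_status_probe(txid=0x1234):
    """The udp/137 'adapter status' probe: wildcard name, QTYPE NBSTAT, no flags set."""
    return build_query("*", QTYPE_NBSTAT, txid=txid)


def parse_query(pkt):
    """Parse a one-question NBNS query; raises ValueError on anything malformed."""
    if len(pkt) < 50:
        raise ValueError("packet shorter than a one-question NBNS query")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if qdcount != 1 or pkt[12] != 0x20 or pkt[45] != 0x00:
        raise ValueError("not a single-question query with a 32-char name")
    name, suffix = decode_name(pkt[13:45])
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    return {"txid": txid, "flags": flags, "name": name, "suffix": suffix,
            "qtype": qtype, "qclass": qclass}


if __name__ == "__main__":
    probe = node_status_probe()
    print(f"node status probe: {len(probe)} bytes -> {probe.hex()}")
    print(parse_query(probe))
    # A plain broadcast name query for a workgroup's master browser (<1D>) is the same size.
    nq = build_query("WORKGROUP", QTYPE_NB, suffix=0x1D, flags=FLAG_RD | FLAG_B)
    print(f"name query:        {len(nq)} bytes, qtype=0x{parse_query(nq)['qtype']:04x}")
```

The encoded wildcard name comes out as "CK" followed by thirty "A"s, which is the string you will see in a packet capture of these probes; feeding a captured payload to `parse_query` tells you whether a given 50-byte datagram was a node status probe or a name query.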
 
LVL 16

Author Comment

by:JamesDS
ID: 10875865
All

Thanks for the help everyone, points to richrumble for the eventual solution and for the fact that he must have spent ages looking for it!

this link was the clincher: http://www.microsoft.com/technet/security/guidance/secmod153.mspx

Cheers

JamesDS