Unknown Outgoing Connections on UDP Port 137

My firewall is showing outgoing connections on port 137 to a variety of external IP addresses (about 15 or so), none of which are familiar. This leads me to believe something rogue is running, but I've done a virus scan, Spybot, Ad-Aware, Defender, etc. and nothing is showing up.

I ran TCPView and the only process that is using that port is "System:4" ... That process is using the other NetBIOS ports 138 and 139 too. I don't believe I have any need for NetBIOS, but before turning it off or blocking this port altogether, I'd like to get to the bottom of what is going on.

Any suggestions?

Asked by Tom F (I.T. and Support Staff Manager)

johnb6767 commented:
Have you looked into the remote addresses to resolve what types of sites they are?
johnb6767 commented:
SYSTEM is normal to have some connections established/listening...

Definitely don't think a NetBIOS connection should be going out to the internet. Try enabling the SP2 firewall and enabling its log; you might be able to find out more about what is launching this....
Tom F (author) commented:
I tried WHOIS - 3 of them are in a Microsoft block of IPs? Some others include AT&T, Level 3, and Akamai.
johnb6767 commented:
I would disable it....
Tom F (author) commented:
As I mentioned in the OP, I can disable/block that port altogether, but I'd really like to identify the cause first.
johnb6767 commented:
Wireshark: Go deep.
http://www.wireshark.org/

Run a sniff on the line, to see if you can read the packets and get more info.....
Tom F (author) commented:
They are all labeled "Name query NBSTAT".

They all contain:

0000  00 90 7f 3e 31 a4 00 19  d1 26 95 bc 08 00 45 00   ...>1... .&....E.
0010  00 4e e4 7e 00 00 80 11  6b 7f 0a 00 00 20 df 01   .N.~.... k.... ..
0020  01 80 00 89 00 89 00 3a  2d 99 a7 f4 00 00 00 01   .......: -.......
0030  00 00 00 00 00 00 20 43  4b 41 41 41 41 41 41 41   ...... C KAAAAAAA
0040  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41   AAAAAAAA AAAAAAAA
0050  41 41 41 41 41 41 41 00  00 21 00 01               AAAAAAA. .!..    
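Decoding the captured frame, as an added example that is not part of the original thread: the hex dump below is the one posted above, and the decoder is a minimal hand-rolled Ethernet/IPv4/UDP/NBNS (RFC 1001/1002) parser, not a Wireshark API. It shows what the packet actually asks for and whether the destination is outside private address space.

```python
"""Decode an NBNS "Name query NBSTAT" frame from a Wireshark hex dump.

Added example; the frame is the one posted in the thread, the decoder is a
minimal hand-written one (Ethernet -> IPv4 -> UDP -> NBNS question section).
"""
import ipaddress
import struct

# Hex dump copied from the thread.  Wireshark's "Copy as Hex Dump" layout is:
# 4-digit offset, two spaces, 16 hex bytes (extra space after the 8th), then
# three spaces and an ASCII column.  The ASCII column is ignored below.
HEX_DUMP = """\
0000  00 90 7f 3e 31 a4 00 19  d1 26 95 bc 08 00 45 00   ...>1... .&....E.
0010  00 4e e4 7e 00 00 80 11  6b 7f 0a 00 00 20 df 01   .N.~.... k.... ..
0020  01 80 00 89 00 89 00 3a  2d 99 a7 f4 00 00 00 01   .......: -.......
0030  00 00 00 00 00 00 20 43  4b 41 41 41 41 41 41 41   ...... C KAAAAAAA
0040  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41   AAAAAAAA AAAAAAAA
0050  41 41 41 41 41 41 41 00  00 21 00 01               AAAAAAA. .!..
"""

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
NBNS_QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}  # RFC 1002 question types


def hexdump_to_bytes(dump: str) -> bytes:
    """Take only the hex column (characters 6..53) of each line; the ASCII
    column can itself look like hex, so it must not be parsed."""
    out = bytearray()
    for line in dump.splitlines():
        if line.strip():
            out += bytes.fromhex(line[6:54])
    return bytes(out)


def decode_nbns_name(buf: bytes, pos: int) -> tuple:
    """First-level decoding (RFC 1001 14.1): every nibble of the 16-byte
    NetBIOS name is sent as 'A' + nibble, giving a 32-character label."""
    length = buf[pos]
    pos += 1
    encoded = buf[pos:pos + length]
    pos += length
    while buf[pos] != 0:          # skip any scope labels
        pos += 1 + buf[pos]
    pos += 1                      # terminating zero byte
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, len(encoded), 2))
    name = raw[:15].rstrip(b" \x00").decode("ascii", "replace")
    suffix = raw[15]              # 16th byte is the service suffix (<00>, <20>, ...)
    return name, suffix, pos


def parse_nbns_frame(frame: bytes) -> dict:
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_UDP:
        raise ValueError("not UDP")
    src = ipaddress.ip_address(ip[12:16])
    dst = ipaddress.ip_address(ip[16:20])
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    payload = udp[8:ulen]
    tid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    name, suffix, pos = decode_nbns_name(payload, 12)   # question follows 12-byte header
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {
        "src": str(src), "dst": str(dst), "sport": sport, "dport": dport,
        "transaction_id": tid,
        "opcode": (flags >> 11) & 0xF,        # 0 = query
        "broadcast": bool(flags & 0x0010),    # B bit clear = unicast query
        "questions": qdcount,
        "qtype": NBNS_QTYPES.get(qtype, hex(qtype)),
        "name": name, "suffix": suffix,
        # "*" with suffix <00> is the wildcard node-status request
        "wildcard": name == "*" and suffix == 0x00,
        # anything not private/loopback/link-local/multicast is leaving the LAN
        "egress": not (dst.is_private or dst.is_loopback
                       or dst.is_link_local or dst.is_multicast),
    }


def analyze_dump(dump: str) -> dict:
    return parse_nbns_frame(hexdump_to_bytes(dump))


def describe(info: dict) -> str:
    what = ("wildcard node-status request (what `nbtstat -A <ip>` sends)"
            if info["wildcard"]
            else f"lookup of NetBIOS name {info['name']!r}<{info['suffix']:02x}>")
    where = "leaves the LAN" if info["egress"] else "stays on private address space"
    return (f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']} "
            f"NBNS {info['qtype']} {what}; {where}")


if __name__ == "__main__":
    print(describe(analyze_dump(HEX_DUMP)))
```

The 32-character label "CKAAAA..." decodes to "*" followed by fifteen zero bytes, and the question type 0x0021 is NBSTAT, so each of these packets is a unicast node-status ("who are you?") request, the same thing `nbtstat -A <ip>` sends when it asks a host for its NetBIOS name table. The destination here (223.1.1.128) is not in private address space, which is why the firewall sees it as an outbound internet connection. Windows sends this request when it tries to turn an IP address into a name and DNS cannot, so a packet like this by itself indicates a reverse lookup, not a payload.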
johnb6767 commented:
start>run>cmd

nbtstat -c
nbtstat -s

Can you paste the output please?
johnb6767 commented:
My mistake...

nbtstat -S    <~~~ notice the capital S....
Tom F (author) commented:
Node IpAddress: [10.0.0.32] Scope Id: []

                  NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    ------------------------------------------------------------
    CASTOR.ISA.COM <20>  UNIQUE          10.0.0.11           325



C:\Documents and Settings\etf>nbtstat -S

Local Area Connection:
Node IpAddress: [10.0.0.32] Scope Id: []

    No Connections
Tom F (author) commented:
Well, I seem to have corrected the problem, but if you can help me understand what was going on (as a learning experience) I'd be grateful.

In the advanced TCP/IP properties for that connection, on the WINS tab, the default NetBIOS setting was selected. Disabling NetBIOS over TCP/IP made those connections disappear.
johnb6767 commented:
Really can't.

Shouldn't go across the WAN; always thought they were supposed to stay internal.....
jsiwek commented:
Although this question has been closed for some time, I just wanted to add this comment in case others out there were banging their head against the wall like I was, thinking they had a server that had been compromised in some way.

I had a new Windows 2008 R2 server with IIS7 and began to see outgoing UDP packets on port 137 being blocked and logged by our firewall. It was happening intermittently when a user would connect to our web server, with no apparent pattern.

I finally traced it back to the Performance Monitor. For some reason, perfmon is attempting a reverse DNS lookup for every user that connects to our web site. For the reverse DNS lookups that fail, it would attempt a NETBIOS-NS (Windows name) lookup on port 137.  When I closed Perfmon, the traffic on port 137 stopped. When I started it back up again, they returned.

I have no idea why Perfmon would be attempting a reverse DNS lookup for every web user connection - that investigation begins now.  But, at least now I know that it is not a virus, worm or some sort of compromised security mechanism.

I hope this helps!
Tom F (author) commented:
Thanks for the info jsiwek.  I'd be curious to learn of your findings.
jsiwek commented:

In the Windows Reliability and Performance Monitor, there is a Network resource view that shows all the current connections to the server, and by default shows the reverse DNS or netbios-NS value of the user. So unfortunately it looks like the gethostbyaddr() function is embedded in its core functionality.

There is also a "Failed DNS Resolutions" counter for the Microsoft Firewall Service in performance monitor.

I do not think there is a way to modify this behavior. If anyone knows how to configure the performance monitor through a config utility or registry entries, please let us know.

Thanks!
jsiwek commented:

You can run perfmon.exe /sys from the command line (or a shortcut to perfmon.exe) and it will open Performance Monitor only.

HOWEVER, there is no way to save the performance counters in perfmon.exe. Ridiculous. Anyway, what I have done for now is saved a version with all my counters with the full Reliability & Performance Monitor, and I just copy & paste the counters from that into my perfmon instance and leave it open. If I reboot, I just have to copy all the counters again instead of having to remember all of them every time.