Outbound UDP traffic on port 137 and 138 HELP!!

My ISP has sent me a second notice that they see port scanning traffic coming from my public IP. I have a static address, so I am sure it is my traffic. They say that it is UDP traffic, but that is about all I have to go on. I enabled logging for all UDP traffic from the LAN to WAN in my router. I see several computers flooding traffic to public IPs using UDP on ports 137 and 138.

I have run all Windows updates and run virus scans and haven't come up with anything. I have run `netstat -p udp 1` to try to see any UDP traffic from one of the offending computers, but it never turns up anything.

PLEASE HELP!
UDP-Log.txt
Asked by: tech1984
 
atlas_shuddered (Sr. Network Engineer) commented:
Try running these apps on the affected machines:

http://www.pctools.com/spyware-doctor/

http://www.avast.com/

The idea being to run something different than what you have loaded already to get around any circumvention that may already be in place.
0
 
tech1984 (Author) commented:
I blocked all outbound traffic on ports 137 and 138.  This looks like it fixes the problem that the ISP is seeing, but I still need suggestions on finding the source.

Thanks,
0
 
atlas_shuddered (Sr. Network Engineer) commented:
What type of switch is your router connected to?  Model?  Any open ports on it?
0

 
tech1984 (Author) commented:
HP ProCurve 1400-24G J9078A (24 port Gig switch).
Yes, I have open ports.
0
 
atlas_shuddered (Sr. Network Engineer) commented:
Set up a port mirror of the port your router is connected to - to one of your open ports. To the mirror port, connect a host with a packet sniffer loaded (you may want to try Wireshark, as it's open source and free). Once you've done this, set up a filter in the sniffer limiting your recording to UDP packets only. From the capture you should be able to see the originating IP/s.

The two ports that you have listed above are generally used by NetBIOS, specifically for file transfer. At the very least, you did the right thing blocking it at the router, as you definitely don't want it chatting to the world.
0
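The per-host tally that the mirrored capture suggested above is meant to give, as an added example (not part of the original thread or any poster's code): it reads a capture saved in classic pcap format and counts, per source IP, UDP packets to ports 137/138 whose destination lies outside private address space. The function names, the list of local networks and the sample capture are assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

NETBIOS_PORTS = {137, 138}  # the two ports named in the thread
# Destinations treated as local (assumption: IPv4 LAN on private address space).
LOCAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "224.0.0.0/4", "255.255.255.255/32")]

def netbios_leakers(pcap):
    """Per-source count of UDP 137/138 packets sent to non-local destinations."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or len(pcap) < 24 or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not untagged IPv4 (VLAN-tagged frames are skipped)
        udp = 14 + (frame[14] & 0x0F) * 4  # offset of the UDP header
        frag = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
        if frame[23] != 17 or frag or len(frame) < udp + 4:
            continue  # not UDP, or a later fragment without a UDP header
        dst = ipaddress.ip_address(frame[30:34])
        dport = struct.unpack("!H", frame[udp + 2:udp + 4])[0]
        if dport in NETBIOS_PORTS and not any(dst in net for net in LOCAL):
            counts[str(ipaddress.ip_address(frame[26:30]))] += 1
    return counts.most_common()

def _frame(src, dst, dport, proto=17):
    """Constructed Ethernet/IPv4/UDP frame; checksums are left at zero."""
    a, b = (ipaddress.ip_address(x).packed for x in (src, dst))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0, a, b)
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHHH", dport, dport, 8, 0)

def sample_pcap():
    """Constructed capture: two leaking hosts plus traffic that must be ignored."""
    pkts = [("192.168.1.23", "203.0.113.9", 137)] * 3 + [
        ("192.168.1.23", "198.51.100.7", 138), ("192.168.1.40", "203.0.113.9", 137),
        ("192.168.1.40", "192.168.1.255", 138),     # LAN broadcast: normal
        ("192.168.1.51", "203.0.113.9", 53),        # other UDP port
        ("192.168.1.23", "203.0.113.9", 137, 6)]    # TCP, not UDP
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (_frame(*p) for p in pkts):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(netbios_leakers(sample_pcap()))
```

On a real capture, pass the file's bytes to `netbios_leakers`; the hosts at the top of the list are the ones to examine first.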
 
tech1984 (Author) commented:
I am sorry for the delay in the response... I didn't see the reply.

My router is actually logging the IPs that are generating the traffic. My problem is that I go to those computers and I can't figure out what in the world is causing it. I ran some utilities to monitor the traffic and I saw consistent NetBIOS traffic going out, but I don't know why or what process is generating it.

Any ideas on how to track this down?
0
 
tech1984 (Author) commented:
It doesn't seem to be much of a problem right now.  When I get some time I will do the suggested.  Thanks for all the help.
0
Question has a verified solution.
