• Status: Solved
  • Priority: Medium
  • Security: Public

Outbound UDP traffic on port 137 and 138 HELP!!

My ISP has sent me a second notice that they see port scanning traffic coming from my public IP.  I have a static address, so I am sure it is my traffic.  They say that it is UDP traffic, but that is about all I have to go on.  I enabled logging for all UDP traffic from the LAN to WAN in my router.  I see several computers flooding traffic to public IPs using UDP on ports 137 and 138.

I have run all Windows updates and run virus scans and haven't come up with anything.  I have run netstat -p udp 1 to try to see any UDP traffic from one of the offending computers, but it never turns up anything.

PLEASE HELP!
UDP-Log.txt
Asked by: tech1984
 
tech1984 (Author) commented:
I blocked all outbound traffic on ports 137 and 138.  This looks like it fixes the problem that the ISP is seeing, but I still need suggestions on finding the source.

Thanks,
 
atlas_shuddered (Sr. Network Engineer) commented:
What type of switch is your router connected to?  Model?  Any open ports on it?
 
tech1984 (Author) commented:
HP ProCurve 1400-24G J9078A (24 port Gig switch).
Yes, I have open ports.
 
atlas_shuddered (Sr. Network Engineer) commented:
Set up a port mirror of the port your router is connected to - to one of your open ports.  To the mirror port, connect a host with a packet sniffer loaded (you may want to try Wireshark as it's open source and free).  Once you've done this, set up a filter in the sniffer limiting your recording to UDP packets only.  From the capture you should be able to see the originating IP/s.


The two ports that you have listed above are generally used by NetBIOS, specifically for file transfer. At the very least, you did the right thing blocking it at the router, as you definitely don't want it chatting to the world.
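
Added example (not part of any post in this thread): one way to summarize the capture suggested above, listing which LAN hosts send UDP 137/138 to addresses outside the LAN and how many destinations each one hits. The CSV layout, the 192.168.1.0/24 subnet, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

NETBIOS_PORTS = {137, 138}                        # the two UDP ports from the thread
LAN = ipaddress.ip_network("192.168.1.0/24")      # assumption: your LAN subnet
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed sample, one packet per line: source IP, destination IP, UDP dst port.
SAMPLE_CAPTURE = """\
192.168.1.23,203.0.113.45,137
192.168.1.23,203.0.113.46,137
192.168.1.23,198.51.100.7,138
192.168.1.23,203.0.113.45,137
192.168.1.40,198.51.100.9,137
192.168.1.40,192.168.1.255,138
192.168.1.51,192.168.1.255,137
192.168.1.51,203.0.113.45,53
192.168.1.23,255.255.255.255,137
"""

def leaves_lan(dst, lan=LAN):
    """True if dst is a unicast address outside the LAN (local broadcasts are normal)."""
    return not (dst in lan or dst.is_multicast or dst == LIMITED_BROADCAST)

def netbios_talkers(capture_text, lan=LAN):
    """Map each LAN source IP to a Counter of off-LAN destinations hit on UDP 137/138."""
    talkers = {}
    for line in capture_text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or not parts[2].isdigit():
            continue                               # blank or malformed line
        try:
            src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
        except ValueError:
            continue                               # field is not an IP address
        if int(parts[2]) in NETBIOS_PORTS and src in lan and leaves_lan(dst, lan):
            talkers.setdefault(str(src), Counter())[str(dst)] += 1
    return talkers

def rank(talkers):
    """Rows of (source, packets, distinct destinations), widest spread first."""
    rows = [(src, sum(c.values()), len(c)) for src, c in talkers.items()]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))

if __name__ == "__main__":
    for src, packets, dests in rank(netbios_talkers(SAMPLE_CAPTURE)):
        print(f"{src}: {packets} packets to {dests} off-LAN destinations")
```

A host that reaches many distinct off-LAN destinations on these ports is the one to examine first; hosts that only send to the subnet broadcast address do not appear in the result.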
 
tech1984 (Author) commented:
I am sorry for the delay in the response... I didn't see the reply.

My router is actually logging the IPs that are generating the traffic.  My problem is that I go to those computers and I can't figure out what in the world is causing it.  I ran some utilities to monitor the traffic and I saw consistent NetBIOS traffic going out, but I don't know why or what process is generating it.

Any ideas on how to track this down?
 
atlas_shuddered (Sr. Network Engineer) commented:
Try running these apps on the affected machines:

http://www.pctools.com/spyware-doctor/

http://www.avast.com/

The idea being to run something different than what you have loaded already to get around any circumvention that may already be in place.
 
tech1984 (Author) commented:
It doesn't seem to be much of a problem right now.  When I get some time I will do the suggested.  Thanks for all the help.