Security Basics mailing list archives

RE: UDP Port 137 Question


From: JGrimshaw () ASAP com
Date: Tue, 27 Jan 2004 08:20:52 -0600

Thanks Darrell,

That's what I had thought (and posted my views) but the original poster
("John Smithson" <why1234 () hotmail com>) had never said what the
resolution was.  There were a number of replies that correlated with the
netbios, and others that said it may be a virus.  I was just curious to
see what the actual problem was.

I posted my request for a resolution to the group, as I do not seem to get
all of the mailing list messages or I get them very delayed sometimes.  I
didn't want to miss out on it!





From: Darrell Porter <dporter () cpp com>
Date: 01/26/2004 09:20 PM
To: "'JGrimshaw () ASAP com'" <JGrimshaw () ASAP com>
cc: security-basics () securityfocus com
Subject: RE: UDP Port 137 Question







http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

will be most enlightening.

Computer Browser
The Computer Browser system service maintains an up-to-date list of
computers on your network and supplies the list to programs that request
it. The Computer Browser service is used by Windows-based computers to view
network domains and resources. Computers that are designated as browsers
maintain browse lists that contain all shared resources that are used on
the network. Earlier versions of Windows programs, such as My Network
Places, the net view command, and Windows Explorer, all require browsing
capability. For example, when you open My Network Places on a computer that
is running Microsoft Windows 95, a list of domains and computers appears.
To display this list, the computer obtains a copy of the browse list from a
computer that is designated as a browser.

System service name: Browser

Application protocol        Protocol  Ports
NetBIOS Datagram Service    UDP       138
NetBIOS Name Resolution     UDP       137
NetBIOS Name Resolution     TCP       137
NetBIOS Session Service     TCP       139

-----Original Message-----
From: JGrimshaw () ASAP com [mailto:JGrimshaw () ASAP com]
Sent: Monday, January 26, 2004 9:11
Cc: security-basics () securityfocus com
Subject: Re: UDP Port 137 Question


Hi everyone,

I am curious as to what the resolution for this was.

I did not receive a message that "X" fixed it; did anyone receive one? 





Gurus,

I have a couple of servers that are constantly trying to go outbound on UDP
Port 137 (Nbname).  The event is occurring 4-5 times per second.  All
outbound traffic is being dropped by my firewall.  However, I am just
trying to find out what is the reason -

I have AV on the server with latest definition - I have run manual AV Scan
- I have run Welchia / Nimda / etc removal tool - I have run Spyware
removal tool - All of them come up clean. The outbound addresses are for
example: 156.67.52.182 to 156.67.52.204 --- 9.108.180.138-154 --
145.46.77.202-241 - There are more of these network ranges (I have already
done whois on all these IP ranges)

Oh yeah - the servers are Win2k with SP3 or Win2k with SP4 with latest HF.

Please help me to isolate what I am facing?  This should not be a normal
Traffic Pattern, since only a couple of my servers are producing this
traffic

TIA
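
A triage sketch for the traffic pattern described in the original question, added here as an example and not part of any poster's message: it summarises, per source host, the UDP 137 packets sent to public addresses, with the packet rate and the distinct destination /24 networks. The log line format and the 10.1.1.x source hosts are constructed assumptions; the destination addresses fall in the ranges quoted in the thread.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log. The line format and the 10.1.1.x source
# hosts are assumptions; destinations fall in the ranges quoted in the thread.
SAMPLE_LOG = """\
2004-01-26T09:00:00 DROP UDP 10.1.1.20:137 156.67.52.182:137
2004-01-26T09:00:00 DROP UDP 10.1.1.20:137 156.67.52.183:137
2004-01-26T09:00:00 DROP UDP 10.1.1.20:137 9.108.180.138:137
2004-01-26T09:00:01 DROP UDP 10.1.1.20:137 9.108.180.139:137
2004-01-26T09:00:01 DROP UDP 10.1.1.20:137 145.46.77.202:137
2004-01-26T09:00:01 ALLOW UDP 10.1.1.30:137 10.1.1.255:137
2004-01-26T09:00:01 DROP TCP 10.1.1.30:1044 156.67.52.182:80
2004-01-26T09:00:02 DROP UDP 10.1.1.20:137 145.46.77.203:137
2004-01-26T09:00:02 DROP UDP 10.1.1.20:137 156.67.52.184:137
2004-01-26T09:00:02 DROP UDP 10.1.1.20:137 156.67.52.185:137
"""

def parse_line(line):
    """Split one log line into (timestamp, protocol, source IP, dest IP, dest port)."""
    ts, _action, proto, src, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return (datetime.fromisoformat(ts), proto, src.rsplit(":", 1)[0],
            ipaddress.ip_address(dst_ip), int(dst_port))

def external_nbns_summary(log_text):
    """Per source host: UDP/137 packets sent to public (non-private) addresses."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, src_ip, dst_ip, dst_port = parse_line(line)
        # Broadcasts and WINS lookups on private ranges are skipped here.
        if proto == "UDP" and dst_port == 137 and dst_ip.is_global:
            events[src_ip].append((ts, dst_ip))
    summary = {}
    for src_ip, hits in events.items():
        times = [ts for ts, _ in hits]
        seconds = max((max(times) - min(times)).total_seconds(), 1.0)
        nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for _, ip in hits}
        summary[src_ip] = {
            "packets": len(hits),
            "rate_per_sec": len(hits) / seconds,
            "dest_nets": [str(n) for n in sorted(nets)],
        }
    return summary

if __name__ == "__main__":
    for host, info in external_nbns_summary(SAMPLE_LOG).items():
        print(host, info)
```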





