Net BIOS Sessions

Thread: Net BIOS Sessions

  1. #1
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171

    Net BIOS Sessions

    Every time I come on the net at some point and sometimes more than once my firewall tells me that a Net BIOS Session tried to enter my computer...

    I am not very familiar with computers or the internet.

    I went to DNS on two of these occasions to trace the IP address that came with the alert...and one was an internet provider in Salt Lake City ( 66.219.229.250 ) and the other was an internet provider in Los Angeles ( 216.70.236.200 )...it did not tell me who the last numbers applied to...

    I am not on a network, local or otherwise, this is a home/office personal computer

    My questions are:

    1. is this common for these sessions to come up?
    2. should I allow access?
    3. if it's not common then why is this happening?
    4. and how can I either stop it or track the culprits responsible?

    I am running Windows 2000 Pro service pack 4, with AVG free edition, Adware SE, Spyware Blaster, and a Zone Alarm firewall...80GB...384MB Ram...I don't know really what specs you need.

    Total computer experience about six months...internet about three months.

    Thanks !!!

  2. #2
    Banned
    Join Date
    Sep 2004
    Posts
    145
    I am impressed.


    6 months experience, and has AV, firewall, and patches.... Damn..


    Post the firewall logs. We'll take a look.

  3. #3
    Junior Member
    Join Date
    Dec 2004
    Posts
    3
    My questions are:

    1. is this common for these sessions to come up?
    2. should I allow access?
    3. if it's not common then why is this happening?
    4. and how can I either stop it or track the culprits responsible?
    1. No. If the service was disabled you wouldn't be getting notified by your firewall.

    2. NO!

    3. It's happening because NETBIOS is not disabled.

    4. As long as you have a copy of the logs from the firewall, make sure to send them to the abuse team department through your ISP. Also, make sure to include the type of scan or probe the person did, as well as your time, time zone, time of incident, etc... IMO I don't think it's worth the time or effort to contact the abuse department about an issue like this.

    To disable NETBIOS on your system check out these articles from Microsoft:

    http://search.microsoft.com/search/r...+professional+

    http://support.microsoft.com/default...b;en-us;313314

  4. #4
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    1. No. If the service was disabled you wouldn't be getting notified by your firewall.

    2. NO!

    3. It's happening because NETBIOS is not disabled.
    NetBIOS disabled or not, your firewall will alert you of attempts to open a NetBIOS session. It simply means that someone is trying to open a NetBIOS session with your computer. If you have NetBIOS disabled, you're fine. If you don't have NetBIOS disabled, you're still fine: your firewall seems to do its job (but it's a good idea to disable NetBIOS if you're not using it - use the links IPAdmin provided). In any case, you're fine... NetBIOS attacks are common, and your firewall is blocking them...

  5. #5
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    Thanks Winston, IPAdmin, and Negative

    First...to Winston

    In the log under protocol of 3016 intrusions blocked and 108 rated high it lists three items:
    TCP (flags:s )
    UDP
    ICMP (type8...

    under source DNS there are several different items:
    dialin-166-32.tor...
    dialin-165-32.tor.pr...
    dsl254-013-242.se...
    asnet01-1-122.au...
    outpost3b.pvt.prim...
    mstr81212-37000...
    dev06.stage.uunet...
    80.0/24.
    61-218-145-226.HI
    triton.cdlnet.com.br
    hlst-216-37-159-2...
    dialin-208-32.otta...
    dsl254-089-099.ny
    performance-chec...
    dialin214-67.kitch...

    and a few with nothing and one with my own comp name...but all say incoming...I've blocked 8 since checking this post.

    and thanks, I've got to get a head start on my two daughters 5&7 before they get smarter than the old man !!!

    For...IPAdmin

    I did what you said and both the file & printing and the client boxes were already unchecked...thanks, I didn't know that before.

    To Negative

    Thanks for the " I'm safe report " that's a relief because as you can see I get a lot of these...sometimes one right after another...3016 over 3 mths=about 33 per day

    Now...can you guys enlighten me on what these terms mean, or if there are any I should do something about, and if so, what?

    And Happy New Year !!!!!

    Oh!...while on the subject of security and you are the experts, should I buy a router or is my security sufficient ?

  6. #6
    Senior Member IKnowNot
    Join Date
    Jan 2003
    Posts
    792
    I'm NOT sure if I can help, but I will try ... DISCLAIMER: this is written for someone with little computer knowledge in an attempt that they understand it and become interested in learning more. And I'm drunk again, last day of vacation, so this may be long.

    As for learning, the best thing you can do is search through the forums and read. What you don't understand ( which will probably be most based on what you said ) jot down, search the forums and Google for answers. You will probably find that somewhere, someone else has asked before, or even written a tutorial here on AO. If you can't find it or still don't understand it then many here will attempt to help.

    As for the router: you did not say what type of connection you have, but it does add another layer of security. ( Look up: layered security )

    The NetBIOS: as Negative ( notice the title and greenies? Someone to be respected here, just read past posts to verify ) stated a little differently ... not to worry. It could be a virus or worm trying to scan your network for computers with these services open, could be a script-kiddie, or could be someone who unwittingly has these services turned on and is connected to the same sub-net. It's aggravating, but don't take it personal. ( just to clarify here for those who would ... well, if you are on the Internet, you are on a network. Your ISP may filter some of these services based on their ports, or they may not. Even if they do, you may be on the same subnet with hundreds of others and receive these before they are filtered. )

    I mentioned before you should jot down and look up terms you do not understand, and I mentioned ports. I will try to explain both here:
    Think of your computer as an apartment complex. To send mail to the complex one would have to include on the envelope an address of the complex ( this would be your IP address, usually given to you dynamically through your ISP ( Internet Service Provider through DHCP ) but could be a Static address ( again assigned to you by your ISP, but does not change ). ( Term to look up here " DHCP " )

    If the person sending the mail did not care who received it, they may send a Broadcast ( with just the street or town as the address and " resident " as the recipient ). These would go to everybody in the area, or your sub-net. Then they would wait to see who replies. ( terms to look up here, "subnet mask" which is used to break down addresses into groups and "Broadcast address" )
    Now say they wanted to send it to you. You are in a specific apartment ( port ) in your apartment complex ( IP address: remember, your computer is the entire complex ). Well the apartment complex is BIG, has apartments numbered 1-65535. Now let's say this is a co-op. Some people bought adjoining apartments and combined them into one. So if someone sent the mail to apartment 137, 138, or 139 ( which had been joined ) the mail would go to the same place ( Netbios ).

    In this example ( which I believe has been used many times before but do not know who started it or if I have it the same ) the apartments are assigned in different ways. Apartments ( ports ) are assigned by the landlord ( ports by the IANA ) in a logical manner: permanent residents ( " well known ports" ) are in apartments 0-1023, long term residents ( " registered ports" ) are in apartments 1024-49151, and transients ( "Dynamic and/or Private Ports " ) are those from 49152-65535 ( these usually change as programs open and close ).

    If you think that was complicated, wait, there is more, and here is where it really gets hairy. There are apartments ( or services ) that can help control the flow of mail to specific apartments. You will often see ports 135 ( DCE endpoint resolution ) and 136 ( PROFILE Naming System ) associated with Netbios and RPC ( Remote Procedure Call ). For the scope of this, let's just say that they are associated ( came out of WINS, or Windows Internet Naming Service. If you are building a firewall yourself you should never allow services on any of these ports to enter OR leave your LAN ).

    Terms here to research: netbios
    RPC ( Remote Procedure Call )
    port number
    WINS ( Windows Internet Naming Service )
    LAN ( Local Area Network )
    RPC ( Remote Procedure Call )


    I did not get into " ICMP Type 8 requests ", but that is another term to search and has been discussed heavily on AO before.

    I hope I explained this in a manner which can be understood and showed how to research it further. To quote Tom Liston in the Sans Handler's Diary December 28th 2004
    COMPUTERS ARE NOT APPLIANCES. THEY ARE TOOLS. Tools require that their user be skilled. Tools require education and training to use.
    As for Winston's comment
    6 months experience, and has AV, firewall, and patches.... Damn..
    Egaladeist must have a friend who is an AO member!
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  7. #7
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    Hi, I Know Not !

    I definitely did try to research the answer before posting. I first went to Microsoft TechNet, then I went to Webopedia, then to HowstuffWorks, then I went to Google and searched both "NetBIOS Sessions" and " DNS ", and I posted on two other forums and read maybe twenty articles before posting here.
    None of which explained "incoming" attacks or possible security violations.

    I also checked my IP which is dynamic, and tried to trace the alerts through the DNS station.

    I have standard dial-up.

    And the most popular port of call for these intrusions seems to be port 139...which I also checked on Microsoft TechNet.

    Altogether I spent...and this is not an exaggeration...about five hours trying to solve the problem myself which is why I ended up here. I was not looking for another forum to join...I came by you guys by accident while trying to solve this problem...then I spent another two hours trying to post here after I had registered until I realized that I had to go back and allow cookies which I had done but I must have done it wrong the first time.

    I agree that a person should assist in finding the answer and not just plop down a post and let everyone else do all the work...in fact I have solved many problems myself...but at the same time if there was a problem with my car or my leg I would not try to fix it myself, there are some things better left to the experts who can solve the problem without creating new ones.

    After wasting seven hours on this...seven hours I don't have to waste...I think I did my part or my obligation to try and figure it out for myself.


    You can assume from this point that if I make a post here I have devoted some time to trying to resolve it myself...it may be 30 min or seven hours...but I've made an effort as my time and circumstances allow.


    Right now I am very tired...I wish you a very Happy New Year!!!...I think it's time for me to get a couple hours sleep before the kids get up for breakfast.

    I'm up now and the kids aren't out of bed yet and I'm feeling a little better...I appreciate your help I Know Not especially with you being drunk and me being over-tired...but most of what you said I did find out in my own research...although very informative basic definitions of things did not answer my questions...but I do appreciate the response.

  8. #8
    Senior Member IKnowNot
    Join Date
    Jan 2003
    Posts
    792
    I think you misunderstood! I was not criticizing you in any way, just trying to help. Most people who have had a computer for only six months and been online for only three know very little if anything other than how to send e-mail and chat.

    Since you asked the question, I thought I would try to explain it as well as how to search future topics. If it seemed otherwise I apologize. If I thought your post was out-of-line there would have been no mistake in my feelings, no doubt in my intentions, no chance for misinterpretation: I too am here to learn, and help if I can. ( Oh, another apology, I tend to be long winded, but especially so when I'm drunk! )

    Since my answers were hidden in that novel I wrote:
    1) yes
    2) no
    3) N/A
    4) you have stopped them already, trying to track them down and stop them would be a futile endeavor.

    Again, my intent was that if you knew what they are ( attempts to communicate to those ports ) it would answer your question. ( Most people would think that it is in fact NETBIOS because that is what the firewall says. It is in fact an attempt to communicate on a registered port which the firewall knows is a NETBIOS port. Thus it tells you it is NETBIOS. It may be, as I said, someone connected on the same subnet unknowingly broadcasting netbios requests, or it could be a trojan or worm, etc. looking for vulnerable boxes. )

    There are numerous ports which you absolutely do not want to leave exposed to the Internet, NETBIOS being one ( actually, some ) of them. But Zone alarm will do a pretty good job, I will get back to that.

    You also asked about a router. I asked about the connection because routers are now common-place for cable or DSL ( some DSL modems even include a router built in ) but I do not know of any made for dial-up, though I'm sure they exist somewhere. ( Though I could build one with an old computer and Linux ). Again, as I said, it adds another layer of security. The outside world ( the Internet ) would see the router. Depending on the configuration of the rules ( most now come with some type of firewall built in ) and how it NATed the connections, your computer may not be seen or accessible at all from outside.
    1st layer, router
    2nd layer, router's internal firewall
    3rd layer, computer firewall
    4th layer, computer configuration
    5th layer, up-to-date antivirus software
    6th layer, up-to-date patching of computer software
    7th layer, user knowledge AND correct usage of that knowledge ( how many people who knew not to click on that e-mail attachment did so anyway, FUBARed their computer and infected their entire network? ! )

    Ok, I was sober when I started having just returned from work, but now I am sorry, I apologize again, it is turning out to be long, but if you learn anything here my time will be well spent.


    This list may not be accurate, it is off the top of my head, and some may say #5 and #6 should be reversed, but you get the idea. To help you out with #4 ( computer configuration ) you could search through all the Microsoft sites, etc., but you may want to stop at Black Viper first.

    Getting back to Zone Alarm: You mentioned the logs, but did not say if it was just the logs or you are constantly receiving pop-ups notifying you of attempts. Once you are satisfied it is working the way you want you can set ( under " alerts & logs, main tab ) not to display " informational alerts ". If you have not done so already I would suggest it.

    Let's see, I think two more areas to cover ( not complaining, just reminding you I am still indulging in the consumption of the spirits, definitely needed as it was my first day back to work after vacation )

    " ICMP (type8... " or "Echo" requests ( see ICMP TYPE NUMBERS ). These are common and can vary in intensity during proliferation of certain worms ( MSBLAST, Nachi as example ). Let the firewall block them.

    Last:
    I've got to get a head start on my two daughters 5&7 before they get smarter than the old man !!!

    SOAP BOX TIME:
    Believe me, you are delusional ... they are already smarter but just don't know as much about computers. That will change in a blink-of-an-eye!

    My best advice here, TIFWIWFWIC, ( oh, don't know if that one is recognizable: take it for what it's worth from whence it came ): include them in what you do. Put the computer in a common place. Do not let them use it unsupervised . I have to say that again for emphasis: Do not let them use it unsupervised .
    Just as you would ( should ) read them a book every night, you should spend time with them visiting sites appropriate for their age group, running educational software to help them learn, etc. They see you using the computer and they will be interested in it. They will enjoy your participation ( until they are teens, another story entirely ). Do not discourage them, the skills and knowledge of computers has even now almost become a mandate in society. But be mindful there are aspects of the " Information Age " which could poison the young mind ( Is that not poignantly accurate gore ? )

    Hope this time it helped.

    Basically, if everyone cared about these things as much as you seem to you wouldn't see the problems you see in your logs ( did you read the link I supplied above from SANS ? ). And WELCOME TO A.O. !!! ( forgot to say that before )
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
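
The triage described in posts #6 and #8, as an added example that is not part of the original thread: it maps each blocked inbound entry to what its destination port means (NetBIOS 137-139, RPC 135, IANA port ranges), recognises a TCP SYN and an ICMP type 8 echo request, and computes the per-day rate. The CSV log layout, the sample lines and all function names are assumptions constructed for illustration.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample; assumed layout: direction,date,time,source,destination,protocol
SAMPLE_LOG = """\
FWIN,2004/12/30,21:14:02,192.0.2.10:3312,10.0.0.5:139,TCP (flags:S)
FWIN,2004/12/30,21:14:05,192.0.2.10:3313,10.0.0.5:139,TCP (flags:S)
FWIN,2004/12/30,22:40:11,198.51.100.7:1027,10.0.0.5:137,UDP
FWIN,2004/12/31,09:02:47,192.0.2.44:0,10.0.0.5:0,ICMP (type:8/subtype:0)
FWIN,2004/12/31,09:30:00,198.51.100.7:4444,10.0.0.5:135,TCP (flags:S)
FWIN,2004/12/31,10:15:33,203.0.113.9:2201,10.0.0.5:50000,UDP
"""

# Ports named in the thread, with their IANA service descriptions.
SERVICES = {
    135: "port 135 (DCE endpoint resolution / RPC)",
    137: "port 137 (NetBIOS name service)",
    138: "port 138 (NetBIOS datagram service)",
    139: "port 139 (NetBIOS session service)",
}

def port_range(port):
    """IANA range for a port number, as laid out in post #6."""
    if port <= 1023:
        return "well-known"
    return "registered" if port <= 49151 else "dynamic/private"

def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); port is None when absent."""
    host, _, port = endpoint.rpartition(":")
    return (host, int(port)) if host else (endpoint, None)

def describe(protocol, dst_port):
    """Turn a protocol field and destination port into a plain description."""
    proto = protocol.split()[0].upper()
    if proto == "ICMP":
        m = re.search(r"type:?\s*(\d+)", protocol)
        icmp_type = m.group(1) if m else "unknown"
        return "ICMP echo request (ping)" if icmp_type == "8" else f"ICMP type {icmp_type}"
    service = "unknown port" if dst_port is None else SERVICES.get(
        dst_port, f"port {dst_port} ({port_range(dst_port)} range)")
    # A lone SYN flag is the first packet of a TCP connection attempt.
    if proto == "TCP" and re.search(r"flags:\s*S\b", protocol, re.I):
        return f"TCP connection attempt (SYN) to {service}"
    return f"{proto} packet to {service}"

def parse_log(text):
    """Return one dict per blocked inbound (FWIN) record."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 6 or row[0] != "FWIN":
            continue  # ignore anything that is not an inbound-block record
        _, date, _, src, dst, protocol = row
        entries.append({"date": date, "source": split_endpoint(src)[0],
                        "what": describe(protocol, split_endpoint(dst)[1])})
    return entries

def summarize(entries):
    """Count entries per description and average blocked entries per day."""
    by_kind = Counter(e["what"] for e in entries)
    days = {e["date"] for e in entries}
    return by_kind, (len(entries) / len(days) if days else 0.0)
```

Calling `summarize(parse_log(SAMPLE_LOG))` returns the per-description counts and the daily average for the sample.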

  9. #9
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    Hello, I Know Not !!!

    No need to apologise for anything my friend. I've been suffering from an extreme lack of sleep lately so my responses probably reflect that.
    I went out and bought a cheap used computer about 6 mths ago, upgraded it and spent the first 3 mths trying to figure it out...when I went on the net I almost immediately started to look for these kinds of forums to learn more. It's a little odd for me because most of the experts on these forums are younger than my son (24) and in some cases as young as 14 ( can you imagine being 17 in grade 12 and on the first day of school you discover when you go to math class your teacher is eight years old )...so I'm kinda out of my element in more ways than one.


    Yes I have gone to Black Viper but he doesn't accept e-mails anymore but I did print off the 45 page configuration list he had...and I do need to correct a couple of things but my problem is I don't know how to change the settings. And I notice I have some items that are not even on his list.

    I just upgraded Zone Alarm and I do have information pop-ups on "not to display"...of the now 3288 attempted intrusions about 99% of them have been the TCP (flags:s) type and most of the rest UDP with only a few ICMP.

    Yeh...you're probably right about being delusional ...it amazes me how smart the kids on these forums are and how young some are...when I was fourteen it definitely was a different world.

    Thanks for the welcome!!!

    I don't know if this means anything or not but I've been checking my system information out piece by piece to see if anything looks out of place...in Components-network-protocol there are three items listed:
    2 listed as MSAFD Tcpip [ TCP/IP ]
    2 listed as RSVP UDP Service Provider
    10 listed as MSAFD NETBIOS [ \Device\NetBT_T...
    could these have anything to do with the problem?
    I've also downloaded Tcpview and netstatp but haven't uploaded them yet because I don't know if I need them or if they're compatible with my system.

    The more I learn now the quicker I'll be able to start answering questions as well as asking them. Most of the questions I'll ask here will be security or internet related...but I do like to ask a lot of questions.


    Thanks !!!

  10. #10
    Senior Member IKnowNot
    Join Date
    Jan 2003
    Posts
    792
    I'm too tired tonight to even get drunk, so I'll be brief.

    I don't know if this means anything or not but I've been checking my system information out piece by piece to see if anything looks out of place...in Components-network-protocol there are three items listed:
    I know I am not the one to help describe these but they are normal, part of Winsock2, and needed.

    could these have anything to do with the problem?
    I'm not clear here on what the problem is, the listings on the firewall? Most of what you described so far seems normal. The firewall is doing its job.

    I've also downloaded Tcpview and netstatp but haven't uploaded them yet because I don't know if I need them or if they're compatible with my system.
    You mean you haven't installed them yet ( we're both tired ). If I were you I would start with Tcpview until you understand it completely. It is compatible with Win2k ( Microsoft Windows 2000 Pro ). Just make sure you downloaded it from a reliable source.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
