CXGJarrod,
Well spotted sir, I meant AdAware from Lavasoft :)
sorry for any confusion in the thread
cheers
A couple of things:
1) Windows XP/Windows 2000 will try to do NetBIOS name resolution if DNS fails to obtain an address (I have especially seen this happen when WebTrends is run against web server logs). UDP/137 is NetBIOS name resolution. If I had to guess, some program is requesting a name and DNS doesn't resolve it, so it is trying NetBIOS. Unfortunately, there is no real way to turn off this 'feature' without gutting Windows networking entirely (which may or may not be an option; if so, it is easy to do).
2) Now, as to what program is trying to issue the commands. I suggest using something like Foundstone's FPORT. This will tell you what program is trying to access those ports (and something like ZoneAlarm or Agnitum Outpost will do the same). Possibilities: legit software, spyware, trojans, or worms. There are several recent worms that attempt to spread via NetBIOS sessions and could easily generate the type of traffic you are seeing.
So...
1) Make sure you are running AV, that it is up to date, and that you have scanned every file/process.
2) Install Spybot and Lavasoft's AdAware. They are both free for personal use and will eliminate spyware (and Spybot can actually prevent some of it).
3) Make sure you have a good personal firewall. I personally prefer Agnitum Outpost, but its learning curve is a good bit higher than Zone Labs' ZoneAlarm. Both basic versions are free and will do a good job of protecting you not only from the outside in, but also your connections out.
Hope that helps,
/nebulus
EDIT: You also may want to be a bit more judicious with your ISP information. You never really know who is looking at that info.
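The point above about sniffing for UDP/137 is easier to act on if you can read what a NetBIOS Name Service (NBNS) query actually carries, because the packet names the host the program was trying to reach. The example below is added here and is not code from anyone in this thread; it builds a constructed NBNS name-query datagram exactly as RFC 1002 lays it out (12-byte header, first-level encoded 34-byte question name, type/class), then decodes it back, so you can compare the decoded name against what a captured packet shows. The hostname, transaction ID and suffix values are assumptions for the demo. One caveat worth knowing while you look at captures: NetBIOS names are at most 15 characters, so Windows only falls back to NetBIOS for short, unqualified names; a failed lookup of a long or dotted DNS name will not produce UDP/137 traffic.

```python
"""Build and decode NetBIOS Name Service (UDP/137) name queries, RFC 1001/1002.

Added example for this thread; the packet below is constructed, not captured.
"""
import struct

NBNS_PORT = 137
QTYPE_NB = 0x0020      # NetBIOS general name service resource record
QCLASS_IN = 0x0001

# Well-known 16th-byte suffixes (RFC 1001 plus Microsoft conventions).
SUFFIXES = {
    0x00: "workstation service",
    0x03: "messenger service",
    0x1B: "domain master browser",
    0x1C: "domain controllers",
    0x1D: "master browser",
    0x1E: "browser elections",
    0x20: "file server service",
}
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "WACK", 8: "refresh"}


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encoding: pad to 15 chars, append the suffix byte, then
    write each nibble as a letter 'A'..'P'. Result is 1 + 32 + 1 bytes."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix & 0xFF])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(out) + b"\x00"


def decode_netbios_name(encoded: bytes) -> tuple:
    """Reverse first-level encoding; returns (name, suffix)."""
    if len(encoded) != 34 or encoded[0] != 0x20 or encoded[-1] != 0x00:
        raise ValueError("not a first-level encoded NetBIOS name")
    body = encoded[1:33]
    if any(not (0x41 <= c <= 0x50) for c in body):
        raise ValueError("encoded name contains characters outside A..P")
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41)
                for i in range(0, 32, 2))
    # Names are space padded; the "*" node-status name is NUL padded.
    return raw[:15].decode("ascii").rstrip(" \x00"), raw[15]


def build_name_query(name: str, trn_id: int = 0x8000, suffix: int = 0x20) -> bytes:
    """Broadcast NBNS name query as a Windows resolver would send it.
    Flags 0x0110 = opcode 0 (query), RD=1, B=1 (broadcast)."""
    header = struct.pack(">HHHHHH", trn_id, 0x0110, 1, 0, 0, 0)
    question = encode_netbios_name(name, suffix) + struct.pack(">HH", QTYPE_NB, QCLASS_IN)
    return header + question


def parse_name_query(payload: bytes) -> dict:
    """Parse the UDP payload of an NBNS datagram; returns header flags and,
    for a query with one question, the decoded name and suffix."""
    if len(payload) < 12:
        raise ValueError("truncated NBNS header")
    trn_id, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    info = {
        "trn_id": trn_id,
        "is_query": not (flags & 0x8000),      # R bit clear => request
        "opcode": OPCODES.get(opcode, "opcode %d" % opcode),
        "recursion_desired": bool(flags & 0x0100),
        "broadcast": bool(flags & 0x0010),     # B bit
        "qdcount": qd,
    }
    if qd == 1:
        if len(payload) < 50:
            raise ValueError("truncated NBNS question")
        name, suffix = decode_netbios_name(payload[12:46])
        qtype, qclass = struct.unpack(">HH", payload[46:50])
        info.update(name=name, suffix=suffix,
                    suffix_meaning=SUFFIXES.get(suffix, "other"),
                    qtype=qtype, qclass=qclass)
    return info


if __name__ == "__main__":
    # Constructed sample: a resolver looking for the file service on "WEBSERVER"
    # (hypothetical hostname) after DNS failed to answer.
    sample = build_name_query("WEBSERVER", trn_id=0x1234)
    print(sample.hex())
    print(parse_name_query(sample))
```

Pointing `parse_name_query` at the UDP payload of a frame captured on port 137 (for example the bytes after the UDP header in a raw sniffer dump) tells you which unqualified name the program was trying to resolve and which service suffix it wanted; that name is usually enough to identify the application behind the traffic, which is the same question FPORT answers from the process side.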
What nebulus is saying makes a lot of sense. If DNS doesn't resolve, Windows tries to do so with NetBIOS. You can easily verify this by sniffing the LAN and letting the request go out...
"EDIT: You also may want to be a bit more judicious with your ISP information. You never really know who is looking at that info."
I'll look into that as well. The only thing is, I'm sure I'm not doing name lookups on these IPs. I can see the company maybe, but the other ones? One looked an awful lot like a dial-up.
As for submitting info, I feel like I do a decent job of not giving out too much data on my environment, what did I say that prompted that nebulus? If I said something I shouldn't have I want to add it to that list in my head (along with the admin passwords of our firewall, router, servers, etc). :)
Oh yeah.
I'll try FPORT. Good idea there. I've already tried AdAware, but I am pretty anal about what I put on my machines.
I'll try ZoneAlarm, but as I mentioned this LAN is already behind a hardware firewall. AV updates are served by our server and are updated nightly, so Norton/Symantec is up to date.
I really think it's probably this:
"1) Windows XP/Windows 2000 will try to do NetBIOS name resolution if DNS fails to obtain an address (I have especially seen this happen when WebTrends is run against web server logs). UDP/137 is NetBIOS name resolution. If I had to guess, some program is requesting a name and DNS doesn't resolve it, so it is trying NetBIOS. Unfortunately, there is no real way to turn off this 'feature' without gutting Windows networking entirely (which may or may not be an option; if so, it is easy to do)."
But with XP you can pretty easily turn off NetBIOS, and I just discovered that I had left it on the default, which reads from our WINS settings (which we don't have here), so I'd imagine that it's probably enabled. I'll try turning that off and test as well.
Thanks for the suggestions guys. I appreciate it.
The specific thing I was referring to was the traceroute. It really didn't apply to the situation you were trying to address and, unless altered, would help narrow down a search of your network to someone that could have less than noble intentions (i.e., give them a target).
Quote:
"As for submitting info, I feel like I do a decent job of not giving out too much data on my environment, what did I say that prompted that nebulus? If I said something I shouldn't have I want to add it to that list in my head (along with the admin passwords of our firewall, router, servers, etc)."
Unless you have some verbose packet captures or some kind of an IDS that is watching traffic, it would be very difficult for me to determine what is going on, which is why I suggested those 3 things (i.e., the traffic could be a reply to an incoming packet (UDP is sessionless, so it is possible your firewall would misreport it), but it is not easy to tell without those captures). Please have a looksee at them and let us know if you turn up anything else; I would be curious to know what you find (I'm leaning towards you having a worm that monkeys with AV (like hllw.netbiwo) or spyware).
/nebulus
Oh sure, that's why I only showed you the last 2 hops on the tracings. Although I probably should have masked a couple of octets just to be safe, I suppose. I've disabled NetBIOS over TCP/IP in XP; we'll see what happens. I've tried 3 different virus scanners (2 online scanners and NAV), and nothing shows up. AdAware doesn't spot anything either. I recall someone mentioned a second spyware killer; I'll try that and also install ZoneAlarm (the only personal firewall I have actually used, except BlackICE Defender, which I think didn't do much).
I'll post an update soon...