odd firewall log entry

Hi!

I was watching my firewall transactions in real time, and noticed my machine, which is a newly built dell box with xp, all updates and patches, running up-to-date norton virus scan corporate edition.

What is worrying me is this entry:

Connected to: 217.106.234.173 (traceroute shows the last named to hop to be: msk-dsr7-ge0-0-0-22.rt-comm.ru [217.106.6.66])
Port: 137
Direction: Out
Connection: Denied
Connection Details: UDP

So, uh. I've run a couple trojan scans. They turn up empty. The chances of me being haxored are fairly slim. I'm on a firewalled network, the machine is about a week and a half old. I've installed kiwi syslogger, which runs as a service. Install is pretty vanilla other than that. Yahoo Messenger running through the HTTP port, Watchguard firewall monitoring software, virus scanner, office 2k.

Anyone have any ideas? Im looking through our logs now for other suspicious activity....

Ok, watching my machine shows these as well, both to port 137 udp, which the firewall is blocking:

19 41 ms 40 ms 40 ms rback2-fa2-1.austtx.swbell.net [151.164.20.43]
20 810 ms 850 ms 553 ms 64.217.72.178

11 25 ms 25 ms 25 ms gige7-1.ipcolo1.NewYork1.Level3.net [64.159.17.99]
12 25 ms 26 ms 25 ms 67.72.16.92


No other hosts seem to be doing this but mine.

That Ip address belongs to G-Lock software..visit their website and see for yourself..
I scanned that IP for you and ports 21,25 80 and few others are opened...

Http to Ip and see.. I dont know why that IP appeared..seems like legitimate company.????
Are you sure you dont have a software package you've downloaded from their website in the past,,and the software is performing some type of update...

Ok, this is getting stranger then. I have a shortcut in My Favorites to their website (specifically http://www.glocksoft.com/aatools.htm) in my IE. I have none of their software installed, but I was evaluating the feature set of their products and had made a shortcut to go back to it when I had time.

What strikes me as really strange is port 137?! Is this a stupid windows/ie thing? I've never heard of anything like this. I have offline files and folders disabled, so it can't be trying to synch.

The short cut is common with some websites..once you visit a particular web site they automatically add themselves to your favorites list...from what I know 137 UDP is netbios names services...not a 100% sure..was it by the way TCP or UDP?

also, when your firewall notifies you of incident, does it give you name of process/application ..If so go to your registry, search for it and remove it..and also check for it in your processes list..

I'm not getting any listing of application no. I might dl/install a personal firewall like zone alarm or whatnot and see what it says. All the packets so far are UDP, and now its up to 3 IPs its doing this too.

One doesnt resolve, and one is for some 'networking' company and the page says they are currently offline.

I am probably being paranoid (as usual) but hits on 135, 137, and139 make me twitchy. A lot of crap and networms scan for these ports?


Have you tried Spybot Search & Destroy and ZoneAlarm 6.0..........your idea with the firewall is also good.

You might also like to try SamSpade 1.14 as an analysis tool (please read the instructions/disclaimer :) )

Cheers

Yea Im not sure whats happening to you,,,Yu will have to do a bit of investigating

For starters Go to grc.com and use "shields up" to scan your computer ...Scan it with your firewall turned off...

You might wanna also scan your PC for viruses by another source other than what you have ,,
go to www.commandondemand.com for free scan.

Good Luck

I'm behind a corporate network, I'll see if I can wire myself into the DMZ for a shields up test though, good idea.

I'll try the other vscan too thanks, I just had another IP roll through the log, I'm thinking I might just fdisk and start over.

if you do fdisk, fdisk the master boot record as well
fdisk /mbr (to be on safe side)

Quote:

---

Originally posted here by nihil
I am probably being paranoid (as usual) but hits on 135, 137, and139 make me twitchy. A lot of crap and networms scan for these ports?


Have you tried Spybot Search & Destroy and ZoneAlarm 6.0..........your idea with the firewall is also good.

You might also like to try SamSpade 1.14 as an analysis tool (please read the instructions/disclaimer :) )

Cheers

---

ZoneAlarm is at version 4.0 ;)

http://www.zonelabs.com/store/applic...og_view_id=201

CXGJarrod,

Well spotted sir, I meant AdAware from lavasoft :)

sorry for any confusion in the thread

cheers

A couple of things:

1) Windows XP/Windows 2000 will try to do netbios name resolution if DNS fails to obtain an address (I have especially seen this happen when webtrends is run against web server logs). Udp/137 is netbios name resolution. If I had to guess, some program is requesting a name and DNS doesn't resolve it so it is trying netbios. Unfortunately, there is no real way to turn off this 'feature' without gutting windows networking entirely (which may or may not be an option, if so, it is easy to do).

2) Now, as to what program is trying to issue the commands. I suggest using something like Foundstone's FPORT. This will tell you what program is trying to access those ports (and something like ZoneAlarm or Agnitum Outpost will do the same). Possibilities: legit software, spyware, trojans, or worms. There are several recent worms that attempt to spread via netbios sessions and could easily generate the type of traffic you are seeing.

So...

1) Make sure you are running AV, that it is up to date, and that you have scanned every file/process.

2) Install Spybot and LavaSoft's AdAware. They are both free for personal use and will eliminate spyware (and spybot can actually prevent some of it).

3) Make sure you have a good personal firewall. I personally prefer Agnitum Outpost, but its learning curve is a good bit higher than Zonelab's ZoneAlarm. Both basic versions are free and will do a good job of not only protecting you of outside in, but your connections out.

Hope that helps,

/nebulus

EDIT: You also may want to be a bit more judicious with your ISP information. You never really know who is looking at that info.

What nebulus is saying makes a lot of sense,,,If DNS doesnt resolve, windows trys to so with netbios,,You can easily verify this , by sniffing LAN and letting request go out...

"EDIT: You also may want to be a bit more judicious with your ISP information. You never really know who is looking at that info."

I'll look into that as well. The only thing is, I'm sure I'm not doing name look ups on these ips. I can see the company maybe, but the other ones? One looked an awful lot like a dial-up.

As for submitting info, I feel like I do a decent job of not giving out too much data on my environment, what did I say that prompted that nebulus? If I said something I shouldn't have I want to add it to that list in my head (along with the admin passwords of our firewall, router, servers, etc). :)

Oh yeah.

I'll try FPORT. Good idea there. I've already tried adaware but I am pretty anal about what I put on my machines.

I'll try zone alarm, but as I mentioned this lan is already behind a hardware firewall. AV updates are served by our server, and are updated nightly. So norton/symantec is up-to-date.

I really think it's probably this:

"1) Windows XP/Windows 2000 will try to do netbios name resolution if DNS fails to obtain an address (I have especially seen this happen when webtrends is run against web server logs). Udp/137 is netbios name resolution. If I had to guess, some program is requesting a name and DNS doesn't resolve it so it is trying netbios. Unfortunately, there is no real way to turn off this 'feature' without gutting windows networking entirely (which may or may not be an option, if so, it is easy to do). "

But, with XP, you can pretty easily turn off netbois, and I just discovered that I had left it on default, which reads from our wins settings (which we dont have here) so I'd imagine that it's probably enabled. I'll try turning that off and test as well.

Thanks for the suggestions guys. I appreciate it.

Quote:

---

As for submitting info, I feel like I do a decent job of not giving out too much data on my environment, what did I say that prompted that nebulus? If I said something I shouldn't have I want to add it to that list in my head (along with the admin passwords of our firewall, router, servers, etc).

---

The specific thing I was referring to was the traceroute. It really didn't apply to the situation you were trying to address and, unless altered, would help narrow down a search of your network to someone that could have less than noble intentions (Ie, give them a target).

Unless you have some verbose packet captures or some kind of an IDS that is watching traffic it would be very difficult for me to determine what is going on, which is why I suggested those 3 things (ie, the traffic could be a reply to an incoming packet (UDP is sessionless so it is possible your firewall would misreport it), but it is not easy to tell without those captures). Please have a looksee at them and let us know if you turn up anything else, I would be curious to know what you find (Im leaning towards you have a worm that monkies with AV (like hllw.netbiwo) or spyware).

/nebulus

Oh sure, thats why I only showed you the last 2 hops on the tracings. Although I probably should have masked a couple octets just to be safe I suppose. I've disabled netbios over tcp/ip in xp, we'll see what happens. I've tried 3 different virus scanners (2 online scanners and nav) nothing shows up. Adaware doesnt spot anything either. I recall someone mentioned a second spy bot killer, I'll try that and also install zone alarm (the only personal firewall I have actually used, except black ice defender, which I think didn't do much).

I'll post an update soon...