Re: WORM? ... server generating NBT-NS (port 137) traffic on WAN interface



Hi Miles!

Thanks for the info ... I did try a few of these already ... please see
embedded comments.

----- Original Message -----
From: "Miles Li [MSFT]" <v-mileli@xxxxxxxxxxxxxxxxxxxx>
Newsgroups: microsoft.public.windows.server.sbs
Sent: Tuesday, October 14, 2008 6:08 AM
Subject: RE: WORM? ... server generating NBT-NS (port 137) traffic on WAN
interface


Hello,

Thank you for posting here.

According to your description, I understand that:

You have a concern about the outbound port 137 traffic in the SBS domain.

If I have misunderstood the problem, please don't hesitate to let me know.

Suggestions:
========================
The UDP 137 is related to the NetBIOS Over TCP/IP name service. Please try
to verify the source program that uses this port with the following steps:

1. On the SBS server command prompt, type "netstat -anob"

*** I did try using "netstat -bnop udp 3" earlier ... it does not show
anything at all at the same time as NETMON is capturing the unwanted packets
leaving the WAN NIC.

I did run NETMON on the SBS2003 box, it did find the extraneous packets ...
they are all UDP packets
I originally noticed these packets in the log of the external router ... ran
a packet capture tool on that interface first, it showed only UDP - port 137
extraneous packets
It seems as if whatever program is sending these packets, it is not using
the API that Netstat monitors

Do you know of any other Software diagnostic tools or aids that will work
with the production version of SBS2003 R1 ??? .... this almost seems like I
would need to use a checked build version and/or some IDE or ICE tools to
discover what is going on ... I don't think I can use this approach on a
production system though.

Is there another Software diagnostic tool that you know of that I can use
for something like instruction trace logging ... and do you know the module
names of the modules that actually control the NIC ... I think the
misbehaving program is not using the normal API to send packets, but
probably does have to use the Device Driver at least.


The -b parameter will help to display the executable involved in creating
each connection or listening port.

2. Find out the program that uses the UDP 137. If it is the [System], please
try to check whether the netbios over TCP/IP is disabled on the NIC that is
connected to the Internet (If the SBS server is the 2 NICs scenario).

*** Netbios over TCP/IP on the WAN NIC is disabled ... but not on either of
the two LAN NICs


a) Click Start, point to Settings, and then click Network and Dial-up
Connection.
b) Right-click Local Area Connection, and then click Properties.
c) Click Internet Protocol (TCP/IP), and then click Properties.
d) Click Advanced.
e) Click the WINS tab, and then click Disable NetBIOS over TCP/IP.

204279 Direct hosting of SMB over TCP/IP
http://support.microsoft.com/kb/204279

What Is Computer Browser Service?
http://technet.microsoft.com/en-us/library/cc787537.aspx

NetBIOS Over TCP/IP
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnbc_imp_wcug.mspx?mfr=true

On the virus issue, I would also like to suggest that you call Microsoft PC
Safety telephone number, 1-866-727-2338 (1-866-PCSAFETY). This service
offers no-charge assistance for virus-related issues or questions.

Also, you can check Microsoft Security and Privacy Web site at:

http://www.microsoft.com/security/.

This Web site offers various articles, updates, tips and tricks, and
resources to protect both home and business computers from virus infection
or attacks.

Hope it helps. If you have any questions or concerns, please do not
hesitate to let me know.


Best regards,
Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

