Something Trying To Use Udp Port 137
Posted 02 February 2005 - 05:06 AM
My firewall is logging one of the XP pro machines on the network as trying to creat an outbound connection via UDP port 137.
I know this is Netbios so i'm a bit concerned.
I've installed microsofts port report and port parser and logged traffic for a while.However I can't see this event in the port Report logs.
Now I find out that port report doesn't log traffic sent from a UDP port to another UDP port.
So, what to do?
Heres the log from my firewall:
02/02/2005 11:43:38.272 UDP packet dropped 192.168.1.1, 137, LAN 126.96.36.199, 137, WAN NetBios
I ran a whois on teh remote ip and it looks like its somethnig to do with the Internet Assigned Numbers Authority.
Still, seems strange.Are there any other tools I can use to easily find out whats trying to get out?
Thanks very much.
Posted 02 February 2005 - 05:10 AM
Copyright © 1998-2004 Mark Russinovich
Last Updated: August 9, 2004 v2.34
TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows NT, 2000 and XP TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.
Posted 02 February 2005 - 06:05 AM
I also just found out about netstats -b switch.Thanks, again
Posted 02 February 2005 - 07:31 AM
TCPview lists the proccess behind the outbound udp packets as system:4
heres the log line from TCPview -
System:4 UDP 192.168.1.252:137 *:*
What the hell is system:4 ?
I've searched arround for it and found a few forum posts linking it to Netbios and the messenger service, but we have other xp machines with messenger enabled and they aren't behaving in this way.
Thanks again and again......
Posted 02 February 2005 - 07:37 AM
Do I need to actually catch this thing in the act?
I mean, once it's tried to connect then will the port close or stay open for a certain amount of time?
Posted 02 February 2005 - 07:48 AM
its realtime, so the app needs to be doing something on the net for it to show up in tcpview...
Posted 02 February 2005 - 07:56 AM
ok i'm going to do a :
netstat -o -p UDP 2
I'll log it and see what comes up.
Posted 02 February 2005 - 08:44 AM
I just saw one of these udp packets get dropped by the firewall.I checked the log from the netstat and theres nothing there!!!!1
Why is nothing logging these packets?
The closest I've got is TCPview showing that the port has been recently used.
please help, someone!
Posted 02 February 2005 - 09:03 AM
and the remote address seems to be your gateway.
machine is prolly misconfigured and tries to get some information from the remote host.
maybe nameservices or what ever.
the process that sends the packet for sure is system if tcpview says so.
to be more exact its a thread that runs as system context.
you should get a decent tasklister and take a look what threads are running (not processes)
I have not seen a port explorer that is able to map open ports and lan activity to threads.
only to processes, which seems to be not enough nowadays (running your code in the memory of another process, execute your thread as remote thread within another process ...)
problem with this is with regular port explorers you will never see what process really calls the activity you will only see what process opens the tcp/udp handle.
(same for dll injection, but its very easy to catch).
anyways this was just for information how difficult it can be to find out what program causes this.
especially concerning UDP
Posted 02 February 2005 - 09:11 AM
Also, could you reccommend a decent tasklister?
Posted 02 February 2005 - 02:02 PM
Posted 05 February 2005 - 06:01 PM
the system process is also responsible for a lot on net stuff as well as system stuff
firewalls for windows won't kill this either because they have been hardcoded not to, otherwise your network connections might get (filtered).
btw, if you wanna write a trojan, figure out how to take control of that port and send crap there because of this pusedo-flaw
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users