• Security

    #379568

    Below from Zone Alarm Pro. I get a good number of these hits regularly.

    What I don’t understand is if my computer is supposedly operating in “stealth mode” and incoming/outgoing NetBios ports 135, 137-139, 445 in the Internet Zone are blocked, WHY is my machine STILL trying to make a connection (that ZA blocks) to some scanner dweeb in China? There aren’t any trojans/viruses, etc. loose on my system and no unknown programs running that seem capable of doing this.

    JW

    —————————————————————–
    What happened?
    Your computer has attempted to use NetBIOS port 137 to connect to another computer, located at address 61.183.244.23.

    Should I be concerned?
    No. 61.183.244.23 should be an address on your local network. One possible explanation for the alert is your computer is attempting to renew an IP address from a DHCP server. Both DHCP and NetBIOS are common on most local area networks using Windows platform domains. The address could also belong to a DNS server or another LAN-specific server.

    What should I do?
    If 61.183.244.23 is an address on your LAN, you should add your Local Area Network to your Local Zone. When security is set to Medium (the default in the Local Zone), ZoneAlarm Pro allows NetBIOS communications to pass through the firewall. High security denies NetBIOS communications. To avoid seeing this type of alert in the future, please refer to the ZoneAlarm Pro help files for instructions on adding hosts and IP addresses to the Local Zone. If 61.183.244.23 is not on your local network, then perform an updated anti-virus sweep of your computer.

    Whois Report from Zone Labs

    Whois information for IP address 61.183.244.23

    NETWORK: 61.183.244.23 [131072]
    inetnum: 61.183.0.0 – 61.184.255.255
    netname: CHINANET-HB
    descr: CHINANET Hubei province network
    descr: Data Communication Division
    descr: China Telecom
    country: CN
    admin-c: CH93-AP
    tech-c: YZ83-AP
    mnt-by: MAINT-CHINANET
    mnt-lower: MAINT-CN-CHINANET-HB
    changed: weitj@cndata.com 20001210
    status: ALLOCATED PORTABLE
    source: APNIC

    • #632638

      My instinctive reaction is that you might have a backdoor. Are your antivirus definitions up to date? Done a scan? Try an online scanner like Trend Micro’s HouseCall to be sure. Other than that, have you checked your running apps/processes to see whether some utility you’ve installed is getting updates or otherwise making a connection to a server out there?

      • #632772

        Yeah, that seems to be everyone’s first guess – and it is wrong. I have checked my system extensively and am confident that there aren’t any exposures.

        However, if incoming is really blocked, how would some component of Netbios know the address to reply to? Maybe ZA is letting some traffic through? Hmmm…
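An added illustration, not from the thread or from Zone Labs, of the mechanics behind the question above: a NetBIOS name-service probe on UDP/137 is a single datagram, and whatever stack receives it gets the reply address from the datagram's own source IP and port, so a reply can be sourced without any inbound "connection" ever being accepted. The code builds the wildcard node-status query that NetBIOS scanners send, parses it, and constructs the node-status response per RFC 1001/1002. The host names, MAC address and the probe's source port are constructed sample values.

```python
"""NetBIOS Name Service (UDP/137) node-status exchange, per RFC 1001/1002.

Illustrates why a dropped *inbound* port 137 probe can still produce an
*outbound* port 137 packet: the query is one UDP datagram, and any stack
that saw it already holds the reply address (the datagram's source IP/port).
"""
import struct

NBSTAT = 0x0021      # node status (NBSTAT) query type
QCLASS_IN = 0x0001


def encode_nb_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 s.14.1): 15-char name + 1-byte suffix,
    each byte split into two nibbles, each nibble + 'A'.  The wildcard '*'
    is NUL-padded rather than space-padded."""
    if name == "*":
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))


def decode_nb_name(enc):
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]


def build_nbstat_query(trn_id):
    """The '*' node-status query scanners send to enumerate a host's names."""
    hdr = struct.pack("!HHHHHH", trn_id, 0x0000, 1, 0, 0, 0)  # query, QDCOUNT=1
    return hdr + b"\x20" + encode_nb_name("*") + b"\x00" + struct.pack("!HH", NBSTAT, QCLASS_IN)


def parse_nbns_query(pkt):
    trn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question NBNS query")
    if pkt[12] != 0x20 or pkt[45] != 0x00:
        raise ValueError("malformed NetBIOS name label")
    name, suffix = decode_nb_name(pkt[13:45])
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    return {"trn_id": trn_id, "name": name, "suffix": suffix, "qtype": qtype, "qclass": qclass}


def build_nbstat_response(query, names, mac):
    """Node status response (RFC 1002 s.4.2.18): one RR whose RDATA lists each
    registered name (16 bytes + 2 flag bytes) followed by a 46-byte STATISTICS
    block (UNIT_ID = MAC, remainder zeroed, as Windows fills it)."""
    q = parse_nbns_query(query)
    if q["qtype"] != NBSTAT:
        raise ValueError("only NBSTAT queries are answered here")
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    hdr = struct.pack("!HHHHHH", q["trn_id"], 0x8400, 0, 1, 0, 0)  # response, authoritative, ANCOUNT=1
    rr_name = b"\x20" + encode_nb_name(q["name"], q["suffix"]) + b"\x00"
    rdata = bytes([len(names)])
    for name, suffix, flags in names:
        rdata += name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix]) + struct.pack("!H", flags)
    rdata += mac + b"\x00" * 40
    return hdr + rr_name + struct.pack("!HHIH", NBSTAT, QCLASS_IN, 0, len(rdata)) + rdata


def parse_nbstat_response(pkt):
    trn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or an != 1:
        raise ValueError("not an NBNS answer")
    off = 12 + 1 + 32 + 1                      # skip the RR name label
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    count = pkt[off]
    off += 1
    names = []
    for _ in range(count):
        entry = pkt[off:off + 18]
        off += 18
        names.append((entry[:15].rstrip(b" ").decode("ascii"), entry[15],
                      struct.unpack("!H", entry[16:18])[0]))
    return {"trn_id": trn_id, "names": names, "mac": pkt[off:off + 6]}


def answer_datagram(src, payload, names, mac):
    """What any listening stack does with the inbound datagram: the reply's
    destination is simply the datagram's source (ip, port).  'Inbound blocked'
    therefore does not imply 'nothing outbound' when a second stack on the host
    (the VMware bridge in this thread) also received the datagram."""
    return src, build_nbstat_response(payload, names, mac)


if __name__ == "__main__":
    # Constructed scenario: a probe from the address in the thread, port 137.
    probe_src = ("61.183.244.23", 137)
    probe = build_nbstat_query(0xBEEF)
    host_names = [("WORKSTATION", 0x00, 0x0400), ("WORKGROUP", 0x00, 0x8400),
                  ("WORKSTATION", 0x20, 0x0400)]     # assumed names/flags
    dst, reply = answer_datagram(probe_src, probe, host_names, bytes.fromhex("001122334455"))
    print("reply goes to", dst, "listing", parse_nbstat_response(reply)["names"])
```

The reply's destination comes straight from the received datagram; a host firewall that drops the probe on one stack has no say over another stack that also saw it.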

        • #632831

          You say you’ve checked your system thoroughly for exposures, so does that mean you’ve gone through your running processes in Task Manager and determined what each of them do? Now that you’re sure it’s not a backdoor/trojan/virus/whatever, that would be the next logical step.

          • #632848

            Just reading the alert on the surface, this is not an external attempt to get into your system — it’s something already in that’s trying to connect out. BTW, if your ZA’s Internet Zone security is not set to High, you’re not in stealth mode (don’t know if you needed that, but it’s free. 🙂 )

            If something inside is trying to connect externally without your knowledge or permission, I wouldn’t know what else to call it but a backdoor/trojan/virus/whatever. Know what I mean?

            AFAIK, there’s nothing built into Windows which would automatically use port 137 to connect to some Chinese server.

            Charlie T.

        • #632954

          Check your Task Manager for running processes. There is a site on the web which lists all std processes so you can check your tasks and this.
          Possibly there is an app looking to go out for an update, so check for update files.
          Install Ad-aware, as it may be sourced from a cookie.
          HTH sigh NewZealand

          • #633011

            I’ve run ad-aware, Pest Patrol, have NAV up-to-date. I know what everything running in my system is. I get these hits regularly from all over the world (China, Korea, Latin America, etc.).

            So I used a TCP port monitor to see what is active. I see that the following ports allocated to NETBIOS are active and listening. But these ports are blocked through ZA, so no inbound or outbound traffic is passed through regardless.

            Port  Process   Protocol  Endpoint
            139   System:8  UDP       computername:netbios-ssn
            138   System:8  UDP       computername:138
            137   System:8  UDP       computername:netbios-NS

            I have tried to completely disable netbios via turning off services since I don’t have a network and no need for netbios. Clearly, there are some non-obvious Windows processes still listening to netbios.

            What is the System:8 process above?

            Do any of you have firewalls? Have you ever looked at a detailed log of the activity? I suspect that you will find similar hits if you look closely.

    • #634776

      Does ZA tell you what program generated the packet, or show you the contents? If not, you could try a packet sniffer.

      • #634813

        No, this is one of the weaknesses of ZA, not making the actual contents available. All they show is that a packet was blocked through X port. Using a TCP monitor, I’m able to see what process has the port hooked. But that doesn’t tell me anything. I may have to go in the direction of a packet sniffer to get to the bottom of this.

        Right now, I am trying to get a usable response from ZA Support. They keep beating around the question by sending me canned responses that they simply paste into a reply message. To reiterate, IF ZA is actually blocking incoming attempts to communicate with a port (137 in this case), then there should never be anything outgoing on port 137. If there are outgoing attempts (which ZA also says it is blocking), then either ZA isn’t working or there really is a trojan trying to do outbound connects on my system (and I don’t think there is).

        If anyone else has ZA out there, take a close look at your log activity and see if you can explain/understand everything that is happening.

        • #634826

          Here’s a hypothetical outbound-only, non-trojan scenario: you mapped a drive to a share, and the share got associated with the IP address in an LMHOSTS file or equivalent. Every time you open Word, it reaches out and touches your mapped drives (for some reason, Word spins up the external floppy on my laptop).

          It’s hard to picture any other scenarios where Windows would want to make a NetBIOS connection. If you specifically block that range of IP addresses, does ZA report Windows trying to make other kinds of connections out there?

          • #635287

            Some new information today. I was looking in detail at the incoming/outgoing pairs and noticed that there were 2 different source IP’s referred to on my machine. That didn’t seem right since I only have one net connection. Further digging showed that I have a program called VMWare on my system. VMWare allows you to run OS instances under the running copy of the OS. I had done some beta testing for them and after they released the final version, I installed it but haven’t been using it. VMWare runs a number of services (about 6) that are used to enable networking pass through between the virtual machine and the master OS.

            While ZAP was blocking the incoming attempt to connect through port 137 by a scanner, VMWare was also apparently receiving a copy of the INCOMING request to connect and was trying to reply on the IP address that it had allocated. ZAP blocked this also, but I only saw it as an OUTGOING response to the incoming attempt, not noticing the different IPs. I fussed around with VMWare, but wasn’t able to disable its network services. So I uninstalled it. That resolved/explained the issue at hand. I’ll have to get in contact with VMWare support to get more detail on this.
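An added example, not part of the thread, that automates the check the last post did by hand: pair each blocked outbound UDP/137 packet with the inbound probe it answers, then list every local source address that did the answering. A second local address, other than the primary adapter, is the symptom the thread ended on (a virtual adapter's stack replying to probes the host firewall had already dropped). The log lines are constructed in the comma-separated layout of ZoneAlarm's ZALog.txt (direction, date, time, source, destination, protocol); the addresses 24.1.2.3 (assumed primary adapter) and 192.168.190.1 (assumed virtual adapter) are assumptions, and the two-second pairing window is a chosen heuristic.

```python
"""Pair inbound/outbound alerts in a ZoneAlarm-style log and report which local
addresses answered remote probes.  Any local address other than the primary
adapter means a second stack on the host is sourcing traffic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in ZALog.txt's comma-separated layout:
# direction,date,time zone,source ip:port,destination ip:port,protocol.
# All addresses except 61.183.244.23 (the one in the thread) are assumptions.
SAMPLE_LOG = """\
FWIN,2003/05/12,10:11:12 -8:00 GMT,61.183.244.23:137,24.1.2.3:137,UDP
FWOUT,2003/05/12,10:11:12 -8:00 GMT,192.168.190.1:137,61.183.244.23:137,UDP
FWIN,2003/05/12,10:11:13 -8:00 GMT,61.183.244.23:137,24.1.2.3:137,UDP
FWOUT,2003/05/12,10:11:13 -8:00 GMT,192.168.190.1:137,61.183.244.23:137,UDP
FWIN,2003/05/12,10:15:40 -8:00 GMT,211.35.1.9:4532,24.1.2.3:445,TCP (flags:S)
FWIN,2003/05/12,10:20:01 -8:00 GMT,200.45.7.3:137,24.1.2.3:137,UDP
FWOUT,2003/05/12,10:20:01 -8:00 GMT,192.168.190.1:137,200.45.7.3:137,UDP
FWOUT,2003/05/12,10:31:00 -8:00 GMT,24.1.2.3:1050,63.1.1.1:80,TCP (flags:S)
"""


def parse_line(line):
    """One alert -> dict.  The time field carries a UTC offset; only the
    clock time is used here since all lines share the same offset."""
    direction, date, tz_time, src, dst, proto = line.strip().split(",", 5)
    ts = datetime.strptime(f"{date} {tz_time.split()[0]}", "%Y/%m/%d %H:%M:%S")
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"dir": direction, "ts": ts, "src": (sip, int(sport)),
            "dst": (dip, int(dport)), "proto": proto.split()[0]}


def pair_replies(lines, window=timedelta(seconds=2)):
    """Match each FWOUT to the earliest unmatched FWIN whose source equals the
    FWOUT's destination, on the same protocol and local port, within `window`.
    An outbound packet with no such inbound partner is genuinely host-initiated."""
    events = [parse_line(l) for l in lines if l.strip()]
    inbound = [e for e in events if e["dir"] == "FWIN"]
    used = set()
    pairs = []
    for out in (e for e in events if e["dir"] == "FWOUT"):
        for i, inn in enumerate(inbound):
            if (i not in used and inn["src"] == out["dst"]
                    and inn["proto"] == out["proto"]
                    and inn["dst"][1] == out["src"][1]
                    and abs(out["ts"] - inn["ts"]) <= window):
                used.add(i)
                pairs.append((inn, out))
                break
    return pairs


def report(log_text, primary_ip):
    """Summarise reply pairs and every non-primary local address that replied,
    with the remote hosts it replied to."""
    pairs = pair_replies(log_text.splitlines())
    unexpected = defaultdict(set)
    for inn, out in pairs:
        if out["src"][0] != primary_ip:
            unexpected[out["src"][0]].add(inn["src"][0])
    return {"pairs": len(pairs),
            "unexpected_local": {ip: sorted(remotes) for ip, remotes in unexpected.items()}}


if __name__ == "__main__":
    summary = report(SAMPLE_LOG, primary_ip="24.1.2.3")
    print(f"{summary['pairs']} inbound/outbound pairs")
    for local_ip, remotes in summary["unexpected_local"].items():
        print(f"second local address {local_ip} answered probes from {', '.join(remotes)}")
```

Run against a real ZALog.txt with the machine's own adapter address as `primary_ip`; an entry under `unexpected_local` names the adapter to go looking for (ipconfig /all lists every adapter, including virtual ones).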
