
Thread: Security

  1. #1
    5 Star Lounger ibe98765's Avatar
    Join Date
    Aug 2001
    Location
    Bay Area, California, USA
    Posts
    966
    Thanks
    19
    Thanked 4 Times in 4 Posts

    Security

    Below from Zone Alarm Pro. I get a good number of these hits regularly.

    What I don't understand is if my computer is supposedly operating in "stealth mode" and incoming/outgoing NetBios ports 135, 137-139, 445 in the Internet Zone are blocked, WHY is my machine STILL trying to make a connection (that ZA blocks) to some scanner dweeb in China? There aren't any trojans/viruses, etc. loose on my system and no unknown programs running that seem capable of doing this.

    JW

    -----------------------------------------------------------------
    What happened?
    Your computer has attempted to use NetBIOS port 137 to connect to another computer, located at address 61.183.244.23.

    Should I be concerned?
    No. 61.183.244.23 should be an address on your local network. One possible explanation for the alert is your computer is attempting to renew an IP address from a DHCP server. Both DHCP and NetBIOS are common on most local area networks using Windows platform domains. The address could also belong to a DNS server or another LAN-specific server.

    What should I do?
    If 61.183.244.23 is an address on your LAN, you should add your Local Area Network to your Local Zone. When security is set to Medium (the default in the Local Zone), ZoneAlarm Pro allows NetBIOS communications to pass through the firewall. High security denies NetBIOS communications. To avoid seeing this type of alert in the future, please refer to the ZoneAlarm Pro help files for instructions on adding hosts and IP addresses to the Local Zone. If 61.183.244.23 is not on your local network, then perform an updated anti-virus sweep of your computer.

    Whois Report from Zone Labs

    Whois information for IP address 61.183.244.23

    NETWORK: 61.183.244.23 [131072]
    inetnum: 61.183.0.0 - 61.184.255.255
    netname: CHINANET-HB
    descr: CHINANET Hubei province network
    descr: Data Communication Division
    descr: China Telecom
    country: CN
    admin-c: CH93-AP
    tech-c: YZ83-AP
    mnt-by: MAINT-CHINANET
    mnt-lower: MAINT-CN-CHINANET-HB
    changed: weitj@cndata.com 20001210
    status: ALLOCATED PORTABLE
    source: APNIC

  2. #2 ibe98765

    Re: Security

    Yeah, that seems to be everyone's first guess - and it is wrong. I have checked my system extensively and am confident that there aren't any exposures.

    However, if incoming is really blocked, how would some component of Netbios know the address to reply to? Maybe ZA is letting some traffic through? Hmmm...

  3. #3
    3 Star Lounger
    Join Date
    Jan 2001
    Location
    Calgary, Alberta, Canada
    Posts
    283
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Security

    My instinctive reaction is that you might have a backdoor. Are your antivirus definitions up to date? Done a scan? Try an online scanner like Trend Micro's HouseCall to be sure. Other than that, have you checked your running apps/processes to see whether some utility you've installed is getting updates or otherwise making a connection to a server out there?

  4. #4 3 Star Lounger (Calgary, Alberta, Canada)

    Re: Security

    You say you've checked your system thoroughly for exposures, so does that mean you've gone through your running processes in Task Manager and determined what each of them do? Now that you're sure it's not a backdoor/trojan/virus/whatever, that would be the next logical step.

  5. #5
    Star Lounger
    Join Date
    Apr 2002
    Posts
    78
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Security

    Just reading the alert on the surface, this is not an external attempt to get into your system -- it's something already in that's trying to connect out. BTW, if your ZA's Internet Zone security is not set to High, you're not in stealth mode (don't know if you needed that, but it's free. :-) )

    If something inside is trying to connect externally without your knowledge or permission, I wouldn't know what else to call it but a backdoor/trojan/virus/whatever. Know what I mean?

    AFAIK, there's nothing built into Windows which would automatically use port 137 to connect to some Chinese server.

    Charlie T.

  6. #6
    4 Star Lounger pccoyle's Avatar
    Join Date
    Apr 2001
    Location
    Auckland, Auckland, New Zealand
    Posts
    535
    Thanks
    3
    Thanked 2 Times in 2 Posts

    Re: Security

    Check your Task Manager for running processes. There is a site on the web which lists all standard processes, so you can check your tasks against it.
    Possibly there is an app looking to go out for an update, so check for update files.
    Install Ad-aware, as it may be sourced from a cookie.
    HTH
    Paul Coyle
    Approach love and cooking with reckless abandon

  7. #7 ibe98765

    Re: Security

    I've run ad-aware, Pest Patrol, have NAV up-to-date. I know what everything running in my system is. I get these hits regularly from all over the world (China, Korea, Latin America, etc.).

    So I used a TCP port monitor to see what is active. I see that the following ports allocated to NETBIOS are active and listening. But these ports are blocked through ZA, so no inbound or outbound traffic is passed through regardless.

    Port  Process   Protocol  Local address
    139   System:8  UDP       computername:netbios-ssn
    138   System:8  UDP       computername:138
    137   System:8  UDP       computername:netbios-NS

    I have tried to completely disable netbios via turning off services since I don't have a network and no need for netbios. Clearly, there are some non-obvious Windows processes still listening to netbios.

    What is the System:8 process above?

    Do any of you have firewalls? Have you ever looked at a detailed log of the activity? I suspect that you will find similar hits if you look closely.
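
    Post #7 asks what "System:8" is and which Windows components still hold the NetBIOS ports. On Windows 2000 the kernel's System process has PID 8 (it is PID 4 on XP and later), and NetBIOS over TCP/IP and the SMB server are kernel-mode components, which is why their sockets are attributed to System rather than to a user-mode program. The script below is an added example, not code posted by anyone in this thread: it parses output in the `netstat -ano` layout (that layout and IPv4-only addresses are assumptions; the sample rows are constructed, with 192.168.1.5 as the host NIC and 192.168.199.1 standing in for a virtual-machine host adapter), lists which PID owns each listener on 135/137/138/139/445, and reports every local address those ports are bound to. On a single-NIC machine a second bound address is the first clue that another adapter is answering NetBIOS traffic.

```python
"""Map listening NetBIOS/SMB endpoints to their owning PID and local address."""
import re
from collections import defaultdict

# Ports discussed in the thread: RPC endpoint mapper, NetBIOS name/datagram/session, SMB.
NETBIOS_PORTS = {135: "epmap", 137: "netbios-ns", 138: "netbios-dgm",
                 139: "netbios-ssn", 445: "microsoft-ds"}
# PID of the kernel "System" process: 8 on Windows 2000, 4 on XP and later.
SYSTEM_PIDS = {4, 8}

# Constructed sample in the `netstat -ano` layout (assumed; not from the post).
# 192.168.1.5 is the host's NIC; 192.168.199.1 stands in for a VM host adapter.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       428
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       8
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       8
  TCP    192.168.199.1:139      0.0.0.0:0              LISTENING       8
  UDP    0.0.0.0:445            *:*                                    8
  UDP    192.168.1.5:137        *:*                                    8
  UDP    192.168.1.5:138        *:*                                    8
  UDP    192.168.199.1:137      *:*                                    8
  UDP    192.168.199.1:138      *:*                                    8
  UDP    192.168.1.5:1900       *:*                                    1032
"""

# proto, local addr, local port, foreign addr (ignored), optional state, PID.
# UDP rows have no State column, so the state group is optional.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, state, pid = m.groups()
            rows.append({"proto": proto, "addr": addr, "port": int(port),
                         "state": state, "pid": int(pid)})
    return rows


def netbios_listeners(rows):
    """Rows bound to a NetBIOS/SMB port: every UDP socket, TCP only if LISTENING."""
    return [r for r in rows if r["port"] in NETBIOS_PORTS
            and (r["proto"] == "UDP" or r["state"] == "LISTENING")]


def listeners_by_pid(rows):
    """PID -> list of (proto, local address, service name) it is listening on."""
    by_pid = defaultdict(list)
    for r in netbios_listeners(rows):
        by_pid[r["pid"]].append((r["proto"], r["addr"], NETBIOS_PORTS[r["port"]]))
    return dict(by_pid)


def bound_addresses(rows):
    """Distinct local addresses with a NetBIOS listener, wildcard excluded.
    More than one on a single-NIC host means another adapter (VM, VPN) is in play."""
    return sorted({r["addr"] for r in netbios_listeners(rows) if r["addr"] != "0.0.0.0"})


def non_system_owners(rows):
    """PIDs other than the kernel System process holding these ports; these are
    the ones worth looking up in Task Manager."""
    return sorted({r["pid"] for r in netbios_listeners(rows) if r["pid"] not in SYSTEM_PIDS})


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for pid, sockets in sorted(listeners_by_pid(rows).items()):
        owner = "System" if pid in SYSTEM_PIDS else "user-mode process"
        print(f"PID {pid} ({owner}): {sockets}")
    print("bound addresses:", bound_addresses(rows))
    print("non-System owners:", non_system_owners(rows))
```

    On a real machine, feed the function the output of `netstat -ano` instead of the constructed sample; the UDP 1900 row shows that unrelated listeners are left out of the report.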

  8. #8 pccoyle

    Re: Security

    Hi, I did a search on 139 System:8 and 137 System:8, and Google came up with the same link. I don't know how useful it will be.
    http://www.google.co.nz/search?hl=en&ie=IS...G=Google+Search
    Paul Coyle
    Approach love and cooking with reckless abandon

  9. #9
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Security

    Does ZA tell you what program generated the packet, or show you the contents? If not, you could try a packet sniffer.

  10. #10 ibe98765

    Re: Security

    No, this is one of the weaknesses of ZA, not making the actual contents available. All they show is that a packet was blocked through X port. Using a TCP monitor, I'm able to see what process has the port hooked. But that doesn't tell me anything. I may have to go in the direction of a packet sniffer to get to the bottom of this.

    Right now, I am trying to get a usable response from ZA Support. They keep beating around the question by sending me canned responses that they simply paste into a reply message. To reiterate, IF ZA is actually blocking incoming attempts to communicate to a port (137 in this case), then there should never be anything outgoing on port 137. If there are outgoing attempts (which ZA also says it is blocking), then either ZA isn't working or there really is a trojan trying to do outbound connects on my system (and I don't think there is).

    If anyone else has ZA out there, take a close look at your log activity and see if you can explain/understand everything that is happening.

  11. #11 jscher2000

    Re: Security

    Here's a hypothetical outbound-only, non-trojan scenario: you mapped a drive to a share, and the share got associated with the IP address in an LMHOSTS file or equivalent. Every time you open Word, it reaches out and touches your mapped drives (for some reason, Word spins up the external floppy on my laptop).

    It's hard to picture any other scenarios where Windows would want to make a NetBIOS connection. If you specifically block that range of IP addresses, does ZA report Windows trying to make other kinds of connections out there?

  12. #12 ibe98765

    Re: Security

    Some new information today. I was looking in detail at the incoming/outgoing pairs and noticed that there were 2 different source IP's referred to on my machine. That didn't seem right since I only have one net connection. Further digging showed that I have a program called VMWare on my system. VMWare allows you to run OS instances under the running copy of the OS. I had done some beta testing for them and after they released the final version, I installed it but haven't been using it. VMWare runs a number of services (about 6) that are used to enable networking pass through between the virtual machine and the master OS.

    While ZAP was blocking the incoming attempt to connect through port 137 by a scanner, VMWare was also apparently receiving a copy of the INCOMING request to connect and was trying to reply on the IP address that it had allocated. ZAP blocked this also, but I only saw it as an OUTGOING response to the incoming attempt, not noticing the different IPs. I fussed around with VMWare but wasn't able to disable its network services. So I uninstalled it. That resolved/explained the issue at hand. I'll have to get in contact with VMWare support to get more detail on this.
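
    The resolution in post #12 came from looking at inbound/outbound pairs in the firewall log and noticing two different local source addresses. The script below is an added example, not code from anyone in this thread, that automates exactly that check. It assumes log entries in the ZoneAlarm-style `FWIN|FWOUT,date,time,src:port,dst:port,proto` layout (the format, the five-second pairing window and the sample lines are constructed; 192.168.1.5 plays the host NIC and 192.168.199.1 a VM host adapter): each blocked outbound packet is matched to the inbound probe it answers (same remote endpoint, same local port, shortly after), and any reply that leaves from a different local address than the one probed is reported. Outbound packets with no matching probe are listed separately, since those are the ones that really do warrant identifying the process.

```python
"""Pair inbound/outbound firewall events to spot replies that leave from a
second local address (for example a virtual-machine host adapter)."""
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample entries (not taken from the original post), laid out in the
# ZoneAlarm-style "FWIN|FWOUT,date,time,src:port,dst:port,proto" format, which is
# assumed here; 192.168.1.5 is the host's real address and 192.168.199.1 stands in
# for a VM host-only adapter. The remote addresses are placeholders.
SAMPLE_LOG = """\
FWIN,2002/05/10,08:14:02 -7:00 GMT,61.183.244.23:1027,192.168.1.5:137,UDP
FWOUT,2002/05/10,08:14:02 -7:00 GMT,192.168.199.1:137,61.183.244.23:1027,UDP
FWIN,2002/05/10,09:02:11 -7:00 GMT,211.45.18.9:2044,192.168.1.5:137,UDP
FWOUT,2002/05/10,09:02:12 -7:00 GMT,192.168.199.1:137,211.45.18.9:2044,UDP
FWIN,2002/05/10,09:30:40 -7:00 GMT,200.12.44.7:1311,192.168.1.5:445,TCP (flags:S)
FWOUT,2002/05/10,10:00:00 -7:00 GMT,192.168.1.5:1234,64.4.11.42:80,TCP (flags:S)
"""

Event = namedtuple("Event", "direction when src_ip src_port dst_ip dst_port proto")


def parse_line(line):
    """One log line -> Event; the time-zone suffix is dropped (same zone assumed)."""
    direction, date, time, src, dst, proto = line.strip().split(",", 5)
    when = datetime.strptime(f"{date} {time.split()[0]}", "%Y/%m/%d %H:%M:%S")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Event(direction, when, src_ip, int(src_port),
                 dst_ip, int(dst_port), proto.split()[0])


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def pair_events(events, window=timedelta(seconds=5)):
    """Return (replies, unsolicited). Each FWOUT is matched to the latest FWIN
    from the same remote endpoint, to the same local port and protocol, that
    arrived no more than `window` before it; unmatched FWOUTs are unsolicited."""
    inbound = [e for e in events if e.direction == "FWIN"]
    replies, unsolicited = [], []
    for out in (e for e in events if e.direction == "FWOUT"):
        match = None
        for inc in inbound:
            if ((inc.src_ip, inc.src_port) == (out.dst_ip, out.dst_port)
                    and inc.dst_port == out.src_port and inc.proto == out.proto
                    and timedelta(0) <= out.when - inc.when <= window):
                match = inc
        (replies if match else unsolicited).append((match, out))
    return replies, unsolicited


def replies_from_other_address(events):
    """(probed local address, replying local address, remote address, local port)
    for every reply whose source differs from the address the probe targeted."""
    replies, _ = pair_events(events)
    return [(inc.dst_ip, out.src_ip, out.dst_ip, out.src_port)
            for inc, out in replies if inc.dst_ip != out.src_ip]


def local_addresses(events):
    """Every local address seen as an FWOUT source; more than one on a
    single-NIC host is the clue the thread ends on."""
    return sorted({e.src_ip for e in events if e.direction == "FWOUT"})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("local source addresses:", local_addresses(events))
    for probed, reply_src, remote, port in replies_from_other_address(events):
        print(f"probe to {probed}:{port} from {remote} answered by {reply_src}")
    _, unsolicited = pair_events(events)
    for _, out in unsolicited:
        print(f"unsolicited outbound: {out.src_ip}:{out.src_port} -> "
              f"{out.dst_ip}:{out.dst_port} {out.proto}")
```

    In the sample, both port 137 replies are attributed to 192.168.199.1 even though the probes were aimed at 192.168.1.5, which is the pattern post #12 describes; the TCP SYN to port 445 is never answered, and the connection to port 80 is the only genuinely unsolicited outbound packet.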
