UDP port 137 requests outbound , need help!

tarun.pahuja
Level 1

Folks,

My PIX log shows that my workstation is sending requests on port 137 (UDP) outbound to unresolved IP addresses. I am running Sophos anti-virus and ran it multiple times; what anti-trojan-horse program should I try? What might be causing this? Also, the same IP address my workstation is sending 137 requests to is trying to ping the outside interface of my PIX. How could they know my IP address?

here is the log:

outside:12.29.13.149 (unresolved) dst inside:12.26.44.131 (unresolved) (type 8, code 0) by access-group "0"

2003-12-02 15:25:54 Local4.Warning 10.1.1.254 %PIX-4-106023: Deny icmp src outside:12.29.13.149 (unresolved) dst inside:12.26.44.132 (unresolved) (type 8, code 0) by access-group "0"

2003-12-02 15:25:56 Local4.Warning 10.1.1.254 %PIX-4-106023: Deny udp src inside:10.1.1.100 (DSMITH) /137 dst outside:12.29.13.149 (unresolved) /137 by access-group "100"

2003-12-02 15:25:57 Local4.Warning 10.1.1.254 %PIX-4-106023: Deny udp src inside:10.1.1.100 (DSMITH) /137 dst outside:12.29.13.149 (unresolved) /137 by access-group "100"
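The two things the poster noticed (inside hosts sending NetBIOS name service queries to an outside address, and that same address sending ICMP echo requests at the firewall) can be pulled out of the PIX syslog mechanically. The script below is an added example, not part of the original thread: it parses %PIX-4-106023 "Deny" lines in the format shown above and reports, per external IP, how many outbound 137/udp attempts were denied, which inside hosts sent them, and whether the same IP was also denied inbound pings. The sample log is constructed from the three complete entries quoted in the post plus one made-up line (198.51.100.7, a TEST-NET-2 address) for an external host that is queried but never pings back, so it is not flagged. The regex is an assumption based only on the lines visible here; other 106023 variants may need it adjusted.

```python
"""Correlate PIX %PIX-4-106023 denies: outbound NBNS (137/udp) from inside hosts
versus inbound ICMP echo requests from the same external address."""
import re
from collections import defaultdict

# Constructed sample: three complete lines quoted in the post above, plus one
# made-up line (198.51.100.7) to show an external host that is NOT flagged.
SAMPLE_LOG = """\
2003-12-02 15:25:54 Local4.Warning 10.1.1.254 %PIX-4-106023: Deny icmp src outside:12.29.13.149 (unresolved) dst inside:12.26.44.132 (unresolved) (type 8, code 0) by access-group "0"
2003-12-02 15:25:56 Local4.Warning 10.1.1.254 %PIX-4-106023: Deny udp src inside:10.1.1.100 (DSMITH) /137 dst outside:12.29.13.149 (unresolved) /137 by access-group "100"
2003-12-02 15:25:57 Local4.Warning 10.1.1.254 %PIX-4-106023: Deny udp src inside:10.1.1.100 (DSMITH) /137 dst outside:12.29.13.149 (unresolved) /137 by access-group "100"
2003-12-02 15:26:01 Local4.Warning 10.1.1.254 %PIX-4-106023: Deny udp src inside:10.1.1.100 (DSMITH) /137 dst outside:198.51.100.7 (unresolved) /137 by access-group "100"
"""

# Assumed layout of a 106023 line, derived from the samples only:
#   Deny <proto> src <if>:<ip> [(<name>) ][/<port> ]dst <if>:<ip> [(<name>) ][/<port> ]
#   [(type N, code M) ]by access-group "<acl>"
LOG_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src_ip>[\d.]+) (?:\((?P<src_name>[^)]*)\) )?(?:/(?P<src_port>\d+) )?'
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+) (?:\((?P<dst_name>[^)]*)\) )?(?:/(?P<dst_port>\d+) )?'
    r'(?:\(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\) )?'
    r'by access-group "(?P<acl>[^"]*)"'
)

NBNS_PORT = 137          # NetBIOS name service
ICMP_ECHO_REQUEST = 8    # "ping"


def parse_106023(line):
    """Return a dict of fields for a 106023 deny line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("src_port", "dst_port", "icmp_type", "icmp_code"):
        ev[key] = int(ev[key]) if ev[key] is not None else None
    return ev


def correlate(lines):
    """Per external IP: denied outbound NBNS attempts, the inside hosts that sent
    them, and the number of denied inbound echo requests from that IP."""
    report = defaultdict(lambda: {"nbns_attempts": 0,
                                  "nbns_sources": set(),
                                  "inbound_echo_requests": 0})
    for line in lines:
        ev = parse_106023(line)
        if ev is None:
            continue
        if (ev["proto"] == "udp" and ev["src_if"] == "inside"
                and ev["dst_if"] == "outside" and ev["dst_port"] == NBNS_PORT):
            entry = report[ev["dst_ip"]]
            entry["nbns_attempts"] += 1
            entry["nbns_sources"].add(ev["src_ip"])
        elif (ev["proto"] == "icmp" and ev["src_if"] == "outside"
                and ev["icmp_type"] == ICMP_ECHO_REQUEST):
            report[ev["src_ip"]]["inbound_echo_requests"] += 1
    # Sorted lists instead of sets so the output is deterministic.
    return {ip: {**e, "nbns_sources": sorted(e["nbns_sources"])}
            for ip, e in report.items()}


def suspicious(report):
    """External IPs that both received NBNS queries from inside and pinged us."""
    return sorted(ip for ip, e in report.items()
                  if e["nbns_attempts"] and e["inbound_echo_requests"])


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG.splitlines())
    for ip, e in sorted(result.items()):
        print(f"{ip}: {e['nbns_attempts']} NBNS attempt(s) from {e['nbns_sources']}, "
              f"{e['inbound_echo_requests']} inbound echo request(s)")
    print("correlated:", suspicious(result))
```

Run against a real export, the hosts listed under "nbns_sources" for a correlated IP are the ones to inspect first; the correlation itself is a lead, not proof, since NAT means any outside party can ping the PIX regardless of what is happening inside.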

3 Replies

scothrel
Level 3

Could be any number of things. A quick few:

You browsed to a trojan website that is causing your system to try to establish a NetBIOS connection with said IP address.

Someone poisoned (or otherwise corrupted) your DNS or WINS server and it's now resolving a name to an incorrect address, and a NetBIOS connection that you normally use is now corrupted.

You have a virus/worm/trojan application running.

Someone ran "nbtstat".

I'm sure there are endless possibilities. You've run an anti-virus; how about an anti-spyware? Does the behavior survive a reboot (I'm assuming a Windows box here, since 137 is the NetBIOS name service)? If so, I'd check out everything in the "Run" registry key.

The good point is that your PIX is doing what it's supposed to and blocking outbound (as well as inbound, I hope) Windows ports at the network edge.

Sorry, it's just too much of a wide-open field to find the specific cause via this medium.

Scott Cothrell

mcerha
Level 3

The remote "attacker" would get your PIX's external IP address because you appear to be using NAT. I can't explain why the remote system is attempting to ping you or the outbound port 137 traffic. Are you seeing any IDS alarms corresponding to this behavior? If you have an IDS monitoring this traffic, I'd start there. This would help diagnose the problem most quickly as you can capture traffic samples for analysis. Lastly, please double check that your anti-virus signatures are up to date.

suyashjain
Level 1

Hi,

Is this workstation Win2000? If yes, then often this is the DLLHOST.exe file, which has been corrupted. You can also install the ZoneAlarm utility; it will show the exact thing. ZoneAlarm Personal Edition can be downloaded from zonealarm.com. I had the same problem with one of my customers. I used ZoneAlarm, and it showed the application which is doing this. You can even stop this virus. Hope you will get a result. If still the same, contact me at sjain@deldsl.com. I have many solutions for this.