Curious about port 137/nbname

russiancat · June 16, 2012, 10:42pm

Hello

I’ve seen some strange outgoing connections to various ip’s on port 137 (aka nbname according to Comodo)

Here are the alerts for three of them:

The first IP is, according to ip-lookup.net, from Israel, with no additional information really.

Why would my computer attempt to connect to it?

Another one is 192.31.37.26
Information from ip-lookup:

OrgName: SAS Institute, Inc.

Why is “System” (what process is this?), trying to connect to some “leader in business analytics”?
http://sas.com

Any additional information would be helpful. Do I need to be worried? What are those connections?

EDIT:

While writing, it tried to connect to 188.50.127.130 in Saudi Arabia?!

role: Saudi Telecom Co. Registry Admin-C contact
address: King Fahad Road, Abraj Atta’awuneya(NCCI Building), South Tower, 4th floor, Saudi Net

info:

Thank you

Chrystz · June 18, 2012, 12:13pm

I am kinda having the same issue, so I guess I dont have to create a new thread
The same System tries to connect using port 137 using hte UDP protocol
and the source port being 175.168.2.8 and the destination port being 175.168.255.255
both the ips belong to china and I am from India.
Neither the source of the destination is my IP, what kinda transfer between 2 IPs from China is
going to use an IP at India???

Here is the firewall log :

Citizen_K · June 18, 2012, 4:42pm

Apparently the two of you are directly connected to the web by a modem with no router present.

Do not respond to requests on ports 135-139 as they are for NETBIOS; which is about sharing files over the local network. And since there is no local network you would be sharing with unknown users.

The solution is to set the firewall to stealth settings by choosing “Block all incoming connections and make my ports stealth for everyone” in the Stealth Ports Wizard. That way you won’t get these alerts anymore. They will be discarded by the firewall.

Chrystz · June 19, 2012, 7:54am

@Eric Hello, Thanks for your response. I already have my ports stealthed…
And for me the solution was to disable NETBIOS as I do not have any other system connected in lan or a printer or other network device to connect to me.
Stealthing the port dint help for me.

@Russiancat Make sure you arent trying to broadcast to the devices on your lan.
If there are no other computers on your lan, I would advise you to disable NETBIOS.
In few cases it can’t be a virus causing this. Those IP would have been the local ip of different devices that you have connected. When you try to look up it will point to random locations.
To make sure thats not the case, check the local IP of different devices connected to your system and ifits to that ip the requests are going. and set the local ip in the range 192.168.0.0 to 192.168.255.255
and check for the nbdgram. if they also change to 192.168 then you dont have anything to worry about.

If you get the outgoing to the ips you listed even after changing your local ip, then you are having a trojan or some logger. I bet you let windows choose your local ip which is the reason for the issue as there are not many trojans which uses port 137 or 138 and a UDP connection.
Chrystz.