
Blocking Outgoing - Port 137



Every day I get notifications that Malwarebytes has blocked an outgoing connection to a potentially malicious website.

The IP is not always the same (as shown below) and has in fact been quite different over time but has always been OUTGOING and PORT 137.

Does anybody know what this could be and what might be accessing port 137?

I have run full virus scans with McAfee, Malwarebytes and Microsoft Safety Scanner, and all three showed no infections.

 

 

2013/07/06 06:21:33 -0600 IP-BLOCK 46.166.168.187 (Type: outgoing, Port: 137)
2013/07/06 06:21:33 -0600 IP-BLOCK 46.166.168.187 (Type: outgoing, Port: 137)
2013/07/06 06:21:33 -0600 IP-BLOCK 46.166.168.187 (Type: outgoing, Port: 137)
2013/07/06 06:21:33 -0600 IP-BLOCK 46.166.168.187 (Type: outgoing, Port: 137)

2013/07/06 06:41:21 -0600 IP-BLOCK 58.64.158.218 (Type: outgoing, Port: 137)
2013/07/06 06:41:21 -0600 IP-BLOCK 58.64.158.218 (Type: outgoing, Port: 137)
2013/07/06 06:41:21 -0600 IP-BLOCK 58.64.158.218 (Type: outgoing, Port: 137)
2013/07/06 06:41:21 -0600 IP-BLOCK 58.64.158.218 (Type: outgoing, Port: 137)

 

Thanks for any help.
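
Added example, not part of the original posts: a small Python triage of Malwarebytes IP-BLOCK lines in the format quoted above. It groups repeated entries and flags outgoing traffic on the NetBIOS ports (137-139) whose destination is a public address, since NetBIOS name traffic is normally expected to stay on the local network. The last two sample lines and the names `triage`, `LINE_RE` and `NETBIOS_PORTS` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: first three lines use the format and IPs from the post, last two are made up.
SAMPLE_LOG = """\
2013/07/06 06:21:33 -0600 IP-BLOCK 46.166.168.187 (Type: outgoing, Port: 137)
2013/07/06 06:21:33 -0600 IP-BLOCK 46.166.168.187 (Type: outgoing, Port: 137)
2013/07/06 06:41:21 -0600 IP-BLOCK 58.64.158.218 (Type: outgoing, Port: 137)
2013/07/06 06:50:02 -0600 IP-BLOCK 192.168.1.255 (Type: outgoing, Port: 137)
2013/07/06 07:02:10 -0600 IP-BLOCK 10.0.0.5 (Type: incoming, Port: 445)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) IP-BLOCK "
    r"(?P<ip>\S+) \(Type: (?P<dir>\w+), Port: (?P<port>\d+)\)$"
)
NETBIOS_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram", 139: "NetBIOS session"}

def triage(log_text):
    """Group IP-BLOCK entries and flag outgoing NetBIOS traffic to public IPs."""
    groups = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and anything not in the IP-BLOCK format
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field
        key = (str(ip), m["dir"], int(m["port"]))
        entry = groups.setdefault(key, {"count": 0, "first": m["ts"], "last": m["ts"]})
        entry["count"] += 1
        entry["last"] = m["ts"]
    findings = []
    for (ip, direction, port), e in groups.items():
        leaked = (direction == "outgoing" and port in NETBIOS_PORTS
                  and ipaddress.ip_address(ip).is_global)
        findings.append({"ip": ip, "direction": direction, "port": port,
                         "service": NETBIOS_PORTS.get(port, "other"),
                         "count": e["count"], "first": e["first"], "last": e["last"],
                         "netbios_to_internet": leaked})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "REVIEW" if f["netbios_to_internet"] else "ok"
        print(f'{flag:6} {f["ip"]:15} {f["direction"]:8} {f["port"]:>5} '
              f'{f["service"]:22} x{f["count"]}')
```
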


Hi, NeedToKnow: :)
 
One of those IPs is located in the Netherlands and the other is in Hong Kong.
So, it's a bit suspicious for infection.
 
The safest bet is to have one of the malware experts assist you with this.
Please follow the recommendations in this pinned topic: Available Assistance For Possibly Infected Computers.
A qualified helper will guide you through the scanning and cleanup process.

 

Thanks,

daledoc1

 

ALSO: It appears that you have an identical, duplicate topic in the Website blocking section >HERE<?

A moderator might merge these 2 posts and/or lock/delete the duplicate post. ;)


Port 137 is part of NetBIOS over IP.  If one is behind a NAT Router, it can be used to BLOCK inbound and outbound NetBIOS and SMB traffic.

 

The following graphics show this implemented on a Linksys Router and an ActionTec Router.  Any NAT Router has simplistic Firewall constructs.  Others may implement a full Firewall.  In either case, one should not have a computer directly connected to the Internet and should use a NAT Router for its added security benefits ( besides allowing the sharing of the Internet access among up to 253 computers and devices on the LAN side ).

 

[Attached images: two router configuration screenshots]


Thanks for the information daledoc1 and David.

 

David, your information was appreciated but way over my head. It did prompt me to google NetBIOS and several sites suggested that NetBIOS over TCP/IP could and should be disabled.  I did so and have not had any problems and Malwarebytes has not needed to block any outgoing connections on port 137 since.

 

Hopefully this was the right thing to do.


  • Root Admin

In general a home computer does not need NetBIOS over TCP/IP - and in a Utopian world nowadays even a business network would not need it, but it is difficult to disable for many businesses due to various programs or general networking needs.

 

The IP that was being blocked is from the Netherlands


Thanks Ron (AdvancedSetup)

 

Over the last few weeks Malwarebytes was blocking IPs from the Netherlands, Russia, China and even the U.S.

I did google the IPs to find out where they were from.

It was always outgoing through port 137 and I am still curious why my computer was trying to access these sites.

So far, since I disabled the NetBIOS over TCP/IP, the problem seems to have gone away but I just did it earlier today.


  • Root Admin

Here are a couple of links to give you a better understanding of what port 137 is used for. 

 

Port 137 Details

GRC Port Authority Database - Port 137
 

From that perspective you should be okay if you have it disabled but you might also want to run a scan and post back the logs so that we can do a basic check on your system.

 

 

Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop
dds.scr
dds.com


Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr or dds.com to run the tool.
Click the Run button if prompted with an Open File - Security Warning dialog box.
A black DOS console should open and run for a moment. 


    When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt


  • Save both reports to your desktop
  • Please include the following logs in your next reply as an attachment: DDS.txt and Attach.txt
    You can ignore the note about zipping the Attach.txt file


 

 

 

Then run this tool as well and post back the logs as attachments please.

 

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files


Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.
 

 

Thanks
