Blocking 100.64.100.6 on port 137 for Trojan -- false positive?


DrewGee
Solved by TeMerc

Hello, this morning MB started giving me warning pop-ups at seemingly random intervals, including just after startup and before I run any interactive programs:

Website blocked due to Trojan
If you don't want to block this website, you can exclude it from website protection by accessing Exclusions.
IP Address: 100.64.100.6
Port: 137
Type: Outbound
File: System

The following malware scans have all come up clean:

  • MB (including Rootkit scan)
  • Norton
  • AVG (quick, deep, and file)
  • Hitman Pro
  • Windows Defender (quick + some targeted file scans)

I've attached one of the Blocked Reports.

Is this likely to be a false detection?

Malwarebytes Website Blocked Report 2024-10-01 053616.txt


You need to be behind a Firewall such that NetBIOS over IP does not leak to the Internet.

A Router with a full Firewall or Firewall constructs can block egress and ingress of NetBIOS over IP.


Some notes and tips for the Router:

  • Disable acceptance of ICMP Pings
  • Change the Default Router password using a Strong Password
  • Use a Strong WiFi password on WPA2 using AES encryption or Enable WPA3 if it is an option.
  • Disable Remote Management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network.
    Example:  Keep IoT devices on one network and mobile devices on another.  
  • Change the network name (SSID). Do not use your name, postal address or other personal information. Make it unique or whimsical and known to your family/group.
  • Mitigate SSID Confusion attacks [CVE-2023-52424] by avoiding credential reuse across SSIDs by using a unique password per SSID.
    Example: One password for 2.4 GHz and a different password for 5.0 GHz.
  • Is the Router Firmware up-to-date? Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set Firewall rules to BLOCK: TCP and UDP ports 69, 135 ~ 139, 161, 445, 1234, 3389, 5555 and 9034
  • Many Routers support Saving and Restoring settings from a file.  It is suggested to make a backup by saving your Router's settings once it has been configured.
  • Document passwords created and store them in a safe but accessible location.


NOTES:  

  • The above suggested tips may be dependent upon one's preferences and the Router's capabilities.
  • The same rule of applying Strong Passwords holds for all IoT devices: never retain the Default.

References:

  1. What is a Cable Modem?
  2. What is a Router?
  3. what is a Modem+Router?
  4. How To Reset Your Router
  5. Ports Database
  6. IANA official ports
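As an added example (not code from the original thread, from Malwarebytes or from the reply's author), the following Python helper ties together the alert in the first post and the port list in the reply above: it parses the alert fields quoted in the question, classifies the destination address (100.64.0.0/10 is RFC 6598 shared address space, used for carrier-grade NAT and not routable on the public Internet), names the NetBIOS/SMB service on the destination port, and expands the reply's recommended block list to check whether the port is covered. The sample alert text is constructed from the fields quoted in the post, not taken from the attached report file; the verdict labels and the `triage` rules are assumptions of this example, not Malwarebytes logic.

```python
import ipaddress
import re

# Constructed sample alert, built from the fields quoted in the first post
# (not the contents of the attached Blocked Report file).
SAMPLE_ALERT = """Website blocked due to Trojan
IP Address: 100.64.100.6
Port: 137
Type: Outbound
File: System
"""

# Well-known Windows name-resolution / file-sharing ports.
NETBIOS_PORTS = {
    137: "NetBIOS Name Service",
    138: "NetBIOS Datagram Service",
    139: "NetBIOS Session Service",
    445: "SMB over TCP",
}

# The block list exactly as the reply words it ("135 ~ 139" is a range).
RECOMMENDED_BLOCK = "69, 135 ~ 139, 161, 445, 1234, 3389, 5555 and 9034"

# RFC 6598 shared address space (carrier-grade NAT); not routable on the Internet.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")


def parse_port_list(spec):
    """Expand a human-written list such as '69, 135 ~ 139, ... and 9034' into a set of ints."""
    ports = set()
    for token in re.split(r",|\band\b", spec):
        token = token.strip()
        if not token:
            continue
        rng = re.fullmatch(r"(\d+)\s*~\s*(\d+)", token)
        if rng:
            lo, hi = int(rng.group(1)), int(rng.group(2))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(token))
    return ports


def parse_alert(text):
    """Pull the 'Key: value' fields out of the pop-up text; the headline line has no colon and is skipped."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return {
        "ip": fields["IP Address"],
        "port": int(fields["Port"]),
        "direction": fields["Type"],
        "file": fields["File"],
    }


def classify_address(ip_str):
    """Return where the destination lives; shared address space is checked first because
    Python's ipaddress does not treat 100.64.0.0/10 as private."""
    ip = ipaddress.ip_address(ip_str)
    if ip in SHARED_ADDRESS_SPACE:
        return "shared-address-space"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "public"


def triage(alert):
    """Hypothetical triage rules (an assumption of this example): a NetBIOS-port packet from the
    System process to non-Internet address space is consistent with Windows name resolution
    on a new interface; the same traffic to a public address is the NetBIOS leak the reply
    warns about. Either way the port belongs on the egress block list."""
    scope = classify_address(alert["ip"])
    service = NETBIOS_PORTS.get(alert["port"])
    covered = alert["port"] in parse_port_list(RECOMMENDED_BLOCK)
    if service and scope == "public":
        verdict = "netbios-to-internet"
    elif service and alert["direction"] == "Outbound" and alert["file"] == "System":
        verdict = "netbios-to-non-internet"
    else:
        verdict = "review"
    return {
        "scope": scope,
        "service": service,
        "verdict": verdict,
        "port_in_recommended_block_list": covered,
    }


if __name__ == "__main__":
    print(triage(parse_alert(SAMPLE_ALERT)))
```

Running the block on the constructed alert reports the destination as shared address space, the service as NetBIOS Name Service, and confirms port 137 sits inside the reply's "135 ~ 139" range, which is the check a reader would want before deciding between an exclusion and a firewall rule.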


Thanks!

I do have a full firewall both on my router and via Norton.

But before I dig into my router, there's an interesting twist:

I've just noticed that when I restart my PC, the message comes up within 5 seconds of my VPN connecting (ExpressVPN), regardless of the source it connects to.

If ExpressVPN auto-starts, but I prevent it from auto-connecting, there's no message until I manually connect. The warning can appear after that, too, but as far as I can tell it's VPN related. Which makes sense, since as I understand it only something BIOS/network related should be trying to access an IP address in that range on that port.

That leaves me moderately comfortable ignoring this, though I still wonder whether this is a mistaken block on MBAM's part.


  • TeMerc locked this topic
This topic is now closed to further replies.