
System.exe and Port 137



#1 HeyWhoa

Posted 02 April 2009 - 05:32 PM

Hey everybody,

First of all, I checked the forums on the board here and I thought this seemed like the place to put my question; however, I apologize if it isn't. Also, I am new to firewalls and don't know much about IP addresses and nothing about ports and stuff like that, so for all I know this problem could be perfectly normal.

Anyway, when I first installed the Comodo firewall it popped up saying that System is trying to receive a connection from the internet. And under “Security Considerations” it said “System is a safe application. However, you are about to receive a connection from another computer. If you are not sure about what to do, you should block this request.” Connection from another computer? :thumbsup: I blocked it, not knowing if that was normal or not. Anyway, now in the Comodo logs I find that System has been blocked from running a bunch of times, like 80 times per hour, which seems like a lot to me. It also says that the "destination port" is 137 and 138, so I decided to google this and found something about "NetBIOS." Some of the things I read on this make it sound like it is a virus or something while other things I read make it sound normal, so now I am just confused. I know that Comodo is blocking it but I'd just like to know anyway if this is something bad or if it is normal, or if I should unblock it or what.

Here is part of the log:
                      Application  Action   Source IP    Source Port  Destination IP  Destination Port  Protocol
4/2/2009 10:40:03 AM  System       Blocked  192.168.1.1  2048         192.168.1.4     137               UDP
4/2/2009 10:40:30 AM  System       Blocked  192.168.1.1  2048         192.168.1.4     137               UDP
4/2/2009 10:40:59 AM  System       Blocked  192.168.1.1  2048         192.168.1.4     137               UDP
4/2/2009 10:41:30 AM  System       Blocked  192.168.1.1  2048         192.168.1.4     137               UDP
4/2/2009 10:41:43 AM  System       Blocked  192.168.1.3  138          192.168.1.4     138               UDP
4/2/2009 10:41:47 AM  System       Blocked  192.168.1.3  138          192.168.1.4     138               UDP
4/2/2009 10:41:52 AM  System       Blocked  192.168.1.3  138          192.168.1.4     138               UDP


That is pretty much the gist of it. It's just System from Source IP 192.168.1.1 and Source port 2048 trying to get to Destination IP 192.168.1.4 Destination port 137 and System from Source IP 192.168.1.3 and Source port 138 trying to get to Destination IP 192.168.1.4 Destination port 138, over and over. I have scanned my computer with AVG, Super Anti-Spyware and Malwarebytes Anti-Malware and nothing came up.

So is this something bad or is this normal? Should it be unblocked or should I keep blocking it?

Thanks.


#2 tos226

Posted 02 April 2009 - 09:21 PM

192.168.1.1 is your router, the others are attached computers (unless you've renamed everything, so this is my best guess to your setup).
These ports are used by the Windows SYSTEM for file sharing between computers on the LAN and for printer sharing on the LAN. And even when you're not actively sharing with those other computers, they all talk to one another periodically.
So long as you keep them on the LAN side of the router, the ports are ok as is the communication. Just don't let them out to the internet.
http://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP

Edited by tos226, 02 April 2009 - 09:24 PM.


#3 JamesFrance

Posted 03 April 2009 - 05:42 AM

To unblock your network with Comodo, go to the Firewall section then choose Advanced, then Network Security Policy and look for the block rule you created, then click on it and select remove.

Next time you are asked, agree to the connection and you should have 2 rules like this:

Allow system to send requests if the target is in [your network name]
Allow system to receive requests if the target is in [your network name]

In the Common Tasks section, you should use the Stealth Ports Wizard to set your network as trusted unless you do not trust it.
James

#4 HeyWhoa

Posted 04 April 2009 - 09:12 PM

Well, thanks for the help guys. Something else has been showing up in the Comodo logs:

The application is “Windows Operating System”
Protocol UDP
Source IP 192.168.1.3 Source Port 137
Destination IP 192.168.1.255 Destination port 137 and
application is “Windows Operating System”
Protocol UDP
Source IP 192.168.1.1 Source Port 2058
Destination IP 239.255.255.250 Destination port 1900

Also the “System” application now is coming from Source Port 2048.

Are all of these normal?

I am probably just being overly worried but I just wanted to make sure, so apologies for all of the questions. :thumbsup:

#5 burn1337

Posted 05 April 2009 - 07:21 PM

Well it could be something bad, just the same it could be something good... Personally I would do a search for the ip address... If the address checks out to be something ok... then I would say not to worry... Otherwise I would keep it blocked..

#6 tos226

Posted 05 April 2009 - 10:31 PM

I don't use Comodo, so I don't know how they display application names.
It sounds to me like "Windows Operating System" refers to SYSTEM which runs NetBIOS connections and broadcasts.

If your router is 192.168.1.1 and another computer is 192.168.1.3 then
UDP
Source IP 192.168.1.3 Source Port 137
Destination IP 192.168.1.255 Destination port 137
means computer broadcasts the name over the LAN, that's what 192.168.1.255 means.
If you want NetBIOS to run over TCP/IP then these are totally normal entries.
Did you read the reference I posted earlier
http://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP
and how to setup in Comodo that JamesFrance showed?

UDP
Source IP 192.168.1.1 Source Port 2058
Destination IP 239.255.255.250 Destination port 1900
this IP is the standard multicast address, see
http://en.wikipedia.org/wiki/Multicast_address
Your SSDP and uPnP service is running which you don't need. Nobody needs it. You can shut them off in services and definitely block them in the firewall. Block 1900 local and remote, and block 5000 remote port while you're at it. Malware loves to use those ports and in a home LAN multicast isn't needed usually.

It would really help if when you post such questions you'd tell us who is who. You can't get an answer other than guessing if you don't provide details.

Edited by tos226, 05 April 2009 - 10:37 PM.
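
Added example (not part of any post in this thread): a Python sketch that applies the rules of thumb given in the replies above to the log rows posted here. The /24 LAN range, the `classify` helper and the one outside-source row are assumptions made for illustration.

```python
import ipaddress

# Rows taken from the firewall log entries posted in this thread:
# (source IP, source port, destination IP, destination port, protocol)
LOG_ROWS = [
    ("192.168.1.1", 2048, "192.168.1.4", 137, "UDP"),
    ("192.168.1.3", 138, "192.168.1.4", 138, "UDP"),
    ("192.168.1.3", 137, "192.168.1.255", 137, "UDP"),
    ("192.168.1.1", 2058, "239.255.255.250", 1900, "UDP"),
    # Constructed row, not from the thread: NetBIOS arriving from outside the LAN.
    ("203.0.113.7", 137, "192.168.1.4", 137, "UDP"),
]

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: typical /24 home LAN
SERVICES = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    1900: "SSDP/UPnP discovery",
}

def classify(src, sport, dst, dport, proto, lan=LAN):
    """Return (service, scope, verdict) for one firewall log row."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    service = SERVICES.get(dport, "unknown") if proto == "UDP" else "unknown"
    if dst_ip == lan.broadcast_address:
        scope = "LAN broadcast"      # e.g. 192.168.1.255
    elif dst_ip.is_multicast:
        scope = "multicast"          # e.g. 239.255.255.250
    else:
        scope = "unicast"
    # Verdicts encode the advice in the replies: NetBIOS stays on the LAN
    # side of the router, SSDP/UPnP on port 1900 gets blocked.
    if src_ip not in lan:
        verdict = "block: source is outside the LAN"
    elif dport == 1900:
        verdict = "block: SSDP/UPnP"
    elif dport in (137, 138):
        verdict = "allow: LAN-only NetBIOS"
    else:
        verdict = "review"
    return service, scope, verdict

if __name__ == "__main__":
    for row in LOG_ROWS:
        print(row, "->", classify(*row))
```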


#7 HeyWhoa

Posted 06 April 2009 - 05:02 PM

Yes, I have read the reference that you posted but most of it makes no sense to me, and I also have setup Comodo the way JamesFrance said to. I have also disabled SSDP and UPNP and blocked the ports that you mentioned.

It would really help if when you post such questions you'd tell us who is who. You can't get an answer other than guessing if you don't provide details.


That's the thing though, I did not know who is who. I understand that a lack of information can make it tough to answer questions so when I asked this question I provided all the info that I knew, I wasn't even aware that there was more info that I should have provided, but now I know, and have found that, as you said, my router is 192.168.1.1 and another computer is 192.168.1.3. I certainly appreciated all the help that you guys have provided. :thumbsup:

#8 tos226

Posted 06 April 2009 - 07:23 PM

Sure. I understand.
There is a really neat command which can tell much. If you do Start, then Run, then type "cmd" without the quotes you'll get a cmd window.
In that window you type "ipconfig /all" without the quotes and with a space before that "/"
Then you copy and paste what you saw into a post, and we'd know who is who :thumbsup:

And for other connected computers using NetBios, you can see them in TCPview
http://technet.microsoft.com/en-us/sysinte...s/bb897437.aspx
which is a little utility that shows things you're struggling with in Comodo.

And if you still want to play more shutting down the services you don't need, check this out
http://www.blackviper.com/
but please, be careful here. Don't overdo, or your computer won't boot.

#9 rainbow_warrior

Posted 15 August 2009 - 11:24 AM

There is a really neat command which can tell much. If you do Start, then Run, then type "cmd" without the quotes you'll get a cmd window.
In that window you type "ipconfig /all" without the quotes and with a space before that "/"
Then you copy and paste what you saw into a post, and we'd know who is who


Maybe cmd doesn't work in ME. At least my machine doesn't recognize it. Anyway, how would you turn off uPnP on ME? Is uPnP required for instant messaging?

My current ISP is a university dial-up service. So maybe there is nothing to worry about this 239.255.255.250 thing.

#10 tos226

Posted 16 August 2009 - 11:29 AM

Instructions for ME
http://www.ncsu.edu/resnet/security/upnp.php
More information
http://www.grc.com/unpnp/unpnp.htm



