Re: comp.os.linux.networking
- From: "Dan Tseng" <newsgroups@xxxxxxxxxxxxxxx>
- Date: 31 Dec 2006 15:18:09 -0800
This sounds similar to a "NetBios Echo", which you can prevent by
turning off "OK to use NetBIOS 137" on WallWatcher's LOGGING menu.
If you do that and the problem goes away, it probably was an Echo: if
that option's ON, then when WW does an rDNS lookup (convert URL to IP)
and your ISP's Nameserver can't resolve the IP, Windows automatically
sends the request again, but this time, it sends it to the IP address
itself, asking for identification. It rarely gets a reply, but may
need a minute or so to time-out the request. More importantly, your
address has been sent to the remote IP, and if it happens to be a hacker,
he now has confirmation of a valid address (yours). Since you're
behind two firewalls (the router's and your software firewall), your
computer's almost certainly safely protected, but it would be better to
not have your network sending out that information in the first place.

WallWatcher isn't sending your address to those remote sites, it's only
asking Windows to find the URL of an IP. However, there are two ways
to do that, and the NetBios (port 137) approach can result in
contacting the remote site. The other, more modern approach makes the
request only through port 53, and those do not go to unknown remote
sites. That method is used when the "NetBIOS 137" option's turned off:
WW asks Windows to do the lookup, but in a way that won't use NetBIOS.
The advantages of the non-NetBIOS method are 1) it's more secure, and
2) it's generally faster when there's no answer. The drawback is that
the NetBIOS approach has a greater chance of finding the URL.

The original NetBIOS Echo situation usually received probes on port
137, rather than on 1026 or 1027. Either the hackers have gotten more
subtle or these 1026/1027 Inbounds are coincidental to the port 137
Outbounds. Personally, I'm not a great believer in that kind of
coincidence.

If you try turning that option off, please post your results here.
Thanks.

Dan Tseng (WallWatcher author)
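The post above describes two things a firewall log would show when the NetBIOS fallback is in use: an outbound UDP/137 packet to the very address being looked up, and (in the poster's observation) inbound probes on 1026/1027 from the same places shortly afterwards. The script below is an added example, not WallWatcher code or anything from the poster; it parses a constructed, simplified log format (timestamp, direction, protocol, src:port -> dst:port), flags outbound UDP/137 to any address outside a configurable list of local networks, and then correlates each such leak with inbound packets from the same remote address inside a time window. The `LOCAL_NETS` list and the log layout are assumptions for the example; it generalizes the post's case by checking all inbound ports, not only 1026/1027.

```python
"""
Detect "NetBIOS Echo" leaks in a firewall log: outbound UDP/137 packets
to non-local addresses, correlated with later inbound traffic from the
same address. Log format and addresses below are constructed for this
example and are not WallWatcher's own format.
"""
import ipaddress
from datetime import datetime, timedelta

# Networks treated as local (assumed LAN layout; adjust to the site).
# NetBIOS name-service traffic to these is ordinary Windows behaviour;
# the same traffic to anything else is the leak the post describes.
# An explicit list is used rather than ipaddress's is_private, which
# also classifies documentation ranges such as 203.0.113.0/24 as private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

NETBIOS_NS_PORT = 137

# Constructed sample log: one outbound 137 to a remote host, one normal
# DNS query on 53, an inbound 1026 probe from that same remote host,
# a normal local 137 query, and an unrelated inbound 1027 probe.
SAMPLE_LOG = """\
2006-12-31 14:01:05 OUT UDP 192.168.1.10:137 -> 203.0.113.45:137
2006-12-31 14:01:06 OUT UDP 192.168.1.10:53214 -> 198.51.100.2:53
2006-12-31 14:02:40 IN  UDP 203.0.113.45:1026 -> 192.168.1.10:1026
2006-12-31 14:05:00 OUT UDP 192.168.1.10:137 -> 192.168.1.20:137
2006-12-31 14:30:00 IN  UDP 198.51.100.99:1027 -> 192.168.1.10:1027
"""


def is_local(ip_str):
    """True if the address falls inside one of LOCAL_NETS."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in LOCAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    parts = line.split()
    if len(parts) != 7 or parts[5] != "->":
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    src_ip, src_port = parts[4].rsplit(":", 1)
    dst_ip, dst_port = parts[6].rsplit(":", 1)
    return {"time": ts, "dir": parts[2], "proto": parts[3],
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port)}


def parse_log(text):
    """Parse all well-formed lines of a log, skipping anything else."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_netbios_leaks(entries):
    """Outbound UDP/137 packets whose destination is not a local network."""
    return [e for e in entries
            if e["dir"] == "OUT" and e["proto"] == "UDP"
            and e["dst_port"] == NETBIOS_NS_PORT and not is_local(e["dst_ip"])]


def correlate_inbound(entries, leaks, window=timedelta(minutes=10)):
    """Pair each leak with inbound packets from that remote address that
    arrive within `window` after the leak (the post's 1026/1027 follow-ups)."""
    pairs = []
    for leak in leaks:
        deadline = leak["time"] + window
        for e in entries:
            if (e["dir"] == "IN" and e["src_ip"] == leak["dst_ip"]
                    and leak["time"] <= e["time"] <= deadline):
                pairs.append((leak, e))
    return pairs


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    leaks = find_netbios_leaks(entries)
    for leak in leaks:
        print("NetBIOS leak: %s -> %s at %s" %
              (leak["src_ip"], leak["dst_ip"], leak["time"]))
    for leak, probe in correlate_inbound(entries, leaks):
        print("  followed by inbound from %s to port %d at %s" %
              (probe["src_ip"], probe["dst_port"], probe["time"]))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents after adapting `parse_line` to that log's column layout; a non-empty result from `find_netbios_leaks` after the "OK to use NetBIOS 137" option is turned off would mean something other than WallWatcher's lookup is still issuing the port 137 queries.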