17 Replies Latest reply: Aug 5, 2014 1:40 PM by mark133
Blutopia Level 1 (0 points)

netbiosd keeps opening connections to random IP addresses (usually an overseas ISP). Since installing LittleSnitch I've blocked 5 of these connections (2 ISPs in the US, 1 ISP in Poland, 1 ISP in the UK), and am starting to become concerned that I might have some kind of malware.

I installed ClamXav and checked the whole hard drive with the latest definition, but it didn't come up with anything.

Any ideas?


MacBook Pro (15-inch Early 2011), Mac OS X (10.7.2)
  • Linc Davis Level 10 (169,695 points)

    Disable file and printer sharing and it will stop.

  • Blutopia Level 1 (0 points)

    File and Printer sharing is not enabled. I've set a rule in Little Snitch to deny all connections for netbiosd, but it concerns me that something is invoking these connections.

  • Linc Davis Level 10 (169,695 points)

    From the netbiosd man page:

    netbiosd is responsible for interacting with NetBIOS networks. netbiosd registers and defends one or more NetBIOS name[s], depending on the set of configured services. It also browses and scavenges names from the NetBIOS network, making them available to the system through mDNSResponder.

  • Blutopia Level 1 (0 points)

    Hi Linc, thanks for your responses but I'm not sure what to make of your last response. I have firewall software that is telling me netbiosd is opening sockets to IP addresses that resolve to ISPs around the world. I am not running any kind of P2P software or other such networking software that would warrant such connections. The only thing I can think of is that my computer has become infected with some kind of malware, however ClamXAV is not detecting anything.

    I've blocked netbiosd from making any connections at the firewall, but it doesn't fix the root of the issue which is that my system is making mystery connections to IP addresses I do not recognize. I'd posted this question in hopes that someone else has experienced something similar and knows what is going on.

  • Linc Davis Level 10 (169,695 points)

    netbiosd is not malware; it's part of the Mac OS. If you connect directly to the Internet, rather than through a router, it may try to connect to remote hosts. I'd be mildly surprised if it tried to connect through a gateway, but maybe it does.

    If you want to investigate further, you have several options, as detailed in the manual page. You can cause netbiosd to enter a debug mode, or to log all transmitted packets. You can also disable it by entering the following shell command as an administrator:

    sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.netbiosd.plist

    To reverse this action, enter the following:

    sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.netbiosd.plist
    
  • Blutopia Level 1 (0 points)

    Thanks Linc! As an old Windows user I'm familiar with netbios, my concern was more that another piece of software could be using netbios to connect to other computers. I'll try putting it in debug mode and see if I can't get more detail into what it's trying to do.

  • molachai Level 1 (0 points)

    Using LittleSnitch I have received 3 alerts from netbiosd in the past week.

    I have denied all of them after a cursory lookup of the IP addresses using various tools (whois, traceroute).

    The blocked entries were:

    69.70.43.102, port 137

    82.186.105.146, port 47863

    125.239.135.130, port 53659

    Any idea why netbiosd is trying to contact these IP addresses? I would assume this is along the same lines. I'm getting to the point where I am willing to disable/block netbiosd to keep these messages from coming up, but I don't want to risk undue wear and tear by not sleeping.

    I do have screen sharing enabled, but am always behind a firewall. <---don't know if this is related. File and print sharing are not enabled.

    Lion 10.7.4, fully updated. MBP/i7 2.6/8GB

  • Shootist007 Level 6 (16,650 points)

    All those IPs could be a host for some software vendor and it is going out to check the license of the software you installed.

    Or you have bugs in your computers.

  • Shootist007 Level 6 (16,650 points)

    Blutopia wrote:

    Thanks Linc! As an old Windows user I'm familiar with netbios, my concern was more that another piece of software could be using netbios to connect to other computers. I'll try putting it in debug mode and see if I can't get more detail into what it's trying to do.

    Right, all computers today connect to other computers all over the net every time they are started or when you start certain programs. This is common to check for updates and licenses and all sorts of stuff.

    If you watch your router's logs you will see connections going out all the time. Nothing new here.

  • Blutopia Level 1 (0 points)

    Are you connected to a VPN? For me personally, after looking at the NETBIOSD connection requests in LittleSnitch a little more carefully they weren't outbound connections, they were inbound connection requests. Since I was tunneled right through my router (and NATing firewall) it meant that anyone connected to the same VPN could request connections directly with my computer. I disabled NETBIOSD to temporarily solve the problem, but really you need a NAT Firewall between you and the rest of the VPN to be safe as NETBIOS isn't the only protocol that can be used to connect to your computer.
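
A triage sketch for the alert entries listed earlier in this thread, added here as an example and not written by any poster: it parses "IP, port N" lines and labels each by address scope and by whether the remote port is the NetBIOS name service port (UDP 137) or an ephemeral one. The label names and the reading that an ephemeral remote port points to netbiosd answering a query that host sent first are assumptions; the 192.168.1.20 entry is constructed.

```python
import ipaddress
import re

NBNS_PORT = 137  # NetBIOS name service (UDP)

# Entries as posted earlier in the thread, plus one constructed LAN entry.
ALERTS = """\
69.70.43.102, port 137
82.186.105.146, port 47863
125.239.135.130, port 53659
192.168.1.20, port 137
"""

ENTRY = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}),\s*port\s+(\d{1,5})\s*$")


def parse_alerts(text):
    """Yield (ip, port) from 'IP, port N' lines; skip malformed lines."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # e.g. an octet above 255
            continue
        port = int(m.group(2))
        if 0 < port <= 65535:
            yield ip, port


def triage(ip, port):
    """Heuristic label for one netbiosd alert (an assumption, not a verdict)."""
    scope = "lan" if ip.is_private else "internet"
    # Remote port 137: traffic between two name-service ports.
    # Any other remote port: the peer sent from an ephemeral source port,
    # so netbiosd is most plausibly replying to a query that arrived first.
    kind = "name-service" if port == NBNS_PORT else "reply-to-probe"
    return f"{scope}/{kind}"


def summarize(text):
    """Map each alert's remote IP to its triage label."""
    return {str(ip): triage(ip, port) for ip, port in parse_alerts(text)}


if __name__ == "__main__":
    for ip, label in summarize(ALERTS).items():
        print(f"{ip:<16} {label}")
```

An "internet/..." label on a host that is supposed to sit behind NAT is the case worth following up, since it means name-service traffic is being exchanged with hosts outside the local network.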

  • molachai Level 1 (0 points)

    No VPN here. I'll take a look at LittleSnitch to see if they are inbound or outbound....I'd figure inbounds would get blocked at my router but we shall see.

  • molachai Level 1 (0 points)

    I was unable to determine inbound/outbound status. How do you do that in Little Snitch?

    Anyway...got about 10 popups for netbios from LS last night; got so frustrated that I decided to deny all connections for it until I get it sorted.

  • MadMacs0 Level 5 (4,610 points)

    molachai wrote:

    I was unable to determine inbound/outbound status. How do you do that in Little Snitch?

    LS has an icon in the menu bar which lights green/red bars when there is inbound/outbound activity. If you hover the mouse over the bars a window will pop up listing the processes that were last active, and you can cause that window to "stay visible" with a checkbox in the upper right corner or to show automatically on network activity and a few other choices with the gear icon on the upper left.

  • molachai Level 1 (0 points)

    Thanks!
