# Little Snitch keeps alerting me! What is NMDB?



## stizz (Jan 3, 2004)

And why the hell does it keep wanting to access various urls with .nl and .ws suffixes? 

I fear the worst, spyware? malware? something wants to constantly report home. Little snitch tells me that it is an application called "nmdb". a search of my system turned up no such app.

 

The application "nmbd" wants to connect to dup-200-64-161-252.prodigy.net.mx on UDP port 1027

The application "nmbd" wants to connect to 237-ZARA-X13.libre.retevision.es on UDP port 1031 (iad2)


----------



## xauxau (Jan 3, 2004)

stizz said:

> (nmbd question)
> 
> I fear the worst, spyware? malware? something wants to constantly report home. Little snitch tells me that it is an application called "nmdb". a search of my system turned up no such app.



It's part of SAMBA, and is used for Windows network share name browsing.

Xau


----------



## stizz (Jan 3, 2004)

so it is innocuous? or does that mean my mac is trying to contact windoze machines? i just got this one most recently: 

The application "nmbd" wants to connect to ipdial-247-144.info.com.ph on UDP port 1025 (blackjack)


----------



## stizz (Jan 3, 2004)

The application "nmbd" wants to connect to daol-148-235-239-170.atdn.aol.com on UDP port 1031 (iad2)


----------



## stizz (Jan 3, 2004)

oops


----------



## bweylock (Feb 20, 2005)

stizz said:

> so it is innocuous? or does that mean my mac is trying to contact windoze machines? i just got this one most recently:
> 
> The application "nmbd" wants to connect to ipdial-247-144.info.com.ph on UDP port 1025 (blackjack)


Did you ever get an answer anywhere to this question? Boggles my mind that only the two of us would be curious about this. You're the only other person mentioning this in all my google and macfixit searches.


----------



## Darkshadow (Feb 20, 2005)

If you're not connecting to Windows machines or letting them connect with Samba, go into the Sharing preference pane and deselect "Windows Sharing" - that'll stop the messages.


----------



## bweylock (Feb 20, 2005)

Thanks. I do know how to stop them and how to turn off Windows sharing. The problem is that I do need to connect to the PC rather frequently and need to connect to the overall LAN to do any printing.

The other is that I want to know what is going on and why no one seems upset about it. Seems to me that a lot of people have Windows sharing enabled for very good reasons and are probably defenseless against these events.

Yes?

Thanks again.


----------



## nixgeek (Feb 20, 2005)

It's possible that it could be the work of a spammer using the Windows Messaging Service (not MSN messenger, but the Windows Messenger dialogue window that you get when you use "net send" on NT/2K/XP or WinPopUp on Win9x) to deliver spam messages.

If you are not sharing out to Windows machines, turn off Windows Sharing.


----------



## Damrod (Feb 22, 2005)

bweylock said:

> Thanks. I do know how to stop them and how to turn off Windows sharing. The problem is that I do need to connect to the PC rather frequently and need to connect to the overall LAN to do any printing.
> 
> The other is that I want to know what is going on and why no one seems upset about it. Seems to me that a lot of people have Windows sharing enabled for very good reasons and are probably defenseless against these events.
> 
> ...



hm, you could do a whois or a trace to find out where the machine is, and what exactly its name is.

You say you have to connect to a Windows network... ask the administrator of the network if he knows the hostnames and/or IP addresses (I presume you mean a company network, it's not 100% clear from your post). If you don't have to provide data for the Windows machines, turn off Windows File Sharing. For safety's sake alone. 

Best thing would really be to locate the machines nmbd wants to connect to, and to find out if the machines are inside or outside of the LAN. If they're inside, I presume it's standard SAMBA traffic; if they're outside, I would deny the connection for nmbd to the servers.


----------



## pds (Feb 22, 2005)

My machine was doing that and I just told it not to allow it ever. I don't network with PCs much and if I do, I'll just turn off Little Snitch.

No problems since then. I figure it's those pesky ads in html mail.


----------



## Mephisto (Feb 22, 2005)

It is likely an infected PC scanning for other boxes to infect. Port 1025 is a well known vector for a Windows-based worm whose name is escaping me at the moment. If you have a firewall external to your Mac try blocking ports 1025-1031 for everything outside the local subnet.

The problem with the Mac OS X firewall is twofold. It blocks everything on a port or nothing so you cannot restrict access to Windows shares (as an example) to the local subnet. Further I think in 10.3.8 you no longer can block ports used by servers that are active. I used to run FTP and block port 21 except when I needed to receive something but now whenever I have FTP active it opens the port and does not let me close it, which I find highly annoying.


----------



## EvenStranger (Feb 24, 2005)

Sounds like the Remote Storm trojan, possibly on your PC. 

http://www.glocksoft.com/trojan_list/Remote_Storm.htm


----------



## kilamanjaro (Nov 17, 2005)

NMBD network chatter - as flagged up by 'Little Snitch' - has bugged and worried me for a long time (PowerBook G4; Tiger 10.4.3; 1.5GHz; 80GB HD; 768MB RAM). I have FINALLY discovered a solution (though not a reason) that lets you both share on a local area network AND stop nmbd from doing anything on the Net. I've tried it and 'Snitch' has been quiet ever since. I found this (from the developers of Little Snitch) on an extended Google mission:

[Note about instructions (for those who, like me, were initially puzzled by this): when you get to this point ' - Click "Choose..." to select the application type the path to nmdb (/usr/sbin/nmbd) ' AFTER selecting "Choose" you type the path (/usr/sbin/nmbd) into the top right hand window with the magnifier icon in it. A list will come up showing dark grey icons (UNIX processes), amongst which will be 'nmbd'. Select that. ].  

By the way FYI, if you want to look up any of the IP addresses nmbd tries to get to (I don't care anymore!) there's a great lookup service on http://openrbl.org/


From: On Monday, Nov 24, 2003, at 18:24 Europe/Vienna, [EMAIL PROTECTED] wrote:

Hi,

i use windows sharing on my home network to connect a windows laptop to my macs. is it therefore nmbd pops up every few seconds. and is there a rule to block this permanently and to leave samba on my network working

Re: [Littlesnitch-talk] NMBD again
Little Snitch Support
Mon, 24 Nov 2003 13:56:58 -0800

Hi,

Simply add the following rules.

nmbd Allow connections to your local network
nmbd Deny any connection.

Add the rules manually or simply change one of your existing rules.

How to add a rule manually.
- Open the Little Snitch preference pane within the "System Preferences" application.
- Click on the round "lock" button to unlock the preference pane. You will be asked for your username and password.
- By clicking "New..." you can create a new rule.
- Click "Choose..." to select the application, type the path to nmdb (/usr/sbin/nmbd)
- Permission: Select "Allow"
- Server: Select "Any" in your case "local network"
- Port: Select "Any"
- Protocol: Select "Any"
- Click the save Button.

Best regards,
Karl Schwarzott
--
Objective Development
http://www.obdev.at/

Peace,

Kilamanjaro

"Oh do pay attention 007. In the wrong hands, this new Dual-core 3.5GHz PowerBook Intel Mac could be very dangerous."
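
Added example, not part of the thread and not Little Snitch's own code: a small Python model of the "allow local network, then deny any" rule pair for nmbd, applied to alert lines in the format quoted in this thread, which also covers the inside-or-outside-the-LAN check suggested earlier. The LAN range `192.168.1.0/24`, the rule ordering (most specific first) and the sample alerts are assumptions constructed for illustration; a destination shown only as a hostname is treated as not local.

```python
import ipaddress
import re

# Assumption: the home LAN is 192.168.1.0/24; replace with your own subnet.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Model of the two rules quoted above, most specific first: (app, scope, action).
RULES = [
    ("nmbd", "local", "allow"),
    ("nmbd", "any", "deny"),
]

ALERT_RE = re.compile(
    r'The application "(?P<app>[^"]+)" wants to connect to '
    r'(?P<dest>\S+) on (?:UDP|TCP) port (?P<port>\d+)'
)

# Constructed alert lines in the format shown in the thread (not real traffic).
SAMPLE_ALERTS = [
    'The application "nmbd" wants to connect to 192.168.1.20 on UDP port 137',
    'The application "nmbd" wants to connect to 203.0.113.45 on UDP port 1027',
    'The application "nmbd" wants to connect to host.example.net on UDP port 1031 (iad2)',
    'The application "Safari" wants to connect to 198.51.100.7 on TCP port 80',
]

def parse_alert(line):
    """Return (app, destination, port) or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    return (m["app"], m["dest"], int(m["port"])) if m else None

def is_local(dest):
    """True only for an IP literal inside LOCAL_NETS; hostnames count as non-local."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)

def decide(app, dest):
    """First matching rule wins; no matching rule means the user is still asked."""
    for rule_app, scope, action in RULES:
        if rule_app == app and (scope == "any" or is_local(dest)):
            return action
    return "ask"

def triage(lines):
    parsed = (parse_alert(line) for line in lines)
    return [(app, dest, port, decide(app, dest)) for app, dest, port in filter(None, parsed)]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(*row)
```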


----------

