Re: a different, stranger port 137 activity

From: H C (keydet89@yahoo.com)
Date: 10/19/02 

Date: Sat, 19 Oct 2002 04:08:22 -0700 (PDT)
From: H C <keydet89@yahoo.com>
To: "Wisniewski, Michael" <wiz@anl.gov>, "'incidents@securityfocus.com'" <incidents@securityfocus.com>

Mike,

> We've been experiencing a lot of strange port 137
> traffic from one
> of our IP's behind our firewall to somewhere
> offsite. I've been trying to
> track it down but I have been unsuccessful at it.

It sounds as if you have been successful...you've
determined that it's coming from one of your machines,
and going off-site.
 
> But, when I looked at the
> machine, the machine didn't
> have any of the files associated with that
> virus/trojan.

Can you be more specific w/ regards to what you're
referring to? Did you do a search? Or did you run
A/V software?

> Now all this was happening to a web
> server / real audio server for awhile now.

When you say "happening to", do you mean that the
traffic is originating from this box, or is this box
receiving the traffic?
 
> Any help would be greatly appreciated! I just
> don't quite
> understand how this IP is getting through our
> firewall since there are no
> conduits open on port 137.

Your tcpdump shows that the packets are UDP datagrams,
so the term "conduit" doesn't necessarily apply.
Looking at the dump you provided, the traffic looks
pretty normal...NetBIOS name requests going from
machine to machine. One way to test this is to get a
copy of fport.exe from FoundStone's site, and run
that...then see which process is bound to that port.

Again...it looks pretty normal. You said that this
traffic was associated w/ a web server...IIS attempts
a name lookup for the IPs that make connections to GET
web pages, and one of the ways it does the lookup is a
NetBIOS name request.

HTH

__________________________________________________
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Relevant Pages

  • Re: keeping ports open
    ... If a port is open, it means that 1) a software or service is running on your ... and 2) you're not using a firewall or your firewall isn't ... Use firewall software and hardware and antivirus software that is ... Follow the instructions for hardening Windows and IIS at ...
    (microsoft.public.security)
  • Re: How to Maintain an IIS Server?
    ... > server running on a Windows 2000 server. ... before a firewall and antivirus have been installed]. ... open ports; however, this will not identify which program is using the port. ...
    (microsoft.public.inetserver.iis.security)
  • Re: CEICW fails at firewall config
    ... ISA Server prevents connection to a remote desktop when you connect through ... Remote Web Workplace on a Windows Small Business Server 2003-based computer ... Acceleration Server as a firewall. ... connection uses TCP port 4125. ...
    (microsoft.public.windows.server.sbs)
  • Re: How to Maintain an IIS Server?
    ... >> server running on a Windows 2000 server. ... > before a firewall and antivirus have been installed]. ... > program or executable using that port. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Is secedit.exe left by a hacker?
    ... > tested on port 445. ... > I have a Linksys router that I use as a firewall to my ... Secedit.exe is the name of a legitimate Windows file, ... investigate the files on your computer - antivirus with the latest updates ...
    (microsoft.public.win2000.security)