Re: Strange Traffic to ports 139 and 137 from a machine with no data



On 1 Mar 2006 16:33:04 -0000, loki74@xxxxxxxxx <loki74@xxxxxxxxx> wrote:
Also,
I ran Procexp (Sysinternals) and tcpview (Sysinternals) and the process was 'system process'


OK, I have seen something like this before. In our case we got the
following from a box that was a fresh install and patched version of
2003. The systems showed that it was a system process that pops this
out. It will open a connection to 137, 139 randomly between B class
addresses (128.1.0.1 -> 191.255.255.255) with the most between
132.0.0.0 -> 138.0.0.0. Setting up a honeypot that would answer to
anything on the wire basically got a very standard 137, 139 discovery
packet. Once a box on the wire answered, the box would calm down and
only peep every now and then. No unknown data was sent from the box
other than these packets. Box seemed to need a B class address for
this to occur.

Microsoft didn't know what could cause this. Reloading the box with the
same patch sets would make it go away. I didn't have much to see about
this other than the above. [I do not know what registry entries etc.
were turned on/off.]


--
Stephen J Smoogen.
CSIRT/Linux System Administrator
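A defender-side check for the pattern described in the reply above, added here as an example that is not from the thread or from any tool it names: it scans flow-style records for hosts sending 137/139 traffic to many distinct /16 networks inside 128.0.0.0-191.255.255.255 (the old class B space), which is the signature of the random probing Stephen describes. The record format, the sample records, the local network list and the threshold are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (timestamp src dst proto dport), not from the thread:
# 10.1.2.5 probes NetBIOS ports across random /16s, 10.1.2.9 only talks to a
# local file server, and one 445 flow shows that non-NetBIOS ports are ignored.
SAMPLE_FLOWS = """\
2006-03-01T16:30:01 10.1.2.5 132.44.9.17 udp 137
2006-03-01T16:30:03 10.1.2.5 135.200.1.9 tcp 139
2006-03-01T16:30:07 10.1.2.5 137.60.77.3 udp 137
2006-03-01T16:30:11 10.1.2.5 138.12.0.250 tcp 139
2006-03-01T16:30:15 10.1.2.9 10.1.2.20 tcp 139
2006-03-01T16:30:19 10.1.2.9 10.1.2.20 udp 137
2006-03-01T16:30:21 10.1.2.5 10.1.2.20 tcp 445
"""

NETBIOS_PORTS = {137, 139}
# The post reports targets between 128.1.0.1 and 191.255.255.255; 128.0.0.0/2
# covers exactly that class B window.
CLASS_B_SPACE = ipaddress.ip_network("128.0.0.0/2")
# Assumption: the site's own address ranges, excluded so normal file sharing
# to local servers does not trigger the check.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def parse_flow(line):
    """Split one constructed record into (ts, src, dst, proto, dport)."""
    ts, src, dst, proto, dport = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)

def find_netbios_probers(lines, min_distinct_nets=3):
    """Return {src: sorted /16 list} for hosts that sent 137/139 traffic to at
    least min_distinct_nets different /16s in the class B space, local nets excluded."""
    hits = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        _, src, dst, _, dport = parse_flow(line)
        if dport not in NETBIOS_PORTS or dst not in CLASS_B_SPACE:
            continue
        if any(dst in net for net in LOCAL_NETS):
            continue
        # Key on the destination /16: the reported pattern is one probe per random B-class net.
        hits[src].add(str(ipaddress.ip_network(f"{dst}/16", strict=False)))
    return {str(src): sorted(nets) for src, nets in hits.items()
            if len(nets) >= min_distinct_nets}

if __name__ == "__main__":
    for host, nets in find_netbios_probers(SAMPLE_FLOWS.splitlines()).items():
        print(f"{host} sent NetBIOS probes to {len(nets)} distinct /16s: {', '.join(nets)}")
```

A host that matches but sends nothing else unusual fits the benign-looking behaviour in the post; the threshold on distinct /16s is what separates it from ordinary name resolution against one or two remote networks.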