Re: Strange Traffic to ports 139 and 137 from a machine with no data



On 3/2/06, Loki 74 <loki74@xxxxxxxxx> wrote:
Well I have received a few people all exhibiting this, and say it can
occur from a fresh-install, currently patched, no internet connection.
I suggest we investigate more, honeypot, full diff, etc. Anyone
interested in helping?


Ok I am not a windows expert.. so please somebody with more knowledge
jump in. I would look for the following info between machines:

Drivers loaded
Patch set order
Registry dump

looking for data in either ASCII or hex for the IP address that the
box was looking for last. Finding a common denominator may turn out
that the Tornado network driver if loaded with the XYZ chipset causes
it to send calls up the network stack that MS services then send data
out on the network in response to a ghost packet it thought it saw.





--
Stephen J Smoogen.
CSIRT/Linux System Administrator
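The reply above suggests dumping drivers, patch order and the registry from each affected machine and then searching those dumps for the last-contacted IP address "in either ASCII or hex". The following is an added example (not code from the original thread or from any poster) showing how such a search can be done offline: it expands one IPv4 address into the byte forms it typically takes inside Windows artifacts (plain ASCII, UTF-16LE as used by registry strings, raw four-byte network order, byte-reversed order, and hex-encoded text) and reports every offset at which one of them occurs. The `SAMPLE_DUMP` bytes and the address 192.168.1.50 are constructed for illustration only.

```python
import socket


def ip_patterns(ip: str) -> dict:
    """Return the byte patterns under which an IPv4 address may appear in a dump.

    Keys name the encoding so a hit can be triaged: string hits (ascii, utf16le,
    hex text) are usually meaningful; raw 4-byte hits are noisy and need context.
    """
    raw = socket.inet_aton(ip)  # 4 bytes in network (big-endian) order
    hex_text = raw.hex()  # e.g. "c0a80132"
    return {
        "ascii": ip.encode("ascii"),  # "192.168.1.50"
        "utf16le": ip.encode("utf-16-le"),  # registry REG_SZ strings are UTF-16LE
        "raw_be": raw,  # as it sits in a packet header or sockaddr_in
        "raw_le": raw[::-1],  # byte-reversed, as some in-memory structures store it
        "hex_lower": hex_text.encode("ascii"),
        "hex_upper": hex_text.upper().encode("ascii"),
    }


def find_ip(data: bytes, ip: str) -> list:
    """Find every occurrence of `ip` in `data` under all known encodings.

    Returns a sorted list of (offset, encoding_name) tuples.
    """
    hits = []
    for name, pattern in ip_patterns(ip).items():
        start = 0
        while True:
            idx = data.find(pattern, start)
            if idx < 0:
                break
            hits.append((idx, name))
            start = idx + 1  # allow overlapping matches
    return sorted(hits)


def common_encodings(dumps: dict, ip: str) -> set:
    """Given {machine_name: dump_bytes}, return the encodings under which `ip`
    appears on every machine. This is the 'common denominator' check from the
    thread: an artifact shared by all affected boxes is the one worth chasing."""
    per_machine = [{name for _, name in find_ip(data, ip)} for data in dumps.values()]
    if not per_machine:
        return set()
    return set.intersection(*per_machine)


# Constructed sample dump (not real registry data): a fake header, a value
# name, the address as a UTF-16LE string, a loopback address, the target
# address in raw network order, and finally the address as plain ASCII.
SAMPLE_DUMP = (
    b"REGF"
    + b"\x00" * 4
    + b"LastServer\x00"
    + "192.168.1.50".encode("utf-16-le")
    + b"\x00\x00"
    + b"\x7f\x00\x00\x01"
    + socket.inet_aton("192.168.1.50")
    + b"\x00" * 4
    + b"peer=192.168.1.50;"
)


if __name__ == "__main__":
    for offset, encoding in find_ip(SAMPLE_DUMP, "192.168.1.50"):
        print(f"offset 0x{offset:04x}: {encoding}")
```

To use it against real collected artifacts, read each machine's registry hive or driver listing with `open(path, "rb").read()` and pass the bytes to `find_ip`; feed a `{hostname: bytes}` mapping to `common_encodings` to see which representation of the address shows up on every affected box.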
