Security Incidents mailing list archives
Re: a different, stranger port 137 activity
From: H C <keydet89 () yahoo com>
Date: Sat, 19 Oct 2002 04:08:22 -0700 (PDT)
Mike,
We've been experiencing a lot of strange port 137 traffic from one of our IP's behind our firewall to somewhere offsite. I've been trying to track it down but I have been unsuccessful at it.
It sounds as if you have been successful...you've determined that it's coming from one of your machines, and going off-site.
But, when I looked at the machine, the machine didn't have any of the files associated with that virus/trojan.
Can you be more specific w/ regards to what you're referring to? Did you do a search? Or did you run A/V software?
Now all this was happening to a web server / real audio server for awhile now.
When you say "happening to", do you mean that the traffic is originating from this box, or is this box receiving the traffic?
Any help would be greatly appreciated! I just don't quite understand how this IP is getting through our firewall since there are no conduits open on port 137.
Your tcpdump shows that the packets are UDP datagrams, so the term "conduit" doesn't necessarily apply. Looking at the dump you provided, the traffic looks pretty normal...NetBIOS name requests going from machine to machine. One way to test this is to get a copy of fport.exe from FoundStone's site, and run that...then see which process is bound to that port. Again...it looks pretty normal. You said that this traffic was associated w/ a web server...IIS attempts a name lookup for the IPs that make connections to GET web pages, and one of the ways it does the lookup is a NetBIOS name request. HTH __________________________________________________ Do you Yahoo!? Y! Web Hosting - Let the expert host your web site http://webhosting.yahoo.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- a different, stranger port 137 activity Wisniewski, Michael (Oct 18)
- Re: a different, stranger port 137 activity H C (Oct 20)
- Hiding IP addresses in trace data John Kristoff (Oct 21)
- Re: Hiding IP addresses in trace data Jose Nazario (Oct 21)
- Re: Hiding IP addresses in trace data Russell Fulton (Oct 21)
- Re: Hiding IP addresses in trace data Jose Nazario (Oct 21)
- <Possible follow-ups>
- Re: a different, stranger port 137 activity daniele.muscetta (Oct 24)