[isp-tech] RE: Tracking down 'Outbound' port 137 / 139
Turn off NetBIOS under the Network Control Panel/TCP/IP.

http://www.iss.net/security_center/advice/Exploits/Ports/137/default.htm
http://www.iss.net/security_center/advice/Exploits/Ports/139/default.htm
http://www.linklogger.com/TCP139.htm

This isn't really out of the ordinary. Windows uses NetBIOS in some weird ways. I turn it off on all my servers and haven't had a problem so far.

Chris

-----Original Message-----
From: Farrell Christeson [mailto:spamthis@...]
Sent: Monday, October 11, 2004 3:05 AM
To: isp-tech@isp-tech.com
Subject: [isp-tech] Tracking down 'Outbound' port 137 / 139

I have noticed something on my mail server that I don't understand... or maybe I'm just in denial.

After installing a stateful firewall on my Win2kPro Server a while back I noticed bursts of outbound UDP attempts from "Source port 137 to destination IP port 137" and outbound TCP "Source IP 1822 destination IP 139". The destination IP when I first noticed it was always my LAN IP range .255. I disregarded it as Microsoft resource sharing broadcast crap and put hunting it down somewhere towards the bottom of the 'to do' list.

The other day I just happened to be watching the live log in the firewall (I was actually working on a connection issue someone was having with connecting to that server) when I noticed one of those blocked outgoing port 137's wasn't to my network. The firewall allows me to right click the events and look up who owns the IP... it was an IP belonging to AutoDesk.com. First thoughts: "Ok, if this is just MS sharing crap, where did my server come up with the IP for AutoDesk and why is it trying to talk to AutoDesk on 137 in the first place?" I went digging through the logs to see if at any point a connection from any AutoDesk IP had been made to my server (it is a mail server after all) but instead ran into dozens of other events where my server had attempted to connect to other networks on port 137 and 139.

Now I wanted the answer to two questions: why is my server trying to connect to port 137 / 139 on other networks, and where is it getting the IPs for these networks, because my firewall shows no reference to these IPs anywhere other than when my server tries to connect to them on those two ports.

I have run everything from AVG AntiVirus to Trend Micro Antivirus (online HouseCall and downloaded their trialware). Nothing has found a single thing on the system. I even ran Ad-Aware and SpyBot S&D but nothing. HijackThis, and a host of trojan / worm / virus detectors... nothing.

How do I hunt this thing down? Is this normal? Even if it is, where is my server getting the IPs from in the first place? Yes it is a mail server but the IPs it tries to connect to show up nowhere else; I can see all the port 25 traffic but I never see where any of the IPs it tries to connect to show up as ever sending / receiving email to / from the server.

I know that the process doing it is "System" but that is all any software I have found so far can tell me. I have run a dozen programs that should be able to tell me what is opening those ports. The most any program has been able to tell me so far is this:

    System:8 TCP gotrainemail:microsoft-ds gotrainemail:0 LISTENING
    System:8 TCP netbios-ssn gotrainemail:0 LISTENING
    System:8 TCP gotrainemail:1892 localhost:microsoft-ds TIME_WAIT
    System:8 UDP gotrainemail:microsoft-ds *:*
    System:8 UDP train10.train.missouri.org:netbios-ns *:*
    System:8 UDP train10.train.missouri.org:netbios-dgm *:*

That is a paste from Sysinternals TCPView, and it shows pretty much the same thing everything else does. I know it is the microsoft-ds and -ns doing it. I have shut off every service on the server I do not need; I have nothing running that has anything to do with file / print sharing. The box runs as a stand alone server and it does not have any DNS / DOMAIN or any other services running on it.

I have hunted down every process running that I can find and none of them are 'obviously' something that should not be there. "System" does indeed show up in everything I have as PID 8; I can't kill it even if I wanted to. All other processes, in every program I have tried, show not only the process and PID but the name/location of whatever is running it or whatever called whatever is running the process, except for this one. Nothing shows anything about this mysterious process number 8 other than it is 'System'.

Any suggestions? Anyone know of a program that might help to hunt this thing down? Or is this normal on a MS Win2k box?

I'm running:
Win2kPro Server, all patches current (SP4+)
Visnetic MailServer
Visnetic Firewall for Servers
MS SQL 7 Server
Nothing else... not even an email client on the machine.

Thank you in advance for any help or suggestions.

Farrell Christeson

_____________________________________________________
** ISPCON Fall 2004 - Santa Clara Convention Center **
** The ISP and WISP event - http://www.ispcon.com **
** Register at the current rate and bring a buddy too for only $350. **
________________________________________________________
To unsubscribe via postal mail, please contact us at:
Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016
Please include the email address which you have been contacted with.
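A defender's way to answer Farrell's two questions from the firewall log itself, added here as an example; it is not code from the thread, from Visnetic, or from any other product named above. The log line format and the sample lines are constructed, the LAN is assumed to be 192.168.1.0/24, and the script treats 137/138/139/445 as the NetBIOS/SMB ports of interest. It separates ordinary on-subnet and broadcast (.255) name-service noise from off-net attempts, then lists what other traffic the log holds for each off-net destination. On a mail server those destinations are usually the SMTP peers the box has just talked to: Windows 2000 falls back to a NetBIOS node-status query on UDP 137 when it cannot resolve a peer's address to a name through DNS, which is the behaviour Chris's "turn off NetBIOS" advice removes.

```python
"""Triage outbound NetBIOS/SMB attempts in a stateful-firewall log.

Added example, not part of the original thread. The log format below is a
constructed, generic one; adapt LINE_RE to whatever the firewall writes.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# NetBIOS name service (137), datagram service (138), session service (139)
# and direct-hosted SMB (445).
NETBIOS_SMB_PORTS = {137, 138, 139, 445}

# Assumed LAN of the server; the .255 broadcast address lies inside it.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample lines (not real Visnetic Firewall output).
SAMPLE_LOG = """\
2004-10-11 02:58:01 BLOCK OUT UDP 192.168.1.10:137 -> 192.168.1.255:137
2004-10-11 02:58:02 BLOCK OUT TCP 192.168.1.10:1822 -> 192.168.1.20:139
2004-10-11 02:59:14 BLOCK OUT UDP 192.168.1.10:137 -> 203.0.113.45:137
2004-10-11 02:59:15 BLOCK OUT TCP 192.168.1.10:1823 -> 203.0.113.45:139
2004-10-11 03:00:07 ALLOW IN  TCP 203.0.113.45:40022 -> 192.168.1.10:25
2004-10-11 03:01:22 ALLOW OUT TCP 192.168.1.10:1830 -> 198.51.100.7:25
2004-10-11 03:02:45 BLOCK OUT UDP 192.168.1.10:137 -> 198.51.100.7:137
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<dir>IN|OUT)\s+(?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Event:
    ts: str
    action: str
    direction: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_log(text):
    """Parse log text into Event objects, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(
            ts=m["ts"], action=m["action"], direction=m["dir"], proto=m["proto"],
            src=ipaddress.ip_address(m["src"]), sport=int(m["sport"]),
            dst=ipaddress.ip_address(m["dst"]), dport=int(m["dport"]),
        ))
    return events


def offnet_netbios(events, lan=LAN):
    """Outbound NetBIOS/SMB attempts whose destination lies outside the LAN.

    Broadcasts to the local .255 address and peers on the same subnet are the
    ordinary browser/name-service noise; only off-net destinations are kept.
    """
    return [e for e in events
            if e.direction == "OUT"
            and e.dport in NETBIOS_SMB_PORTS
            and e.dst not in lan]


def correlate(events, suspects):
    """For each off-net NetBIOS destination, list the other traffic seen with
    that address as (direction, protocol, port): this shows where the server
    learned the IP (on a mail server, usually an SMTP session)."""
    seen = defaultdict(set)
    for e in events:
        if e.direction == "OUT" and e.dport in NETBIOS_SMB_PORTS:
            continue  # the suspicious traffic itself is not context
        peer = e.src if e.direction == "IN" else e.dst
        seen[str(peer)].add((e.direction, e.proto, e.dport))
    return {str(s.dst): sorted(seen.get(str(s.dst), ())) for s in suspects}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = offnet_netbios(evs)
    for h in hits:
        print(f"{h.ts} {h.proto} -> {h.dst}:{h.dport} ({h.action})")
    for dst, ctx in correlate(evs, hits).items():
        print(f"{dst}: other traffic {ctx or 'none'}")
```

Run against a real log export, every off-net hit should pair with a recent SMTP session for the same address; a hit with no such context is the one worth investigating further. Whether or not NetBIOS over TCP/IP is disabled as Chris suggests, an egress rule that blocks 137-139 and 445 to anything outside the LAN keeps this class of traffic from leaving the server at all.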