Security Incidents mailing list archives
Re: Strange Traffic to ports 139 and 137 from a machine with no data
From: "Stephen J. Smoogen" <smooge () gmail com>
Date: Thu, 2 Mar 2006 07:54:30 -0700
On 3/2/06, Loki 74 <loki74 () gmail com> wrote:
Well I have received a few people all exhibiting this, and say it can occur from a fresh-install, currently patched, no internet connection. I suggest we investigate more, honeypot, full diff, etc. Anyone interested in helping?
OK, I am not a Windows expert... so please somebody with more knowledge jump in. I would look for the following info between machines:

- Drivers loaded
- Patch set order
- Registry dump, looking for data in either ASCII or hex for the IP address that the box was looking for last.

Finding a common denominator may turn out that the Tornado network driver, if loaded with the XYZ chipset, causes it to send calls up the network stack that MS services then send data out on the network in response to a ghost packet it thought it saw.

--
Stephen J Smoogen.
CSIRT/Linux System Administrator
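One way to carry out the registry search suggested above, as an added example that is not part of the original thread: a Python helper that takes the last IP address the box was seen talking to and looks for it in a raw hive or `.reg` export in the encodings Windows actually stores (8-bit string, UTF-16LE REG_SZ, raw big- and little-endian DWORD, and the `dword:` text syntax of a `.reg` file). The address 192.0.2.10, the sample dump and the function names are constructed for illustration.

```python
import ipaddress
import re


def ip_encodings(ip: str) -> dict[str, bytes]:
    """Byte patterns a dotted-quad IPv4 address can take inside a registry dump."""
    packed = ipaddress.IPv4Address(ip).packed  # 4 bytes, network (big-endian) order
    return {
        "ascii": ip.encode("ascii"),            # dotted quad as an 8-bit string
        "utf16le": ip.encode("utf-16-le"),      # REG_SZ / REG_MULTI_SZ are UTF-16LE
        "be_dword": packed,                     # raw value, network byte order
        "le_dword": packed[::-1],               # raw REG_DWORD as stored on x86
        "reg_dword_text": b"dword:" + packed.hex().encode("ascii"),  # .reg export form
    }


def find_ip(blob: bytes, ip: str) -> list[tuple[str, int]]:
    """Return (encoding, byte offset) for every place the address appears in blob."""
    hits = []
    for name, pattern in ip_encodings(ip).items():
        for m in re.finditer(re.escape(pattern), blob):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample dump: not a real hive, just three encodings of the same
# address separated by zero padding, standing in for a binary registry export.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "192.0.2.10".encode("utf-16-le")      # REG_SZ style value at offset 16
    + b"\x00" * 8
    + b"\x0a\x02\x00\xc0"                   # little-endian REG_DWORD at offset 44
    + b"\x00" * 8
    + b"NameServer=192.0.2.10\x00"          # 8-bit string; address at offset 67
)

if __name__ == "__main__":
    for name, offset in find_ip(SAMPLE_DUMP, "192.0.2.10"):
        print(f"{name:>15} at offset 0x{offset:04x}")
```

Run it against a hive file exported from each machine in the comparison; the same address turning up in the same key on boxes that never shared a network is the common denominator the thread is looking for.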