Security Incidents mailing list archives
Re: Strange Traffic to ports 139 and 137 from a machine with no data
From: "Loki 74" <loki74 () gmail com>
Date: Thu, 2 Mar 2006 09:45:26 -0500
Well, I have received a few people all exhibiting this, and they say it can occur from a fresh install, currently patched, no internet connection. I suggest we investigate more: honeypot, full diff, etc. Anyone interested in helping?

On 3/2/06, LE Backup <lucretias () shaw ca> wrote:

> Sorry for the oversimplification, but are you saying this is normal? Is there anyone from Microsoft that would care to comment on this?
>
> Cheers,
> James Friesen, CIO
> Lucretia Enterprises
> "Our World Is Here..."
> Info at lucretia dot ca
> http://lucretia.ca
>
> -----Original Message-----
> From: Stephen J. Smoogen [mailto:smooge () gmail com]
> Sent: Wednesday, March 01, 2006 12:35 PM
> To: loki74 () gmail com
> Cc: incidents () securityfocus com
> Subject: Re: Strange Traffic to ports 139 and 137 from a machine with no data
>
> On 1 Mar 2006 16:33:04 -0000, loki74 () gmail com <loki74 () gmail com> wrote:
>
> > Also, I ran Procexp (Sysinternals) and tcpview (Sysinternals) and the process was 'system process'.
>
> Ok, I have seen something like this before. In our case we got the following from a box that was a fresh install and patched version of 2003. The systems showed that it was a system process that pops this out. It will open a connection to 137, 139 randomly between B class addresses (128.1.0.1 -> 191.255.255.255) with the most between 132.0.0.0 -> 138.0.0.0. Setting up a honeypot that would answer to anything on the wire basically got a very standard 137, 139 discovery packet. Once a box on the wire answered, the box would calm down and only peep every now and then. No unknown data was sent from the box other than these packets. Box seemed to need a B class address for this to occur. Microsoft didn't know what could cause this. Reloading the box with the same patch sets would make it go away. I didn't have much to see about this other than the above. [I do not know what registry entries etc. were turned on/off.]
>
> --
> Stephen J Smoogen.
> CSIRT/Linux System Administrator
>
> _____
> avast! Antivirus <http://www.avast.com>: Outbound message clean.
> Virus Database (VPS): 0609-1, 03/01/2006
> Tested on: 3/2/2006 7:29:13 AM
> avast! - copyright (c) 1988-2005 ALWIL Software.
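As an added example (not code from anyone in this thread), here is a small detection pass over firewall-style flow records that flags the pattern Stephen describes: a single host probing NetBIOS ports (137/139) across many distinct class B networks, which a normal LAN browser election never does. The flow records and the `min_distinct` threshold are constructed for illustration.

```python
"""Flag hosts spraying NetBIOS probes (137/139) across random class B networks."""
import ipaddress
from collections import defaultdict

# Constructed sample flow records: "src dst dport proto" (not real traffic).
SAMPLE_FLOWS = """\
10.0.5.20 135.12.4.7 137 udp
10.0.5.20 133.200.1.9 139 tcp
10.0.5.20 137.55.9.2 137 udp
10.0.5.20 188.3.3.3 139 tcp
10.0.5.20 134.1.1.1 137 udp
10.0.5.21 10.0.5.1 139 tcp
10.0.5.21 10.0.5.1 137 udp
10.0.5.22 192.168.1.5 80 tcp
"""

NETBIOS_PORTS = {137, 139}
# Classic class B space, 128.0.0.0-191.255.255.255, matches the range in the thread.
CLASS_B = ipaddress.ip_network("128.0.0.0/2")


def parse_flows(text):
    """Parse whitespace-separated flow lines into (src, dst, dport, proto) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto = line.split()
        records.append((src, dst, int(dport), proto))
    return records


def netbios_sprayers(records, min_distinct=3):
    """Return {src: sorted /16 networks} for sources that hit 137/139 on at
    least min_distinct distinct public class B networks. Private (own-LAN)
    destinations are ignored, so ordinary name resolution never trips this."""
    nets = defaultdict(set)
    for src, dst, dport, _proto in records:
        if dport not in NETBIOS_PORTS:
            continue
        ip = ipaddress.ip_address(dst)
        if ip.is_private or ip not in CLASS_B:
            continue
        nets[src].add(str(ipaddress.ip_network(f"{dst}/16", strict=False)))
    return {s: sorted(n) for s, n in nets.items() if len(n) >= min_distinct}


if __name__ == "__main__":
    for src, nets in netbios_sprayers(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} probed NetBIOS on {len(nets)} class B networks: {nets}")
```

A host that only ever answers a single /16 after a honeypot responds, as in Stephen's observation, drops below the threshold once the spraying stops.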
Current thread:
- Re: Strange Traffic to ports 139 and 137 from a machine with no data Joachim Schipper (Mar 01)
- <Possible follow-ups>
- Re: Strange Traffic to ports 139 and 137 from a machine with no data loki74 (Mar 01)
- Re: Strange Traffic to ports 139 and 137 from a machine with no data loki74 (Mar 01)
- Re: Strange Traffic to ports 139 and 137 from a machine with no data Stephen J. Smoogen (Mar 01)
- Message not available
- Re: Strange Traffic to ports 139 and 137 from a machine with no data Loki 74 (Mar 02)
- Re: Strange Traffic to ports 139 and 137 from a machine with no data Stephen J. Smoogen (Mar 02)
- Re: Strange Traffic to ports 139 and 137 from a machine with no data Stephen J. Smoogen (Mar 01)
- Message not available
- Re: Strange Traffic to ports 139 and 137 from a machine with no data Stephen J. Smoogen (Mar 02)