Security Basics mailing list archives
Re: UDP Port 137 Question
From: H Carvey <keydet89 () yahoo com>
Date: 21 Jan 2004 14:18:31 -0000
In-Reply-To: <Law15-F11gJCSij2iVE0005941d () hotmail com>
> Please help me to isolate what I am facing? This should not be a normal Traffic Pattern, since only a couple of my servers are producing this traffic
Okay, so you've got A/V running and you've looked for specific bits of malware. So perhaps it's safe to assume, for now, that these servers aren't infected.

So, what services are these systems running? Is either one running IIS? What about other processes? You're likely going to find that the Windows system itself is using UDP 137, but there may be some other activity causing this traffic...have you tried correlating the running processes and services with the output of a process-to-port mapping tool such as openports.exe (better than fport)? Have you tried scanning the systems using nmap, then correlating that output to the process-to-port mapping tool, and netstat?

My point is that the traffic could be legit...I seem to remember from a while ago that systems running IIS would attempt to do name lookups of clients, using the NetBIOS name requests. However, I can't say that such would be the case now, or with this traffic...so I'm trying to prompt you to collect more information.

Another option would be to run Ethereal and capture the entire contents of the UDP datagrams...

HTH,
Harlan
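Once the UDP 137 datagrams have been captured as suggested above, decoding each payload as a NetBIOS name service query (RFC 1001/1002) shows which name is being asked for and whether it is a name query or a node-status request. The following is an added example, not part of the original post; the function names and the two sample payloads are constructed for illustration.

```python
import struct

QTYPES = {0x0020: "NB (name query)", 0x0021: "NBSTAT (node status)"}

def decode_nb_name(encoded: bytes):
    """Undo RFC 1001 first-level encoding: 32 letters 'A'..'P' -> 16 raw bytes."""
    if len(encoded) != 32 or any(not 0x41 <= b <= 0x50 for b in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    # Bytes 0-14: padded name; byte 15: suffix identifying the service type.
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]

def parse_nbns_query(payload: bytes) -> dict:
    """Parse the header and first question of a UDP 137 datagram payload."""
    if len(payload) < 50:  # 12 header + 34 encoded name + 4 type/class
        raise ValueError("too short for an NBNS question")
    txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    if qdcount < 1 or payload[12] != 0x20 or payload[45] != 0x00:
        raise ValueError("no single-label NetBIOS question present")
    name, suffix = decode_nb_name(payload[13:45])
    qtype, _qclass = struct.unpack("!2H", payload[46:50])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),   # R bit
        "broadcast": bool(flags & 0x0010),     # B bit
        "name": name,
        "suffix": suffix,
        "qtype": QTYPES.get(qtype, hex(qtype)),
    }

# Constructed sample payloads (not captured from any real host).
COUNTS_TAIL = bytes(6)  # ANCOUNT, NSCOUNT, ARCOUNT all zero
# Unicast node-status query for the wildcard name "*".
NODE_STATUS = (bytes.fromhex("1a2b00000001") + COUNTS_TAIL + b"\x20"
               + b"CK" + b"A" * 30 + b"\x00" + bytes.fromhex("00210001"))
# Broadcast name query for "HOSTA" with suffix 0x20.
NAME_QUERY = (bytes.fromhex("3c4d01100001") + COUNTS_TAIL + b"\x20"
              + b"EIEPFDFEEB" + b"CA" * 11 + b"\x00" + bytes.fromhex("00200001"))

if __name__ == "__main__":
    for label, pkt in (("node status", NODE_STATUS), ("name query", NAME_QUERY)):
        print(label, parse_nbns_query(pkt))
```

A node-status query for `*` is what `nbtstat -A <ip>` sends to ask a host for its name table, so a run of these aimed at client addresses reads as reverse name lookups rather than name registration or browsing traffic.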