Security Basics mailing list archives

Re: UDP Port 137 Question


From: H Carvey <keydet89 () yahoo com>
Date: 21 Jan 2004 14:18:31 -0000

In-Reply-To: <Law15-F11gJCSij2iVE0005941d () hotmail com>


> Please help me to isolate what I am facing. This should not be a normal
> traffic pattern, since only a couple of my servers are producing this traffic.

Okay, so you've got A/V running and you've looked for specific bits of malware.  So perhaps it's safe to assume, for 
now, that these servers aren't infected.

So, what services are these systems running?  Is either one running IIS?  What about other processes?  You're likely 
going to find that the Windows system itself is using UDP 137, but there may be some other activity causing this 
traffic...have you tried correlating the running processes and services with the output of a process-to-port mapping tool 
such as openports.exe (better than fport)?  Have you tried scanning the systems using nmap, then correlating that 
output to the process-to-port mapping tool, and netstat?

My point is that the traffic could be legit...I seem to remember from a while ago that systems running IIS would 
attempt to do name lookups of clients, using the NetBIOS name requests.  However, I can't say that such would be the 
case now, or with this traffic...so I'm trying to prompt you to collect more information. 

Another option would be to run Ethereal and capture the entire contents of the UDP datagrams...

HTH,

Harlan
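As an added illustration (not part of Harlan's reply or of the thread), here is a small Python decoder for the NetBIOS name-service datagrams that a capture on UDP 137 would show, so the name being looked up and the query type (name query vs. node status) can be read off each packet. The two sample datagrams it builds are constructed here; the host name and transaction IDs are made up.

```python
import struct

# Constructed sample data only; nothing here is taken from the original post.
QTYPES = {0x0020: "NB (name query)", 0x0021: "NBSTAT (node status)"}

def encode_nb_name(name, suffix=0x00, pad=b" "):
    """First-level encode a NetBIOS name: 15 chars + suffix byte, each nibble + 'A'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)

def decode_nb_name(encoded):
    """Reverse the half-ASCII encoding; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(" \x00"), raw[15]

def build_nbns_query(txid, name, suffix, qtype, pad=b" "):
    """Build a UDP/137 name-service query datagram (constructed test input)."""
    flags = 0x0110                                              # RD + B (broadcast)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT = 1
    question = b"\x20" + encode_nb_name(name, suffix, pad) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 0x0001)

def parse_nbns_query(datagram):
    """Parse the header and question section of an NBNS datagram."""
    txid, flags, qdcount = struct.unpack("!HHH", datagram[:6])
    pos, questions = 12, []                                     # skip AN/NS/AR counts
    for _ in range(qdcount):
        if datagram[pos] != 0x20:
            raise ValueError("unexpected NetBIOS label length")
        name, suffix = decode_nb_name(datagram[pos + 1:pos + 33])
        if datagram[pos + 33] != 0x00:
            raise ValueError("missing name terminator")
        qtype, qclass = struct.unpack("!HH", datagram[pos + 34:pos + 38])
        pos += 38
        questions.append({"name": name, "suffix": suffix,
                          "qtype": QTYPES.get(qtype, hex(qtype))})
    return {"txid": txid, "response": bool(flags & 0x8000),
            "broadcast": bool(flags & 0x0010), "questions": questions}

if __name__ == "__main__":
    # Two constructed datagrams: a name query and a node-status ("*") request.
    for dg in (build_nbns_query(0x1234, "fileserver", 0x20, 0x0020),
               build_nbns_query(0x1235, "*", 0x00, 0x0021, pad=b"\x00")):
        print(parse_nbns_query(dg))
```

Feeding it the UDP payloads from a real capture (for example exported from Ethereal) shows whether a server is doing ordinary name lookups of its clients or something else.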
