Security Incidents mailing list archives
RE: Internal Machine making many attempts to connect to Internet on 137
From: "Robert Graham" <list-focus-incidents () robertgraham com>
Date: 12 Dec 2001 00:56:15 -0000
I wouldn't be so quick to cry foul. The connections to port 137 seem to be just regular NetBios name requests. Windows tries to figure out what is the name of the machine on the other end of some connection, and failing to find it in DNS, it does a NetBios lookup.
You might want to read my writeup on netbios: http://www.robertgraham.com/pubs/firewall-seen.html#netbios

A good bet is that the server is Windows based, and is either resolving addresses in real-time, or posting processing logfiles. It might be the line:

    168 MHSS -> 80 TCP D:\STATISTICSSERVER\MHSS.EXE

Which is probably doing all the reverse resolutions.

Note that you've got the Compaq process running:

    216 Surveyor -> 2301 TCP C:\compaq\survey\Surveyor.EXE

Very bad -- wide open root exploit on this service. You've also got SNMP running. Likewise bad. I'm assuming these process 2301 and 161 are firewalled :-)
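Added example, not part of the original message: a way to check whether captured UDP/137 payloads are the kind of name lookup described above. It assumes the lookup takes the form of an RFC 1002 node status (NBSTAT) request for the wildcard name `*`; the function names and the sample packet are constructed for illustration.

```python
import struct

NB = 0x0020      # QTYPE: general name service query (RFC 1002)
NBSTAT = 0x0021  # QTYPE: node status request (RFC 1002)

def decode_nb_name(encoded: bytes) -> str:
    """Undo RFC 1001 first-level encoding: every byte of the 16-byte name
    was split into two nibbles, each sent as 'A' + nibble."""
    if len(encoded) != 32 or any(not 0x41 <= b <= 0x50 for b in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    # 15 name bytes padded with spaces or NULs, then a one-byte suffix
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace")

def classify_nbns(payload: bytes) -> dict:
    """Classify the UDP payload of a packet sent to port 137."""
    if len(payload) < 12 + 1 + 32 + 1 + 4:
        raise ValueError("too short for an NBNS question")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    # Expect one 32-byte label and a root terminator (no scope ID)
    if payload[12] != 0x20 or payload[45] != 0x00:
        raise ValueError("unexpected name layout (scope ID or compression)")
    name = decode_nb_name(payload[13:45])
    qtype, _qclass = struct.unpack("!2H", payload[46:50])
    is_query = (flags & 0x8000) == 0 and qd == 1 and an == 0
    return {
        "txid": txid, "is_query": is_query, "name": name, "qtype": qtype,
        # Wildcard node status: "what is the name of the host at this IP?"
        "wildcard_node_status": is_query and qtype == NBSTAT and name == "*",
    }

# Constructed sample: node status request for "*" ("CK" + 30 x "A" on the wire)
SAMPLE = (struct.pack("!6H", 0x1234, 0x0000, 1, 0, 0, 0)
          + b"\x20" + b"CK" + b"A" * 30 + b"\x00"
          + struct.pack("!2H", NBSTAT, 0x0001))

if __name__ == "__main__":
    print(classify_nbns(SAMPLE))
```

Payloads that fail to parse, or that parse as something other than a wildcard node status request, are the ones worth a closer look in the capture.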