Security Incidents mailing list archives

RE: Internal Machine making many attempts to connect to Internet on 137


From: "Robert Graham" <list-focus-incidents () robertgraham com>
Date: 12 Dec 2001 00:56:15 -0000

I wouldn't be so quick to cry foul.  The connections to port 137 seem to be
just regular NetBios name requests.  Windows tries to figure out what is the
name of the machine on the other end of some connection, and failing to find
it in DNS, it does a NetBios lookup.  

You might want to read my writeup on netbios:
http://www.robertgraham.com/pubs/firewall-seen.html#netbios

A good bet is that the server is Windows based, and is either resolving
addresses in real-time, or post-processing logfiles. It might
be the line:
168   MHSS           ->  80    TCP   D:\STATISTICSSERVER\MHSS.EXE  
Which is probably doing all the reverse resolutions.

Note that you've got the Compaq process running:
216   Surveyor       ->  2301  TCP   C:\compaq\survey\Surveyor.EXE 
Very bad -- wide open root exploit on this service.

You've also got SNMP running. Likewise bad.

I'm assuming these process 2301 and 161 are firewalled :-)



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
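
To check whether captured port 137 traffic really is the routine name lookup described in the message above, the UDP payload can be decoded against the NetBIOS Name Service format in RFC 1001/1002. This is an added example, not part of the original post: the function names are hypothetical and the sample packet is constructed, and it assumes the lookup takes the form of a node status (NBSTAT) request for the wildcard name "*".

```python
import struct

NB, NBSTAT = 0x0020, 0x0021          # RFC 1002 question types
WILDCARD = b"*" + b"\x00" * 15       # the "*" name used for node status queries

def decode_nb_name(label: bytes) -> bytes:
    """Undo RFC 1001 first-level encoding: 32 letters 'A'..'P' -> 16 raw bytes."""
    if len(label) != 32 or any(not 0x41 <= c <= 0x50 for c in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                 for i in range(0, 32, 2))

def classify_udp137(payload: bytes) -> str:
    """Label one UDP/137 payload for triage of firewall or sniffer captures."""
    if len(payload) < 50:            # 12 header + 34 name + 4 type/class
        return "malformed"
    _txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    if flags & 0x8000:               # R bit set: this is a reply, not a request
        return "response"
    opcode = (flags >> 11) & 0xF
    if opcode != 0 or qdcount != 1 or payload[12] != 0x20 or payload[45] != 0:
        return "other"               # registration/refresh, scoped name, etc.
    try:
        name = decode_nb_name(payload[13:45])
    except ValueError:
        return "malformed"
    qtype, _qclass = struct.unpack("!2H", payload[46:50])
    if qtype == NBSTAT and name == WILDCARD:
        return "nbstat-wildcard"     # "what is your name?" sent to a bare IP
    if qtype == NB:
        return "name-query:" + name[:15].decode("ascii", "replace").rstrip()
    return "other"

# Constructed sample: a node status request for "*", not traffic from the thread.
SAMPLE_NBSTAT_QUERY = (
    struct.pack("!6H", 0x1234, 0x0000, 1, 0, 0, 0)
    + b"\x20" + b"CK" + b"A" * 30 + b"\x00"
    + struct.pack("!2H", NBSTAT, 0x0001)
)

if __name__ == "__main__":
    print(classify_udp137(SAMPLE_NBSTAT_QUERY))
```

Payloads labelled `nbstat-wildcard` match the benign lookup pattern; anything labelled `other` or `malformed` on port 137 deserves a closer look.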

