Security Incidents mailing list archives

Re: Strange Traffic to ports 139 and 137 from a machine with no data


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Tue, 28 Feb 2006 17:50:55 -0500

On 28 Feb 2006 16:31:55 -0000, loki74 () gmail com <loki74 () gmail com> wrote:
> Hello all,
> I have a machine that is sending out empty data packets destined to random IP addresses with a destination port of
> 137 and 139. All the IP addresses seem to be military and NOC locations. I have attached some of the IPs below.
> I have run antivirus, anti-spyware and rootkit detectors (Sysinternals and F-Prot); all came up empty. I had found
> one other person on the internet that seemed to have this problem, but no resolution. Any ideas?

Find when the traffic started and try to correlate suspicious log
entries and file timestamps to the start of the traffic.

Also try netstat -avonb (the -b being the important one) if this is an
XP box, and look for suspicious bindings to the above mentioned ports.

Also, take the HDD of the offending PC and hook it up as a slave
device to another winbox; this is the only for-sure method of finding
a rootkit.

-JP
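The two checks suggested in the reply above (read `netstat -b` for processes holding sockets to ports 137/139, and correlate file timestamps with the moment the traffic started) are simple enough to script. The following is an added example, not code from the poster or the list: it parses output in the layout `netstat -anob` prints on Windows XP (socket line, then the owning image in square brackets; with `-v` the extra unbracketed component lines are simply skipped) and flags the process behind any socket whose foreign port is 137 or 139, then lists files whose modification time falls in a window around a given onset time. The netstat text, the file timestamps, the onset time and the image name `unknown.exe` are all constructed for the example and are not the poster's data.

```python
"""Triage helpers for the reply above: find the process behind sockets aimed
at remote ports 137/139 in `netstat -anob` output, and correlate file
modification times with the time the traffic was first seen.
All sample data below is constructed, not taken from the poster's machine."""
import re
from datetime import datetime, timedelta

SUSPECT_PORTS = {137, 139}

# Constructed sample in Windows XP's `netstat -anob` layout: each socket line
# is followed by the owning image name in square brackets.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1045       10.20.30.40:139        SYN_SENT        1432
  [svchost.exe]
  TCP    192.168.1.5:1046       172.16.9.8:139         SYN_SENT        1432
  [svchost.exe]
  TCP    192.168.1.5:1047       10.20.30.44:445        ESTABLISHED     4
  [System]
  UDP    192.168.1.5:137        *:*                                    4
  [System]
  UDP    0.0.0.0:1048           *:*                                    2212
  [unknown.exe]
"""

# Socket line: proto, local, foreign, optional state (UDP has none), PID.
SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# Image line printed by -b; -v adds unbracketed DLL lines that we ignore.
IMAGE_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat(text):
    """Return one dict per socket line, with the bracketed image name from the
    following line(s) attached to it."""
    sockets = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            sockets.append({"proto": proto, "local": local, "foreign": foreign,
                            "state": state, "pid": int(pid), "image": None})
            continue
        m = IMAGE_RE.match(line)
        if m and sockets and sockets[-1]["image"] is None:
            sockets[-1]["image"] = m.group(1)
    return sockets


def remote_port(addr):
    """Port of a 'host:port' string; None for '*:*' or anything unparsable."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def suspicious_bindings(sockets, ports=SUSPECT_PORTS):
    """Group sockets whose foreign port is in `ports` by (pid, image), so the
    process generating the 137/139 traffic stands out."""
    by_proc = {}
    for s in sockets:
        if remote_port(s["foreign"]) in ports:
            by_proc.setdefault((s["pid"], s["image"]), []).append(s["foreign"])
    return by_proc


def files_changed_near(onset, file_mtimes, before=timedelta(hours=24),
                       after=timedelta(hours=1)):
    """(path, mtime) pairs modified inside [onset-before, onset+after],
    oldest first; a dropper usually lands shortly before traffic begins."""
    lo, hi = onset - before, onset + after
    hits = [(p, t) for p, t in file_mtimes.items() if lo <= t <= hi]
    return sorted(hits, key=lambda pt: pt[1])


# Constructed: time the first outbound 137/139 packet appeared in a firewall log.
TRAFFIC_ONSET = datetime(2006, 2, 26, 3, 12)
# Constructed: a few (path, mtime) pairs as one might collect with dir /T:W.
SAMPLE_MTIMES = {
    r"C:\WINDOWS\system32\kernel32.dll": datetime(2005, 8, 4, 12, 0),
    r"C:\WINDOWS\system32\unknown.exe": datetime(2006, 2, 26, 3, 5),
    r"C:\WINDOWS\system32\drivers\etc\hosts": datetime(2006, 2, 26, 3, 6),
    r"C:\Documents and Settings\user\My Documents\notes.txt": datetime(2006, 2, 27, 9, 0),
}

if __name__ == "__main__":
    for (pid, image), peers in suspicious_bindings(parse_netstat(SAMPLE_NETSTAT)).items():
        print(f"PID {pid} [{image}] -> {', '.join(peers)}")
    for path, mtime in files_changed_near(TRAFFIC_ONSET, SAMPLE_MTIMES):
        print(f"{mtime:%Y-%m-%d %H:%M}  {path}")
```

On a live box, pipe `netstat -anob` (or `-anobv`) into a file from an elevated prompt and feed that text to `parse_netstat`; the `-n` flag keeps the addresses numeric so the port split above works, and the timestamp window is deliberately wide on the "before" side because the traffic may not start until a reboot or scheduled trigger after the file was dropped.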

