Security Incidents mailing list archives

Re: Strange Traffic to ports 139 and 137 from a machine with no data


From: Stef <stefmit () gmail com>
Date: Tue, 28 Feb 2006 16:18:30 -0600

Can you set up a packet capture of some sort (windump, tethereal),
with whole frame snaplength (-s 1514), and analyze or post the
results?

Stef

On 28 Feb 2006 16:31:55 -0000, loki74 () gmail com <loki74 () gmail com> wrote:
Hello all,
I have a machine that is sending out empty data packets destined to random IP addresses with a destination port of 137 and 139. All the IP addresses seem to be military and NOC locations. I have attached some of the IPs below. I have run antivirus, anti-spyware and rootkit detectors (Sysinternals, and F-Prot); all came up empty. I had found one other person on the internet that seemed to have this problem, but no resolution. Any ideas?
<snip>
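
One way to triage a capture like the one requested above, as an added example that is not part of the original thread: it tallies packets to ports 137 and 139 per destination, marks the ones with no payload, and counts frames the snaplen cut short. The names `summarize`, `make_frame` and `make_pcap` are hypothetical, and the sample frames and addresses (documentation ranges) are constructed.

```python
import socket
import struct
from collections import Counter

def summarize(pcap):
    """Tally IPv4 packets to ports 137/139 in a classic pcap byte string."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap capture")
    hits, truncated, off = Counter(), 0, 24  # records follow the 24-byte header
    while off + 16 <= len(pcap):
        incl, orig = struct.unpack(order + "II", pcap[off + 8:off + 16])
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        truncated += incl < orig  # snaplen cut this frame short
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        l4 = 14 + ihl
        if proto not in (6, 17) or len(frame) < l4 + (13 if proto == 6 else 8):
            continue  # not TCP/UDP, or transport header missing
        dport, = struct.unpack("!H", frame[l4 + 2:l4 + 4])
        if dport not in (137, 139):
            continue
        l4_hdr = (frame[l4 + 12] >> 4) * 4 if proto == 6 else 8
        payload = struct.unpack("!H", frame[16:18])[0] - ihl - l4_hdr
        key = (socket.inet_ntoa(frame[30:34]), "tcp" if proto == 6 else "udp", dport)
        hits[key + (payload == 0,)] += 1  # last field: True when no payload
    return hits, truncated

def make_frame(dst, proto, dport, payload=b""):
    """Constructed Ethernet/IPv4 frame from 192.0.2.10; checksums left at zero."""
    if proto == 6:  # TCP SYN with a 20-byte header
        l4 = struct.pack("!HHIIBBHHH", 1025, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:  # UDP
        l4 = struct.pack("!HHHH", 1025, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 128,
                     proto, 0, socket.inet_aton("192.0.2.10"), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload

def make_pcap(frames, snaplen=1514):  # constructed capture, Ethernet link type
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, min(len(f), snaplen), len(f)) + f[:snaplen]
    return out

# Constructed sample: two empty TCP/139, two UDP/137 (one with data), one TCP/80.
FRAMES = [make_frame("198.51.100.7", 6, 139), make_frame("203.0.113.9", 17, 137),
          make_frame("198.51.100.7", 6, 139), make_frame("203.0.113.20", 6, 80),
          make_frame("203.0.113.9", 17, 137, b"\x00" * 50)]
SAMPLE = make_pcap(FRAMES)
```

`summarize(SAMPLE)` returns the per-destination counts and a truncated-frame count of 0; rebuilding the same frames with a short snaplen shows why the whole-frame setting matters, since every frame is then counted as truncated and none can be classified.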

