>I wouldn't be so quick to cry foul. The connections to port 137 seem to be
>just regular NetBios name requests. Windows tries to figure out what is the
>name of the machine on the other end of some connection, and failing to find
>it in DNS, it does a NetBios lookup.

You might want to read my writeup on netbios:
http://www.robertgraham.com/pubs/firewall-seen.html#netbios

A good bet is that the server is Windows based, and is either resolving addresses in real-time, or posting processing logfiles. It might be the line:

    168 MHSS -> 80 TCP D:\STATISTICSSERVER\MHSS.EXE

Which is probably doing all the reverse resolutions.

Note that you've got the Compaq process running:

    216 Surveyor -> 2301 TCP C:\compaq\survey\Surveyor.EXE

Very bad -- wide open root exploit on this service. You've also got SNMP running. Likewise bad. I'm assuming these process 2301 and 161 are firewalled :-)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
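
Added example, not part of the original post: a Python sketch that decodes a UDP/137 payload in the RFC 1001/1002 name service format and separates the wildcard node status query used for the reverse lookups described above from an ordinary name query. The function names and both sample packets are constructed for illustration.

```python
import struct

NB, NBSTAT = 0x0020, 0x0021   # RFC 1002 question types
A, P = 0x41, 0x50             # encoded name bytes are letters 'A'..'P'

def encode_nb_name(raw16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each byte becomes two letters."""
    return bytes(b for c in raw16 for b in (A + (c >> 4), A + (c & 0xF)))

def decode_nb_name(enc: bytes) -> str:
    """Undo the encoding; drop the 16th (suffix) byte and the padding."""
    raw = bytes(((enc[i] - A) << 4) | (enc[i + 1] - A) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace")

def classify_udp137(payload: bytes) -> str:
    """Label one UDP/137 payload captured at the firewall."""
    if len(payload) < 50:     # 12 header + 1 len + 32 name + 1 end + 4 type/class
        return "malformed: too short"
    _txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if flags & 0x8000:
        return "response"
    opcode = (flags >> 11) & 0xF
    if opcode != 0 or qdcount != 1 or payload[12] != 32 or payload[45] != 0:
        return "not a plain single-question query"
    enc = payload[13:45]
    if any(not A <= b <= P for b in enc):
        return "malformed: bad name encoding"
    name = decode_nb_name(enc)
    qtype, _qclass = struct.unpack(">HH", payload[46:50])
    if qtype == NBSTAT and name == "*":
        return "node status query (wildcard): reverse name lookup"
    if qtype == NB:
        return f"name query for {name!r}"
    return f"other query type 0x{qtype:04x}"

def build_query(raw16: bytes, qtype: int) -> bytes:
    """Constructed sample packet: one question, class IN."""
    header = struct.pack(">HHHHHH", 0x1234, 0, 1, 0, 0, 0)
    return header + b"\x20" + encode_nb_name(raw16) + b"\x00" + struct.pack(">HH", qtype, 1)

# Constructed samples: the wildcard name is "*" padded with NULs,
# a normal machine name is padded with spaces plus a suffix byte.
WILDCARD_STATUS = build_query(b"*".ljust(16, b"\x00"), NBSTAT)
NAME_LOOKUP = build_query(b"FILESRV".ljust(15) + b"\x00", NB)

if __name__ == "__main__":
    for pkt in (WILDCARD_STATUS, NAME_LOOKUP, b"\x00" * 10):
        print(classify_udp137(pkt))
```
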
This archive was generated by hypermail 2b30 : Tue Dec 11 2001 - 18:54:45 PST