Mike, > We've been experiencing a lot of strange port 137 > traffic from one > of our IP's behind our firewall to somewhere > offsite. I've been trying to > track it down but I have been unsuccessful at it. It sounds as if you have been successful...you've determined that it's coming from one of your machines, and going off-site. > But, when I looked at the > machine, the machine didn't > have any of the files associated with that > virus/trojan. Can you be more specific w/ regards to what you're referring to? Did you do a search? Or did you run A/V software? > Now all this was happening to a web > server / real audio server for awhile now. When you say "happening to", do you mean that the traffic is originating from this box, or is this box receiving the traffic? > Any help would be greatly appreciated! I just > don't quite > understand how this IP is getting through our > firewall since there are no > conduits open on port 137. Your tcpdump shows that the packets are UDP datagrams, so the term "conduit" doesn't necessarily apply. Looking at the dump you provided, the traffic looks pretty normal...NetBIOS name requests going from machine to machine. One way to test this is to get a copy of fport.exe from FoundStone's site, and run that...then see which process is bound to that port. Again...it looks pretty normal. You said that this traffic was associated w/ a web server...IIS attempts a name lookup for the IPs that make connections to GET web pages, and one of the ways it does the lookup is a NetBIOS name request. HTH __________________________________________________ Do you Yahoo!? Y! Web Hosting - Let the expert host your web site http://webhosting.yahoo.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Oct 20 2002 - 21:01:45 PDT