Network Security: Detailed info on Re: Strange Traffic to ports 139 and 137 from a machine with no data

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Incidents

[Top] [All Lists]

Re: Strange Traffic to ports 139 and 137 from a machine with no data

from [Stephen J. Smoogen] Network Security

[Permanent Link]

Subject:	Re: Strange Traffic to ports 139 and 137 from a machine with no data
Date:	Thu, 2 Mar 2006 07:54:30 -0700

On 3/2/06, Loki 74 <loki74@gmail.com> wrote:

Well I have received a few people all exhibiting this, and say it can
occur from a fresh-install, currently patched, no internet connection.
 I suggest we investigate more, honeypot, full diff, etc. Anyone
interested in helping?


Ok I am not a windows expert.. so please somebody with more knowledge
jump in. I would look for the following info between machines:

Drivers loaded
Patch set order
Registry dump

looking for data in either ascii or hex for the ip address that the
box was looking for last. Finding a comon denominator may turn out
that the Tornado network driver if loaded with the XYZ chipset causes
it to send calls up the network stack that MS services then send data
out on the network in responce to a ghost packet it thought it saw.





--
Stephen J Smoogen.
CSIRT/Linux System Administrator

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: Strange Traffic to ports 139 and 137 from a machine with no data, Kyle Maxwell Re: Strange Traffic to ports 139 and 137 from a machine with no data, Dude VanWinkle Re: Strange Traffic to ports 139 and 137 from a machine with no data, Mark Owen Re: Strange Traffic to ports 139 and 137 from a machine with no data, Stef Re: Strange Traffic to ports 139 and 137 from a machine with no data, Joachim Schipper Re: Strange Traffic to ports 139 and 137 from a machine with no data, loki74 Re: Strange Traffic to ports 139 and 137 from a machine with no data, loki74 Re: Strange Traffic to ports 139 and 137 from a machine with no data, Stephen J. Smoogen Message not available Re: Strange Traffic to ports 139 and 137 from a machine with no data, Loki 74 Re: Strange Traffic to ports 139 and 137 from a machine with no data, Stephen J. Smoogen <= Message not available Re: Strange Traffic to ports 139 and 137 from a machine with no data, Stephen J. Smoogen

Previous by Date:	Re: Strange Traffic to ports 139 and 137 from a machine with no data, Stephen J. Smoogen
Next by Date:	Re: Strange Traffic to ports 139 and 137 from a machine with no data, Loki 74
Previous by Thread:	Re: Strange Traffic to ports 139 and 137 from a machine with no data, Loki 74
Next by Thread:	Re: Strange Traffic to ports 139 and 137 from a machine with no data, Stephen J. Smoogen
Indexes:	[Date] [Thread] [Top] [All Lists]