Re: Exchange Reverse Lookup on Port 137?

From: Fred Blum (h.f.blum_at_marketconnectnospam.nl)
Date: 11/24/04


Date: Wed, 24 Nov 2004 10:17:04 +0100


After working on this with Marina we concluded that these entries in my logs
were probably caused by my stupid mistake of trying to install the MS Firewall
Client on the server in an attempt to correct the McAfee AutoUpdate problems
on ports 80 and 21 outbound. ISA >SP1 doesn't allow this, so the installation
broke. It has been removed and the entries are now gone.

Fred

"Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
news:uZvQ3zX0EHA.3840@tk2msftngp13.phx.gbl...
>
> Doing a windump I found that my SBS server allowed a remote connection on
> port 135. This connection was not listed in the logs as blocked. I added a 135
> block-all rule.
> Now connections are blocked.
>
> ISA should block this by default. In the past we used the internet to do a
> remote_server DTS. So I added an allow rule with the destination of the
> remote site. Could this have been a possible infection? My server was
> fully patched and had an sa password.
>
> TIA,
>
> Fred
> "Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
> news:eUuld7K0EHA.1204@TK2MSFTNGP10.phx.gbl...
>>
>> Mariette,
>>
>> During setup I gave the sa account the same password as the
>> administrator. The sa password in the security section is not empty; I
>> see *****. In the SQL Server properties I specified security to use SQL
>> and Windows authentication. I've disabled and restarted. Will send the
>> ISA logs in 24h.
>> Port 137 has a packet block. Furthermore I'm blocking full IP ranges in
>> Korea. GRC still gives me all green across the board except port 25.
>>
>> They are trying with a man-in-the-middle approach. Maybe they are
>> pissed off because we took their P2P cracked-software site off the air. I
>> found an IP address of someone nearby trying to connect: a housing co-op in
>> Tilburg. I phoned their sysadmins and informed them that I had found their IP
>> address in my log and that I had checked their port 445 with a port
>> scanner and found it to be open. They were reluctant at first, so
>> together with them I ran a full scan and found this IP address completely
>> open to the Internet. It was a remote site that connected via VPN to
>> their domain. They hadn't installed a firewall.
>>
>> Fred
>> "ignorance is bliss"
>>
>> "Mariette Knap [SBS MVP]" <mariette@smallbizserver.local> wrote in
>> message news:%23gA%23SRK0EHA.4004@tk2msftngp13.phx.gbl...
>>> In news:es$Kz6H0EHA.1932@TK2MSFTNGP09.phx.gbl,
>>> Fred Blum <h.f.blum@marketconnectnospam.nl> wrote:
>>>
>>>> Searched google.com for "outbound port 137 connections".
>>>>
>>>> This exact one is:
>>>> http://groups.google.com/groups?q=outbound+port+137+connections&hl=nl&lr=&selm=a1degc%242ed%241%40canopus.cc.umanitoba.ca&rnum=1
>>>>
>>>> But there are others as well saying that if a reverse DNS lookup fails
>>>> (spammers?) Windows will revert to trying on port 137 with NetBEUI.
>>>> Reverse lookup has not been enabled on my SMTP server. I added the
>>>> local DNS server address just in case some other process also works
>>>> with this DNS entry.
>>>
>>> Fred,
>>>
>>> I have analysed the ISA logs you sent to Marina. Please disable the SQL
>>> services on the SBS server, reboot the server and send me the ISA logs
>>> after 24 hours.
>>>
>>> Your server is not hacked from the outside but from the inside. I think
>>> your SQL database has a null sa password and someone inside your LAN has
>>> caught a virus like the SQLSnake/Spida worm (May 2002) or the
>>> SQL Slammer/SQL-Hell/Sapphire worm (January 2003).
>>>
>>> --
>>> Mariëtte Knap - MVP
>>> http://www.smallbizserver.net
>>> Take part in SBS forum:
>>> http://www.smallbizserver.net/Default.aspx?tabid=154
>>>
>>>
>>
>>
>
>
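
The diagnosis Mariette makes from the ISA logs (an internal host spraying the SQL Server ports, typical of Slammer on UDP/1434 or Spida on TCP/1433), together with the windump finding that an inbound port 135 connection was allowed and the outbound port 137 traffic in the subject line, is a log-triage problem. The script below is an added example and is not code from the original thread or from ISA Server. It assumes a constructed, space-separated log format ("timestamp src_ip src_port dst_ip dst_port proto bytes action") rather than real ISA or windump output, an assumed LAN prefix of 192.168.16.0/24, and sample lines constructed to contain one of each symptom. The 404-byte Slammer datagram size (376-byte UDP payload plus UDP and IP headers) is the worm's documented wire signature.

```python
"""Triage firewall-log lines for the worm and exposure symptoms discussed in the thread.

Added example; the log format, the LAN prefix and the sample lines are all constructed
for this illustration and are not ISA Server or windump output.
"""
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.16.0/24")  # assumed internal range

# 376-byte UDP payload + 8-byte UDP header + 20-byte IP header.
SLAMMER_WIRE_SIZE = 404

# Constructed sample log: one Slammer-like UDP/1434 sprayer, one Spida-like TCP/1433
# scanner (all blocked, but still visible), one outbound NetBIOS name query, one allowed
# inbound connection to RPC port 135, and one ordinary outbound SMTP session.
SAMPLE_LOG = """\
2004-11-23T02:10:01 192.168.16.23 1162 203.0.113.9 1434 UDP 404 allowed
2004-11-23T02:10:01 192.168.16.23 1162 198.51.100.77 1434 UDP 404 allowed
2004-11-23T02:10:01 192.168.16.23 1162 192.0.2.44 1434 UDP 404 allowed
2004-11-23T02:10:02 192.168.16.23 1162 192.0.2.45 1434 UDP 404 allowed
2004-11-23T02:10:02 192.168.16.23 1162 192.168.16.2 1434 UDP 404 allowed
2004-11-23T02:11:40 192.168.16.40 3051 198.51.100.10 1433 TCP 48 blocked
2004-11-23T02:11:40 192.168.16.40 3052 198.51.100.11 1433 TCP 48 blocked
2004-11-23T02:11:41 192.168.16.40 3053 198.51.100.12 1433 TCP 48 blocked
2004-11-23T02:11:41 192.168.16.40 3054 198.51.100.13 1433 TCP 48 blocked
2004-11-23T03:00:12 192.168.16.2 137 203.0.113.200 137 UDP 78 allowed
2004-11-23T03:05:00 198.51.100.200 4021 192.168.16.2 135 TCP 48 allowed
2004-11-23T03:20:00 192.168.16.2 1099 203.0.113.55 25 TCP 1500 allowed
"""


def parse(log_text):
    """Parse the constructed log format into dicts with typed fields."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, size, action = line.split()
        records.append({
            "ts": ts, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "size": int(size), "action": action,
        })
    return records


def is_lan(ip):
    """True when the address falls inside the assumed internal prefix."""
    return ipaddress.ip_address(ip) in LAN


def find_sql_worm_scanners(records, min_targets=3):
    """Internal hosts contacting many distinct destinations on the SQL Server ports.

    Slammer/Sapphire sends one UDP datagram to 1434 (the SQL resolution service) per
    victim; Spida/SQLSnake opens TCP connections to 1433 and tries a blank 'sa' login.
    Blocked attempts are counted too: the log shows the infection even when egress
    is denied. Returns (src, label, distinct_targets, slammer_sized_datagrams).
    """
    targets = defaultdict(set)
    slammer_sized = defaultdict(int)
    for r in records:
        if not is_lan(r["src"]):
            continue
        if r["proto"] == "UDP" and r["dport"] == 1434:
            targets[(r["src"], "slammer-like udp/1434")].add(r["dst"])
            if r["size"] == SLAMMER_WIRE_SIZE:
                slammer_sized[r["src"]] += 1
        elif r["proto"] == "TCP" and r["dport"] == 1433:
            targets[(r["src"], "spida-like tcp/1433")].add(r["dst"])
    return sorted(
        (src, label, len(dsts), slammer_sized.get(src, 0))
        for (src, label), dsts in targets.items()
        if len(dsts) >= min_targets
    )


def find_allowed_inbound(records, ports=(135, 137, 139, 445)):
    """Connections from outside the LAN to RPC/NetBIOS/SMB ports that were allowed.

    This is the log-side check for what the windump capture showed: an inbound 135
    connection that never appeared in the log as blocked.
    """
    return [(r["src"], r["dst"], r["proto"], r["dport"]) for r in records
            if r["action"] == "allowed" and not is_lan(r["src"])
            and is_lan(r["dst"]) and r["dport"] in ports]


def find_outbound_netbios(records):
    """LAN hosts sending UDP/137 name-service queries to external addresses
    (the 'reverse lookup on port 137' symptom in the subject line)."""
    return [(r["src"], r["dst"]) for r in records
            if is_lan(r["src"]) and not is_lan(r["dst"])
            and r["proto"] == "UDP" and r["dport"] == 137]


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for src, label, n, sized in find_sql_worm_scanners(recs):
        print(f"SQL worm candidate {src}: {label}, {n} targets, {sized} x {SLAMMER_WIRE_SIZE}-byte datagrams")
    for src, dst, proto, port in find_allowed_inbound(recs):
        print(f"allowed inbound {proto}/{port} from {src} to {dst}")
    for src, dst in find_outbound_netbios(recs):
        print(f"outbound NetBIOS name query from {src} to {dst}")
```

The thresholds are deliberately low so the constructed sample trips them; on a real log, raise `min_targets` and add a time window, since Slammer's distinguishing feature is the rate (thousands of 404-byte datagrams per second from one host), not a handful of probes.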


