Port 138 traffic sent to non-existent servers (XP Pro machines only)


From: Jonathon (anonymous_at_discussions.microsoft.com)
Date: 05/03/04


Date: Mon, 3 May 2004 06:33:02 -0700

I have a NT4 domain with 10 subnets geographically
separated connected by frame relay. Each of these
locations has several xp pro machines. While watching
the firewall logs I have noticed a lot of udp port 138
traffic originating from almost all of these xp machines
(they hit the firewall because these servers used to be
on subnets that are no longer part of our network, and
the gateway of last resort is the firewall.)

The servers they are trying to reach did exist at one
time (3 or more years ago). I have checked wins to
ensure there are no entries for these servers and there
are no entries. The automatic DNS zones are also clear
of any stale entries. The odd thing is that it only
comes from xp machines. The NT and 9x machines (70% of
the pcs on the network) do not have this problem. I
originally thought it might be virus related but my
organization has several layers of protection and I've
physically visited some pc's to verify they are not
infected. All these PC's have their security patches up
to date as well.

As I said the problem occurs on almost every xp pc,
including a new HP laptop I just pulled out of the box
today. I'm not sure where the problem lies, maybe it's in
the network and only xp can "see" these stale server
entries. The pc's are all on DHCP, and I have verified
that no stale server entries exist in their respective
scopes.

Any other thoughts as to what this could be are
appreciated. Thanks!


