Re: WORM? ... server generating NBT-NS (port 137) traffic on WAN interface
- From: "Cliff Galiher" <cgaliher@xxxxxxxxx>
- Date: Tue, 14 Oct 2008 03:16:51 -0600
Why have you jumped to the worm conclusion? Not to be blunt, but usually people who jump to conclusions have knowingly been using less than good practices, so they have a reason to have such a suspicion. Personally I'd think a potentially bad program update/patch or a new install might legitimately be causing the traffic. Another possibility is that another computer on the network is channeling through the SBS server; since you mentioned a WAN NIC, I have to assume you are running 2 NICs and SBS is tunneling LAN traffic. Jumping to a worm seems like quite a leap.
So first, let's check a few things:
1) Run a good packet logging system BETWEEN your SBS LAN (NOT WAN!) NIC and the switch/hub to the rest of your network. There is no use chasing down packets on your SBS box if they aren't originating there. We have to target monitoring on the LAN interface because your router will be logging the packets as coming from SBS. Technically it is correct, they are... SBS does NAT, so everything on the WAN side of the link will appear to the router as originating from the SBS server. Not very helpful.
2) Once you have determined without question which machine is generating the unexpected traffic, then you can grab TCPView from Sysinternals (www.microsoft.com/sysinternals) and use it to try and find the program opening the port on the offending machine. From there you will at least be armed with information about the process and can do some Google searching. Until you know *what* is trying to throw packets outside of your network, you can't go about fixing it, or even assume you know what the problem is.
Hope that helps,
-Cliff
"Blondie" <nobody@xxxxxxxxxxx> wrote in message news:eGezIhULJHA.5060@xxxxxxxxxxxxxxxxxxxxxxx
Hi!
I think one of the SBS2003 servers that I manage recently became infected with a WORM.
I would like to find out more about what is happening, how the infection occurred, and how to prevent it in the future.
Can anyone recommend a good source of info to help me figure out how to find out which program(s) are generating this traffic?
NetMonitor does pick up the outbound (port 137) packets being sent to a lot of different apparently valid IP addresses of businesses around the world. The WAN interface does have an external router ... with only ports 25, 443, 4125 allowed for inbound ... all SMB outbound (incl port 137) is blocked.
On Oct 10 I noticed that the syslog data from the router went from an average of a few hundred entries per day to about 1,000 per hour ... only rejected packets and errors are logged. Other than scheduled tasks (incl weekly reboot using shutdown /r), nobody has logged on to this server for at least a few days before this unauthorized network activity started. ???
Nobody had logged on to the server for about 10 days prior to this problem being noticed in the Syslog files ... and no applications are running on the server that are generating the NBT-NS traffic. The WAN NIC has NetBIOS over TCP/IP disabled.
I cannot see anything obvious ... and cannot locate the specific program that is generating this traffic. There is not even a noticeable difference in system activity.
Have any of you had any experience troubleshooting this type of problem with Windows SBS2003 server? I would like to start out by finding which program(s) are generating these UDP packets ... and where the list of target IP addresses is coming from.
Because the external router is blocking the unwanted packets, I think I can leave it running as is to diagnose the problem ... at least for a few more days.
Blondie
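Cliff's step 1 in working form, as an added example that is not part of either post: tally outbound UDP/137 (NBT-NS) packets per source address from tcpdump-style summary lines, once for a capture taken on the SBS WAN NIC and once for a capture taken between the SBS LAN NIC and the switch. The capture lines and all addresses are constructed for this example (the line format assumed is tcpdump's default IP/UDP summary).

```python
import re
from collections import defaultdict

# tcpdump's default summary line for a UDP packet (format assumed for this example):
# "10:00:00.000001 IP 192.168.16.50.137 > 203.0.113.10.137: UDP, length 50"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)

def nbtns_talkers(capture_lines, dport=137):
    """Per-source tally of UDP packets to <dport>: {src: (packet_count, distinct_dst_count)}."""
    counts = defaultdict(int)
    dsts = defaultdict(set)
    for line in capture_lines:
        m = LINE_RE.match(line)
        if not m or int(m.group("dport")) != dport:
            continue  # not a UDP summary line, or not NBT-NS
        counts[m.group("src")] += 1
        dsts[m.group("src")].add(m.group("dst"))
    return {src: (counts[src], len(dsts[src])) for src in counts}

def top_talker(capture_lines):
    """Source address sending the most NBT-NS packets, or None if there are none."""
    stats = nbtns_talkers(capture_lines)
    if not stats:
        return None
    return max(stats, key=lambda src: stats[src][0])

# Constructed samples; 198.51.100.2 stands in for the SBS external address.
WAN_SIDE = [  # captured on the SBS WAN NIC: NAT makes every packet look like SBS itself
    "10:00:00.000001 IP 198.51.100.2.137 > 203.0.113.10.137: UDP, length 50",
    "10:00:00.000002 IP 198.51.100.2.137 > 203.0.113.11.137: UDP, length 50",
    "10:00:00.000003 IP 198.51.100.2.137 > 203.0.113.12.137: UDP, length 50",
    "10:00:00.000004 IP 198.51.100.2.123 > 203.0.113.99.123: UDP, length 48",
]
LAN_SIDE = [  # captured between the SBS LAN NIC and the switch: the real origin is visible
    "10:00:00.000001 IP 192.168.16.50.137 > 203.0.113.10.137: UDP, length 50",
    "10:00:00.000002 IP 192.168.16.50.137 > 203.0.113.11.137: UDP, length 50",
    "10:00:00.000003 IP 192.168.16.50.137 > 203.0.113.12.137: UDP, length 50",
    "10:00:00.000004 IP 192.168.16.2.137 > 192.168.16.255.137: UDP, length 50",  # normal local broadcast
]

if __name__ == "__main__":
    print("WAN view:", nbtns_talkers(WAN_SIDE))   # only the SBS external address shows up
    print("LAN view:", nbtns_talkers(LAN_SIDE))   # 192.168.16.50 is the host to inspect with TCPView
```

The WAN-side tally attributes everything to the server's external address, which is exactly why it cannot answer the question; the LAN-side tally names the workstation to look at next.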