Re: WORM? ... server generating NBT-NS (port 137) traffic on WAN interface
- From: "Blondie" <nobody@xxxxxxxxxxx>
- Date: Wed, 15 Oct 2008 17:15:57 -0400
Thanks for the suggestion, Susan!
I think that I will spend a bit more time myself though ... the server does
not seem to present any danger to anyone else, and it appears to be working
normally in all other aspects.
Have you used this 'WOLF' service yourself ... can you give me a URL to find
out more about what it is?
I will probably wind up restoring an older image of the system before this
problem was noticed to fix the problem in a few more days ... but if the
'WOLF' service can help me figure out how the system got messed up in the
first place I am interested in trying it.
"Susan Bradley" <sbradcpa@xxxxxxxxxxx> wrote in message
news:Ox1lTivLJHA.728@xxxxxxxxxxxxxxxxxxxxxxx
I would advise you to call 1-866-pcsafety and ask for a Windows online
forensics analysis from the CSS Security division of Microsoft (called
WOLF). This can be run on a production system.
Blondie wrote:
Hi Miles!
Thanks for the info ... I did try a few of these already ... please see
embedded comments.
----- Original Message -----
From: "Miles Li [MSFT]" <v-mileli@xxxxxxxxxxxxxxxxxxxx>
Newsgroups: microsoft.public.windows.server.sbs
Sent: Tuesday, October 14, 2008 6:08 AM
Subject: RE: WORM? ... server generating NBT-NS (port 137) traffic on WAN
interface
Hello,
Thank you for posting here.
According to your description, I understand that:
You have a concern about the outbound port 137 traffic in the SBS
domain.
If I have misunderstood the problem, please don't hesitate to let me
know.
Suggestions:
========================
The UDP 137 is related to the NetBIOS Over TCP/IP name service. Please
try to verify the source program that uses this port with the following
steps:
1. On the SBS server command prompt, type "netstat -anob"
*** I did try using "netstat -bnop udp 3" earlier ... it does not show
anything at all at the same time as NETMON is capturing the unwanted
packets leaving the WAN NIC.
I did run NETMON on the SBS2003 box, it did find the extraneous packets
... they are all UDP packets
I originally noticed these packets in the log of the external router ...
ran a packet capture tool on that interface first, it showed only UDP -
port 137 extraneous packets
It seems as if whatever program is sending these packets, it is not
using the API that Netstat monitors
Do you know of any other Software diagnostic tools or aids that will work
with the production version of SBS2003 R1 ??? .... this almost seems like
I would need to use a checked build version and/or some IDE or ICE tools
to discover what is going on ... I don't think I can use this approach on
a production system though.
Is there another Software diagnostic tool that you know of that I can use
for something like instruction trace logging ... and do you know the
module names of the modules that actually control the NIC ... I think the
misbehaving program is not using the normal API to send packets, but
probably does have to use the Device Driver at least.
The -b parameter will help to display the executable involved in
creating each connection or listening port.
2. Find out the program that uses the UDP 137. If it is the [System],
please try to check whether the NetBIOS over TCP/IP is disabled on the
NIC that is connected to the Internet (If the SBS server is the 2 NICs
scenario).
*** Netbios over TCP/IP on the WAN NIC is disabled ... but not on either
of the two LAN NICs
a) Click Start, point to Settings, and then click Network and Dial-up
Connection.
b) Right-click Local Area Connection, and then click Properties.
c) Click Internet Protocol (TCP/IP), and then click Properties.
d) Click Advanced.
e) Click the WINS tab, and then click Disable NetBIOS over TCP/IP.
204279 Direct hosting of SMB over TCP/IP
http://support.microsoft.com/kb/204279
What Is Computer Browser Service?
http://technet.microsoft.com/en-us/library/cc787537.aspx
NetBIOS Over TCP/IP
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnbc_imp_wcug.mspx?mfr=true
On the virus issue, I would also like to suggest that you call Microsoft
PC Safety telephone number, 1-866-727-2338 (1-866-PCSAFETY). This service
offers no-charge assistance for virus-related issues or questions.
Also, you can check Microsoft Security and Privacy Web site at:
http://www.microsoft.com/security/.
This Web site offers various articles, updates, tips and tricks, and
resources to protect both home and business computers from virus
infection or attacks.
Hope it helps. If you have any questions or concerns, please do not
hesitate to let me know.
Best regards,
Miles Li
Microsoft Online Partner Support
Microsoft Global Technical Support Center
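
When netstat cannot attribute the UDP 137 packets that the capture shows, decoding each payload at least tells you what is being asked for: a name query, a registration, or a node-status request, and for which name. The following is an added example and not part of the original thread; the field layout follows RFC 1001/1002, and the sample payloads and the name FILESRV01 are constructed.

```python
import struct

OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}
QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}

def decode_name(enc):
    """Undo RFC 1001 first-level encoding: 32 bytes 'A'..'P' -> (name, suffix byte)."""
    if len(enc) != 32 or any(not 0x41 <= b <= 0x50 for b in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]

def parse_nbns(payload):
    """Summarise the header and first question of an NBT-NS request (RFC 1002 4.2)."""
    if len(payload) < 50:  # 12 header + 1 length + 32 name + 1 terminator + 4 type/class
        raise ValueError("too short for an NBT-NS question")
    txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    if qdcount < 1 or payload[12] != 0x20:
        raise ValueError("no question with a 32-byte name label")
    name, suffix = decode_name(payload[13:45])
    pos = 45
    try:
        while payload[pos]:            # skip optional scope labels
            pos += payload[pos] + 1
        qtype = struct.unpack("!H", payload[pos + 1:pos + 3])[0]
    except (IndexError, struct.error):
        raise ValueError("truncated question section") from None
    return {
        "txid": txid,
        "response": bool(flags & 0x8000),                 # R bit
        "opcode": OPCODES.get((flags >> 11) & 0xF, "unknown"),
        "broadcast": bool(flags & 0x0010),                # B bit in NM_FLAGS
        "name": name,
        "suffix": suffix,
        "qtype": QTYPES.get(qtype, hex(qtype)),
    }

def build_sample(raw16, flags, qtype):
    """Construct a sample request payload (test data only, not captured traffic)."""
    enc = bytes(b for c in raw16 for b in (0x41 + (c >> 4), 0x41 + (c & 0xF)))
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)
    return header + b"\x20" + enc + b"\x00" + struct.pack("!2H", qtype, 1)

# Constructed samples: a broadcast name query and a wildcard node-status request.
SAMPLE_QUERY = build_sample(b"FILESRV01".ljust(15) + b"\x20", 0x0110, 0x0020)
SAMPLE_NBSTAT = build_sample(b"*" + b"\x00" * 15, 0x0000, 0x0021)

if __name__ == "__main__":
    for p in (SAMPLE_QUERY, SAMPLE_NBSTAT):
        print(parse_nbns(p))
```

Feed it the UDP payload bytes exported from the capture tool (everything after the UDP header); responses, which carry no question section, are rejected with ValueError.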