
Port 139/445 traffic to non-existent IP?

Status
Not open for further replies.

iLinkTech

IS-IT--Management
Nov 28, 2003
133
DE
Hi,

Was asked to look at syslog data for a previous client's W2K3 domain as part of a random security audit (doing a favor for a friend). In his syslog I noticed something odd; one of his W2K3 SP1 file servers was intermittently trying to communicate over ports 139/445 with the IP segment of his DMZ.

Strange thing is that the specific destination IP address does not and has never existed on his DMZ. The packet size varies but is typically around 144 bytes. Even stranger (maybe) is that even though this IP does not exist, packets with a size of 228 bytes are being returned to the file server.

Thinking that this box is in trouble, I've helped him run a number of tests, scans, etc. AV comes up clean (including heuristics and ADS), RootkitRevealer was unremarkable, spyware scanning w/ Windows Defender was unremarkable as well. The connection attempts are not consistent other than when they happen they tend to happen in pairs at 3 hour intervals; first over 139 and then over 445.

I won't pretend to know what's happening with this but if anyone has any ideas....

Thanks - it's always over the holidays... :(
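The kind of first pass over the syslog that the post above describes, as an added example that is not part of the original thread. It assumes the firewall writes netfilter/iptables-style "SRC= DST= PROTO= SPT= DPT= LEN=" lines to syslog (the poster's actual log format is not shown, so `LINE_RE` is an assumption to adapt), that the timestamps carry no year (`YEAR` is fixed), and that `KNOWN_DMZ_HOSTS` is an inventory of what really lives in the DMZ. The log lines, the addresses and the inventory are all constructed for the example.

```python
"""Triage the pattern from the thread: intermittent TCP 139/445 attempts from a
file server to a DMZ address that is not in the inventory, and whether anything
answers them.

Added example, not code from the original thread. Assumptions (all constructed):
- syslog carries netfilter/iptables-style "SRC= DST= PROTO= SPT= DPT= LEN=" lines;
- the timestamps carry no year, so YEAR is fixed;
- KNOWN_DMZ_HOSTS is an assumed inventory of real DMZ hosts.
"""
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2007                # assumption: syslog lines carry no year
SMB_PORTS = {139, 445}
BURST_GAP_SECONDS = 60     # attempts closer together than this count as one burst
KNOWN_DMZ_HOSTS = {"172.16.9.10"}  # assumed inventory: only the SMTP relay exists

# Constructed sample, not the poster's log. 172.16.9.44 plays the "non-existent"
# DMZ address; 10.0.1.5 is the file server.
SAMPLE_LOG = """\
Dec 24 00:01:12 fw kernel: IN=eth1 OUT=eth2 SRC=10.0.1.5 DST=172.16.9.44 PROTO=TCP SPT=1041 DPT=139 LEN=144
Dec 24 00:01:12 fw kernel: IN=eth2 OUT=eth1 SRC=172.16.9.44 DST=10.0.1.5 PROTO=TCP SPT=139 DPT=1041 LEN=228
Dec 24 00:01:13 fw kernel: IN=eth1 OUT=eth2 SRC=10.0.1.5 DST=172.16.9.44 PROTO=TCP SPT=1042 DPT=445 LEN=144
Dec 24 00:01:13 fw kernel: IN=eth2 OUT=eth1 SRC=172.16.9.44 DST=10.0.1.5 PROTO=TCP SPT=445 DPT=1042 LEN=228
Dec 24 01:30:00 fw kernel: IN=eth1 OUT=eth2 SRC=10.0.1.5 DST=172.16.9.10 PROTO=TCP SPT=1050 DPT=25 LEN=60
Dec 24 03:01:14 fw kernel: IN=eth1 OUT=eth2 SRC=10.0.1.5 DST=172.16.9.44 PROTO=TCP SPT=1077 DPT=139 LEN=144
Dec 24 03:01:15 fw kernel: IN=eth1 OUT=eth2 SRC=10.0.1.5 DST=172.16.9.44 PROTO=TCP SPT=1078 DPT=445 LEN=144
Dec 24 06:01:20 fw kernel: IN=eth1 OUT=eth2 SRC=10.0.1.5 DST=172.16.9.44 PROTO=TCP SPT=1101 DPT=139 LEN=144
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) LEN=(?P<len>\d+)"
)


def parse_line(line):
    """Return one parsed netfilter-style syslog line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=YEAR),
        "src": m["src"], "dst": m["dst"],
        "spt": int(m["spt"]), "dpt": int(m["dpt"]), "len": int(m["len"]),
    }


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def smb_attempts(events):
    """Packets aimed at port 139 or 445: the file server's outbound attempts."""
    return [e for e in events if e["dpt"] in SMB_PORTS]


def smb_replies(events):
    """Packets coming back from port 139 or 445: something actually answered."""
    return [e for e in events if e["spt"] in SMB_PORTS]


def bursts(timestamps, gap=BURST_GAP_SECONDS):
    """Cluster sorted timestamps; the 139-then-445 pair seconds apart is one burst."""
    out = []
    for t in sorted(timestamps):
        if out and (t - out[-1][-1]).total_seconds() <= gap:
            out[-1].append(t)
        else:
            out.append([t])
    return out


def triage(text, known_hosts=KNOWN_DMZ_HOSTS):
    """Report every (src, dst) SMB flow whose destination is not in the DMZ inventory."""
    events = parse_log(text)
    attempts_by_pair = defaultdict(list)
    for e in smb_attempts(events):
        attempts_by_pair[(e["src"], e["dst"])].append(e)
    replies_by_pair = defaultdict(list)           # keyed like the attempt: (src, dst)
    for e in smb_replies(events):
        replies_by_pair[(e["dst"], e["src"])].append(e["len"])
    report = {}
    for (src, dst), attempts in attempts_by_pair.items():
        if dst in known_hosts:
            continue
        starts = [b[0] for b in bursts(e["ts"] for e in attempts)]
        gaps_h = [round((b - a).total_seconds() / 3600, 1) for a, b in zip(starts, starts[1:])]
        reply_sizes = replies_by_pair.get((src, dst), [])
        report[(src, dst)] = {
            "ports": sorted({e["dpt"] for e in attempts}),
            "attempt_sizes": sorted({e["len"] for e in attempts}),
            "bursts": len(starts),
            "burst_gap_hours": gaps_h,
            "reply_sizes": sorted(set(reply_sizes)),
            "answered": bool(reply_sizes),
        }
    return report


if __name__ == "__main__":
    for pair, info in triage(SAMPLE_LOG).items():
        print(pair, info)
```

Two fields in the report are the ones worth reading: `burst_gap_hours` confirms the "pairs every 3 hours" pattern, and `answered` records that a destination which supposedly does not exist is sending packets back, which is something to reconcile with the sniffer capture on the server and with whatever name resolution (hosts file, WINS, DNS) maps to that address.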
 
You may have already looked at this:


Anyway, would there be any harm in running a packet sniffer? You should be able to do this on the server, and inspect what is actually being sent to the other IP, and what is being sent back.

I'm wondering if there is something "caught", if you will, in the network scheme. Has there ever been a printer or a file server in the network? Not necessarily with that IP, but maybe with a name. Port 445 and 139 are for file/print sharing over NetBIOS over TCP. Anything in the hosts file?
 
Thanks tfg13 - I have seen that doc before.

As far as something "caught" - I don't know what else he might have played with in the past - I'm going out to his site tonight and will run a sniffer to see if there is anything really of interest going on. The only thing that he currently has running in the DMZ is an SMTP relay / SPAM scanner.

Thanks...will advise if it's interesting :)
 