Just a thought - another [hoepfully remote] possibility...
try running Netstat -- BackOrifice can utilize ports normally reserved for
NetBIOS networking functions, such as:
137 (nbname)
138 (nbdatagram)
139 (nbsession)
and this use does not seem to interfere with network activity. If BO is running
on port 137, 138 or 139, and you perform a ' netstat -a ', you may see these
ports listed twice (on a machine with NetBIOS enabled), once for BO's UDP
activity and once for normal NetBIOS activity. Also, you need to be online when
you run Netstat (otherwise neither BO or NetBIOS will be squawking).
(I recall reading a web-based explanation of this phenomenon but, apologies to
the author, I do not recall the site)
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Andrew Moss
Sent: Tuesday, January 11, 2000 5:16 PM
To: [EMAIL PROTECTED]
Subject: re: need advice regarding port 137
HI All,
I'm having trouble understanding some activity on one of our
firewalls
Starting today at 15:31 and going through till 15:39 every couple of
seconds a host tried to send packets to UDP port 137 from port 137.
anyone ever seen this before.
The box they are trying to connect to is a WinNT 4.0 sp6a running
Microsoft Proxy Server 2.0 wins is disabled on all external interfaces
Cheers
Andrew Moss
Integrity Treasury Solutions
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
