to [EMAIL PROTECTED] : the sniffer that i has was only logging the headers and not the actual data ... so i cannot help you there, now have configured it to log all such traffic, will come back if i manage to capture any packet data
also the [EMAIL PROTECTED] netcat idea is good as suggested but i am already using ethereal so i will be able to have exactly what we are looking for ... and i agree with the [EMAIL PROTECTED] saying that this might a virus like on port 4444 from a whole list of them. [EMAIL PROTECTED], some version of W32.Blaster.Worm: ok but since i am already patched 039 patch even then there are attempts to connect to port 4444, i thought that after 139 vertor failed there was no 4444 connect attempt... [EMAIL PROTECTED]: this traffic is comming from the internet and this machine is on a public internet ip. and machine is protected by firewalls like kerio and sygate along with netbios and other carp disconnected from the public ip [EMAIL PROTECTED]: this is port 139 ( confirmed again ) .... and not port 135 and the initial connect attempt on port 139 is attack vertor. this used to occur only when i used to bring down sygate firewall... there are other firewalls that prevent the comprmise and the sinffer is capturing the data.... thanks for the answers, will get back to the list when i have any packet data captured with other details also like the machine name / ip and period of connections and frequency. - this raised my suspicions because the frequency of the connect attempts on port 139 followed by multiple attempts on port 4444 thanks guys once again. -aditya ________________________________________________________________________ Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
