On 1 Mar 2006 16:33:04 -0000, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Also,
> I ran Procexp (Sysinternals) and tcpview (sysinternals) and the process was
> 'system process'
>
Ok, I have seen something like this before. In our case we got the following from a box that was a fresh install and patched version of 2003. The systems showed that it was a system process that pops this out. It will open a connection to 137, 139 randomly between B class addresses (128.1.0.1 -> 191.255.255.255) with the most between 132.0.0.0 -> 138.0.0.0.

Setting up a honeypot that would answer to anything on the wire basically got a very standard 137, 139 discovery packet. Once a box on the wire answered, the box would calm down and only peep every now and then. No unknown data was sent from the box other than these packets. Box seemed to need a B class address for this to occur.

Microsoft didn't know what could cause this. Reloading the box with the same patch sets would make it go away. I didn't have much to see about this other than the above. [I do not know what registry entries etc. were turned on/off.]

--
Stephen J Smoogen.
CSIRT/Linux System Administrator
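An added example, not part of the original message: a flow-log triage that flags internal hosts contacting many distinct class B destinations on ports 137/139, and counts how many fall in the 132.0.0.0 -> 138.0.0.0 band the reply mentions. The log format, the sample flows, the `triage` name and the `min_distinct` threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Classful "class B" space (first two bits 10), the range described in the reply.
CLASS_B = ipaddress.ip_network("128.0.0.0/2")
# Band where the reply saw most of the traffic.
BAND_LO = int(ipaddress.ip_address("132.0.0.0"))
BAND_HI = int(ipaddress.ip_address("138.0.0.0"))
NETBIOS_PORTS = {137, 139}

# Constructed sample flows: "time src dst dst_port" (hypothetical format).
SAMPLE_FLOWS = """\
10:00:01 172.20.5.9 133.14.2.7 137
10:00:04 172.20.5.9 136.200.1.9 139
10:00:09 172.20.5.9 134.7.88.3 137
10:00:15 172.20.5.9 150.3.4.5 137
10:00:21 172.20.5.9 137.1.1.1 139
10:00:30 172.20.5.9 133.14.2.7 137
10:00:31 172.20.5.10 172.20.5.1 139
10:00:33 172.20.5.10 8.8.8.8 53
truncated line
"""

def triage(flow_text, min_distinct=4):
    """Return {src: counts} for sources probing many class B hosts on 137/139."""
    dests = defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        _, src, dst, port = parts
        try:
            dst_ip = ipaddress.ip_address(dst)
            dport = int(port)
        except ValueError:
            continue
        if dport in NETBIOS_PORTS and dst_ip in CLASS_B:
            dests[src].add(dst_ip)  # a set, so repeat probes count once
    report = {}
    for src, ips in dests.items():
        if len(ips) >= min_distinct:
            in_band = sum(BAND_LO <= int(ip) <= BAND_HI for ip in ips)
            report[src] = {"distinct": len(ips), "in_132_138": in_band}
    return report

if __name__ == "__main__":
    for host, counts in triage(SAMPLE_FLOWS).items():
        print(host, counts)
```

A host that only talks NetBIOS to one local file server stays below the threshold; the threshold should be tuned to the site's normal traffic.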
