Well, I have received reports from a few people all exhibiting this, and they say it can occur on a fresh install, currently patched, with no internet connection. I suggest we investigate more: honeypot, full diff, etc. Anyone interested in helping?
On 3/2/06, LE Backup <[EMAIL PROTECTED]> wrote:
> Sorry for the oversimplification, but are you saying this is normal?
>
> Is there anyone from Microsoft that would care to comment on this?
>
> Cheers,
>
> James Friesen, CIO
> Lucretia Enterprises
> "Our World Is Here..."
> Info at lucretia dot ca
> http://lucretia.ca
>
> > -----Original Message-----
> > From: Stephen J. Smoogen [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, March 01, 2006 12:35 PM
> > To: [EMAIL PROTECTED]
> > Cc: [email protected]
> > Subject: Re: Strange Traffic to ports 139 and 137 from a machine with no data
> >
> > On 1 Mar 2006 16:33:04 -0000, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > Also,
> > > I ran Procexp (Sysinternals) and tcpview (Sysinternals) and the process was 'system process'
> >
> > Ok, I have seen something like this before. In our case we got the following from a box that was a fresh install and patched version of 2003. The systems showed that it was a system process that pops this out. It will open a connection to 137, 139 randomly between B class addresses (128.1.0.1 -> 191.255.255.255) with the most between 132.0.0.0 -> 138.0.0.0. Setting up a honeypot that would answer to anything on the wire basically got a very standard 137, 139 discovery packet. Once a box on the wire answered, the box would calm down and only peep every now and then. No unknown data was sent from the box other than these packets. Box seemed to need a B class address for this to occur.
> >
> > Microsoft didn't know what could cause this. Reloading the box with the same patch sets would make it go away. I didn't have much to see about this other than the above. [I do not know what registry entries etc. were turned on/off.]
> >
> > --
> > Stephen J Smoogen.
> > CSIRT/Linux System Administrator
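One way to spot the behaviour Smoogen describes from the network side is to look in firewall or flow logs for a host that sends NetBIOS (137/139) probes to many unrelated class-B networks, rather than to the one or two it legitimately talks to. The script below is an added example and is not part of the thread or any of the posters' tools; the log line format, the field names and the fan-out threshold are assumptions, and the sample log lines are constructed.

```python
"""Flag hosts that fan out NetBIOS (137/139) connection attempts across many
distinct class-B (/16) networks in the 128.0.0.0 - 191.255.255.255 range.

Added example, not code from the thread. The log format below is assumed;
the sample lines are constructed, not captured traffic.
"""
import ipaddress
from collections import defaultdict

NETBIOS_PORTS = {137, 139}
# The classful "B class" range the thread describes: 128.0.0.0 - 191.255.255.255
CLASS_B = ipaddress.ip_network("128.0.0.0/2")

# Constructed firewall-style log lines. Assumed format:
#   "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2006-03-01T12:35:01 10.0.5.20 -> 132.14.7.2:137 udp
2006-03-01T12:35:02 10.0.5.20 -> 135.200.3.9:139 tcp
2006-03-01T12:35:02 10.0.5.20 -> 136.8.77.1:137 udp
2006-03-01T12:35:03 10.0.5.20 -> 138.22.0.5:139 tcp
2006-03-01T12:35:03 10.0.5.20 -> 132.14.7.3:137 udp
2006-03-01T12:35:04 10.0.5.20 -> 160.1.1.1:137 udp
2006-03-01T12:35:04 10.0.5.21 -> 10.0.5.1:137 udp
2006-03-01T12:35:05 10.0.5.21 -> 10.0.5.1:139 tcp
2006-03-01T12:35:06 10.0.5.22 -> 132.14.7.2:80 tcp
"""


def parse_line(line):
    """Return (src, dst, dport) for one log line, or None if it does not match."""
    try:
        _ts, src, _arrow, dst_port, _proto = line.split()
        dst, port = dst_port.rsplit(":", 1)
        return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
    except ValueError:
        # Wrong field count, bad address or non-numeric port: skip the line.
        return None


def netbios_fanout(log_text):
    """Map each source IP to the set of distinct /16 networks inside the
    class-B range that it probed on port 137 or 139."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec
        if dport in NETBIOS_PORTS and dst in CLASS_B:
            net = ipaddress.ip_network(f"{dst}/16", strict=False)
            fanout[str(src)].add(str(net))
    return fanout


def suspicious_sources(log_text, min_networks=3):
    """Sources that touched at least min_networks distinct class-B /16s on
    NetBIOS ports. The threshold is an assumption; tune it per site, since a
    host that legitimately browses two or three remote networks is normal."""
    fanout = netbios_fanout(log_text)
    return {src: sorted(nets) for src, nets in fanout.items() if len(nets) >= min_networks}


if __name__ == "__main__":
    for src, nets in suspicious_sources(SAMPLE_LOG).items():
        print(f"{src}: NetBIOS probes to {len(nets)} distinct class-B networks: "
              + ", ".join(nets))
```

Counting distinct /16s rather than raw packets is deliberate: a machine doing ordinary browsing of one remote network produces many packets to a single /16, while the pattern in the thread spreads a handful of packets across dozens of unrelated /16s, so the fan-out count separates the two even at low packet rates. On the constructed sample, only 10.0.5.20 is reported (five distinct networks); the host probing its own subnet and the host on port 80 are ignored.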
