Netbios security question

A server has been hacked.
Now "nbtstat -s" displays connections that should not be there.
I believe these connections must come from server and out because firewall only allow incoming connections on port 80 (not 139)

nbstat -s display info like this
FILESERVER     NOT-LOCAL-NAME    <20>     0B               0B
FILESERVER     FOREIGN-NAME        <20>     0B               0B

How can I find and remove what makes these connections?
Must I reinstall NT to get rid of them, or are there any other options?
LVL 10
rj2Asked:
Who is Participating?
 
Computer101Connect With a Mentor Commented:
PAQed, with points refunded (500)

Computer101
E-E Admin
0
 
Pete LongTechnical ConsultantCommented:
are these connections listed in the netstat -a  listing?
0
 
rj2Author Commented:
yes. tcpview (from http://www.sysinternals.com) says that the connection is from system:2, same as the other netbios sessions.
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
rj2Author Commented:
netstat says e.g
TCP fileserver:nbsession     61.249.105.143:3330   CLOSE_WAIT

This connection should not be there.
0
 
rj2Author Commented:
nbtstat -s says e.g.
FILESERVER
0
 
rj2Author Commented:
nbtstat -s says e.g.
FILESERVER     UNKNOWN-NAME      <20>        0B        0B
<20> is netbios code for server?
0
 
adedCommented:
<20> is netbios code for file server ressource !
0
 
rj2Author Commented:
Yes, is that not strange?
My server should not be connected to these file server resources, so why is it?
How can I find and remove these connections?
0
 
Pete LongTechnical ConsultantCommented:
if you can get them listed with netstat -a you can see what processes are using them?
0
 
rj2Author Commented:
netstat -a does not list which process does what.
tcpview (from http://www.sysinternals.com) does that, but it only says "System:2", same as all the other local nbsessions.
0
 
dramatix01Commented:
The following URL is a link to the download page for a program called ActivePorts:

http://download.com.com/3000-2085-10062969.html?part=65960%20&subj=dlpage&tag=button

It is freeware.  It will show you a list of all the active connections to your PC (similar to netstat -a, but a GUI version and it dynamically updates) and it also allows you to select and terminate a process.  This is a GREAT piece of software.

Hope this helps!

Regards,
Dave...
0
 
rj2Author Commented:
I think I fixed this problem now, by removing and reinstalling all network protocols and services and reapplying all service packs and security fixes.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.