Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Netbios security question

Posted on 2004-04-27
13
169 Views
Last Modified: 2010-04-11
A server has been hacked.
Now "nbtstat -s" displays connections that should not be there.
I believe these connections must come from server and out because firewall only allow incoming connections on port 80 (not 139)

nbstat -s display info like this
FILESERVER     NOT-LOCAL-NAME    <20>     0B               0B
FILESERVER     FOREIGN-NAME        <20>     0B               0B

How can I find and remove what makes these connections?
Must I reinstall NT to get rid of them, or are there any other options?
0
Comment
Question by:rj2
13 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 10926929
are these connections listed in the netstat -a  listing?
0
 
LVL 10

Author Comment

by:rj2
ID: 10927288
yes. tcpview (from http://www.sysinternals.com) says that the connection is from system:2, same as the other netbios sessions.
0
 
LVL 10

Author Comment

by:rj2
ID: 10927511
netstat says e.g
TCP fileserver:nbsession     61.249.105.143:3330   CLOSE_WAIT

This connection should not be there.
0
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

 
LVL 10

Author Comment

by:rj2
ID: 10927532
nbtstat -s says e.g.
FILESERVER
0
 
LVL 10

Author Comment

by:rj2
ID: 10927539
nbtstat -s says e.g.
FILESERVER     UNKNOWN-NAME      <20>        0B        0B
<20> is netbios code for server?
0
 
LVL 1

Expert Comment

by:aded
ID: 10927570
<20> is netbios code for file server ressource !
0
 
LVL 10

Author Comment

by:rj2
ID: 10927738
Yes, is that not strange?
My server should not be connected to these file server resources, so why is it?
How can I find and remove these connections?
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 10929332
if you can get them listed with netstat -a you can see what processes are using them?
0
 
LVL 10

Author Comment

by:rj2
ID: 10931094
netstat -a does not list which process does what.
tcpview (from http://www.sysinternals.com) does that, but it only says "System:2", same as all the other local nbsessions.
0
 
LVL 2

Expert Comment

by:dramatix01
ID: 10934335
The following URL is a link to the download page for a program called ActivePorts:

http://download.com.com/3000-2085-10062969.html?part=65960%20&subj=dlpage&tag=button

It is freeware.  It will show you a list of all the active connections to your PC (similar to netstat -a, but a GUI version and it dynamically updates) and it also allows you to select and terminate a process.  This is a GREAT piece of software.

Hope this helps!

Regards,
Dave...
0
 
LVL 10

Author Comment

by:rj2
ID: 10936761
I think I fixed this problem now, by removing and reinstalling all network protocols and services and reapplying all service packs and security fixes.
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 12328508
PAQed, with points refunded (500)

Computer101
E-E Admin
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Switch ports not working 8 52
Guest Wireless in a Business Environment 6 89
OSPF - Convergence & Downtime 9 26
Home firewall recommendations 11 42
Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question