[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 174
  • Last Modified:

Netbios security question

A server has been hacked.
Now "nbtstat -s" displays connections that should not be there.
I believe these connections must come from server and out because firewall only allow incoming connections on port 80 (not 139)

nbstat -s display info like this
FILESERVER     NOT-LOCAL-NAME    <20>     0B               0B
FILESERVER     FOREIGN-NAME        <20>     0B               0B

How can I find and remove what makes these connections?
Must I reinstall NT to get rid of them, or are there any other options?
0
rj2
Asked:
rj2
1 Solution
 
Pete LongConsultantCommented:
are these connections listed in the netstat -a  listing?
0
 
rj2Author Commented:
yes. tcpview (from http://www.sysinternals.com) says that the connection is from system:2, same as the other netbios sessions.
0
 
rj2Author Commented:
netstat says e.g
TCP fileserver:nbsession     61.249.105.143:3330   CLOSE_WAIT

This connection should not be there.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
rj2Author Commented:
nbtstat -s says e.g.
FILESERVER
0
 
rj2Author Commented:
nbtstat -s says e.g.
FILESERVER     UNKNOWN-NAME      <20>        0B        0B
<20> is netbios code for server?
0
 
adedCommented:
<20> is netbios code for file server ressource !
0
 
rj2Author Commented:
Yes, is that not strange?
My server should not be connected to these file server resources, so why is it?
How can I find and remove these connections?
0
 
Pete LongConsultantCommented:
if you can get them listed with netstat -a you can see what processes are using them?
0
 
rj2Author Commented:
netstat -a does not list which process does what.
tcpview (from http://www.sysinternals.com) does that, but it only says "System:2", same as all the other local nbsessions.
0
 
dramatix01Commented:
The following URL is a link to the download page for a program called ActivePorts:

http://download.com.com/3000-2085-10062969.html?part=65960%20&subj=dlpage&tag=button

It is freeware.  It will show you a list of all the active connections to your PC (similar to netstat -a, but a GUI version and it dynamically updates) and it also allows you to select and terminate a process.  This is a GREAT piece of software.

Hope this helps!

Regards,
Dave...
0
 
rj2Author Commented:
I think I fixed this problem now, by removing and reinstalling all network protocols and services and reapplying all service packs and security fixes.
0
 
Computer101Commented:
PAQed, with points refunded (500)

Computer101
E-E Admin
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now