Solved

Netbios security question

Posted on 2004-04-27
Last Modified: 2010-04-11
A server has been hacked.
Now "nbtstat -s" displays connections that should not be there.
I believe these connections must originate from the server and go out, because the firewall only allows incoming connections on port 80 (not 139).

nbtstat -s displays info like this:
FILESERVER     NOT-LOCAL-NAME    <20>     0B               0B
FILESERVER     FOREIGN-NAME        <20>     0B               0B

How can I find and remove what makes these connections?
Must I reinstall NT to get rid of them, or are there any other options?
Question by:rj2
13 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 10926929
Are these connections listed in the netstat -a listing?
0
 
LVL 10

Author Comment

by:rj2
ID: 10927288
Yes. tcpview (from http://www.sysinternals.com) says that the connection is from System:2, same as the other NetBIOS sessions.
0
 
LVL 10

Author Comment

by:rj2
ID: 10927511
netstat says, e.g.:
TCP fileserver:nbsession     61.249.105.143:3330   CLOSE_WAIT

This connection should not be there.
0
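Added example, not part of the original thread: a Python parser that reads `netstat -a` rows like the one quoted above and reports, for each NetBIOS session (TCP 139) connection, which side accepted it and whether the peer is a public address. Every sample row except the quoted one is constructed, and the function names are illustrative.

```python
import ipaddress
import re

NBSESSION = 139  # NetBIOS session service; netstat -a prints it as "nbsession"
SERVICE_PORTS = {"nbsession": NBSESSION}

# Constructed sample in "netstat -a" layout; only the second row is quoted in the thread.
SAMPLE = """\
  TCP    fileserver:nbsession   192.168.1.20:1045      ESTABLISHED
  TCP    fileserver:nbsession   61.249.105.143:3330    CLOSE_WAIT
  TCP    fileserver:1201        10.0.0.5:nbsession     ESTABLISHED
  TCP    fileserver:80          198.18.0.9:4411        ESTABLISHED
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)\s*$")

def port_number(token):
    """Map a numeric or named port token to an int (None if the name is unknown)."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token.lower())

def is_external(host):
    """True for a literal, globally routable IP; None when netstat printed a name."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return None  # resolved host name: rerun netstat with -n to get the address

def classify(netstat_text):
    """Return one dict per TCP row in which either endpoint uses port 139."""
    findings = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        _, lport, rhost, rport, state = m.groups()
        lp, rp = port_number(lport), port_number(rport)
        if NBSESSION not in (lp, rp):
            continue
        # The endpoint holding port 139 is the one that accepted the session.
        if lp == rp:
            direction = "ambiguous"
        elif lp == NBSESSION:
            direction = "inbound"
        else:
            direction = "outbound"
        findings.append({"remote": rhost, "direction": direction,
                         "state": state, "external": is_external(rhost)})
    return findings
```

For the quoted row the local port is nbsession and the remote port is an ephemeral one, so it is classified as inbound from a public address; CLOSE_WAIT means the peer has closed its side and the local side has not yet closed.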

 
LVL 10

Author Comment

by:rj2
ID: 10927532
nbtstat -s says e.g.
FILESERVER
0
 
LVL 10

Author Comment

by:rj2
ID: 10927539
nbtstat -s says e.g.
FILESERVER     UNKNOWN-NAME      <20>        0B        0B
<20> is the NetBIOS code for server?
0
 
LVL 1

Expert Comment

by:aded
ID: 10927570
<20> is the NetBIOS code for the file server resource!
0
 
LVL 10

Author Comment

by:rj2
ID: 10927738
Yes, is that not strange?
My server should not be connected to these file server resources, so why is it?
How can I find and remove these connections?
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 10929332
If you can get them listed with netstat -a, you can see what processes are using them?
0
 
LVL 10

Author Comment

by:rj2
ID: 10931094
netstat -a does not list which process does what.
tcpview (from http://www.sysinternals.com) does that, but it only says "System:2", same as all the other local nbsessions.
0
 
LVL 2

Expert Comment

by:dramatix01
ID: 10934335
The following URL is a link to the download page for a program called ActivePorts:

http://download.com.com/3000-2085-10062969.html?part=65960%20&subj=dlpage&tag=button

It is freeware.  It will show you a list of all the active connections to your PC (similar to netstat -a, but a GUI version and it dynamically updates) and it also allows you to select and terminate a process.  This is a GREAT piece of software.

Hope this helps!

Regards,
Dave...
0
 
LVL 10

Author Comment

by:rj2
ID: 10936761
I think I fixed this problem now, by removing and reinstalling all network protocols and services and reapplying all service packs and security fixes.
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 12328508
PAQed, with points refunded (500)

Computer101
E-E Admin
0


Question has a verified solution.
