rj2
Netbios security question
A server has been hacked.
Now "nbtstat -s" displays connections that should not be there.
I believe these connections must come from the server and go out, because the firewall only allows incoming connections on port 80 (not 139).
nbtstat -s displays info like this:
FILESERVER NOT-LOCAL-NAME <20> 0B 0B
FILESERVER FOREIGN-NAME <20> 0B 0B
How can I find and remove what makes these connections?
Must I reinstall NT to get rid of them, or are there any other options?
Are these connections listed in the netstat -a listing?
ASKER
Yes. tcpview (from http://www.sysinternals.com) says that the connection is from system:2, same as the other netbios sessions.
ASKER
netstat says e.g.
TCP fileserver:nbsession 61.249.105.143:3330 CLOSE_WAIT
This connection should not be there.
ASKER
nbtstat -s says e.g.
FILESERVER UNKNOWN-NAME <20> 0B 0B
<20> is netbios code for server?
<20> is the NetBIOS code for the file server resource!
ASKER
Yes, is that not strange?
My server should not be connected to these file server resources, so why is it?
How can I find and remove these connections?
If you can get them listed with netstat -a you can see what processes are using them?
ASKER
netstat -a does not list which process does what.
tcpview (from http://www.sysinternals.com) does that, but it only says "System:2", same as all the other local nbsessions.
The following URL is a link to the download page for a program called ActivePorts:
http://download.com.com/3000-2085-10062969.html?part=65960%20&subj=dlpage&tag=button
It is freeware. It will show you a list of all the active connections to your PC (similar to netstat -a, but a GUI version and it dynamically updates) and it also allows you to select and terminate a process. This is a GREAT piece of software.
Hope this helps!
Regards,
Dave...
ASKER
I think I fixed this problem now, by removing and reinstalling all network protocols and services and reapplying all service packs and security fixes.
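A way to triage netstat lines like the ones quoted in this thread, added here as an example and not posted by any participant: it classifies NetBIOS session connections as inbound or outbound by which side holds port 139, and flags peers outside private address space. Only the first sample line comes from the thread; the other lines and the function names are constructed for illustration.

```python
import ipaddress
import re

# Port 139 shows up as "nbsession" in the netstat output quoted in the thread;
# "netbios-ssn" is the name other services files use for the same port.
NB_PORTS = {"139", "nbsession", "netbios-ssn"}
TCP_LINE = re.compile(r"^\s*TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)\s*$")

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE = """\
  TCP    fileserver:nbsession   61.249.105.143:3330     CLOSE_WAIT
  TCP    fileserver:1045        192.168.1.20:nbsession  ESTABLISHED
  TCP    fileserver:80          198.51.100.7:4021       ESTABLISHED
  TCP    fileserver:nbsession   0.0.0.0:0               LISTENING
"""

def classify(line):
    """Describe one netstat TCP line, or return None if it is not a NetBIOS session."""
    m = TCP_LINE.match(line)
    if not m or m.group(5) == "LISTENING":
        return None
    _lhost, lport, rhost, rport, state = m.groups()
    # Heuristic: the side holding port 139 is the one that accepted the session.
    if lport.lower() in NB_PORTS:
        direction = "inbound"
    elif rport.lower() in NB_PORTS:
        direction = "outbound"
    else:
        return None
    try:
        external = not ipaddress.ip_address(rhost).is_private
    except ValueError:
        external = None  # peer shown as a host name; resolve it before judging
    return {"peer": rhost, "direction": direction, "state": state, "external": external}

def flag_external(text):
    """Return NetBIOS sessions whose peer is outside private address space."""
    hits = (classify(line) for line in text.splitlines())
    return [h for h in hits if h and h["external"]]

if __name__ == "__main__":
    for hit in flag_external(SAMPLE):
        # CLOSE_WAIT means the peer already closed its side of the connection.
        print(hit)
```

An inbound result means the peer reached port 139 on the server, so the filtering in front of the server is the first thing to verify.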