Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Netbios security question

Posted on 2004-04-27
13
Medium Priority
?
173 Views
Last Modified: 2010-04-11
A server has been hacked.
Now "nbtstat -s" displays connections that should not be there.
I believe these connections must come from server and out because firewall only allow incoming connections on port 80 (not 139)

nbstat -s display info like this
FILESERVER     NOT-LOCAL-NAME    <20>     0B               0B
FILESERVER     FOREIGN-NAME        <20>     0B               0B

How can I find and remove what makes these connections?
Must I reinstall NT to get rid of them, or are there any other options?
0
Comment
Question by:rj2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
13 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 10926929
are these connections listed in the netstat -a  listing?
0
 
LVL 10

Author Comment

by:rj2
ID: 10927288
yes. tcpview (from http://www.sysinternals.com) says that the connection is from system:2, same as the other netbios sessions.
0
 
LVL 10

Author Comment

by:rj2
ID: 10927511
netstat says e.g
TCP fileserver:nbsession     61.249.105.143:3330   CLOSE_WAIT

This connection should not be there.
0
Simplify Your Workload with One Tool

How do you combat today’s intelligent hacker while managing multiple domains and platforms? By simplifying your workload with one tool. With Lunarpages hosting through Plesk Onyx, you can:

Automate SSL generation and installation with two clicks
Experience total server control

 
LVL 10

Author Comment

by:rj2
ID: 10927532
nbtstat -s says e.g.
FILESERVER
0
 
LVL 10

Author Comment

by:rj2
ID: 10927539
nbtstat -s says e.g.
FILESERVER     UNKNOWN-NAME      <20>        0B        0B
<20> is netbios code for server?
0
 
LVL 1

Expert Comment

by:aded
ID: 10927570
<20> is netbios code for file server ressource !
0
 
LVL 10

Author Comment

by:rj2
ID: 10927738
Yes, is that not strange?
My server should not be connected to these file server resources, so why is it?
How can I find and remove these connections?
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 10929332
if you can get them listed with netstat -a you can see what processes are using them?
0
 
LVL 10

Author Comment

by:rj2
ID: 10931094
netstat -a does not list which process does what.
tcpview (from http://www.sysinternals.com) does that, but it only says "System:2", same as all the other local nbsessions.
0
 
LVL 2

Expert Comment

by:dramatix01
ID: 10934335
The following URL is a link to the download page for a program called ActivePorts:

http://download.com.com/3000-2085-10062969.html?part=65960%20&subj=dlpage&tag=button

It is freeware.  It will show you a list of all the active connections to your PC (similar to netstat -a, but a GUI version and it dynamically updates) and it also allows you to select and terminate a process.  This is a GREAT piece of software.

Hope this helps!

Regards,
Dave...
0
 
LVL 10

Author Comment

by:rj2
ID: 10936761
I think I fixed this problem now, by removing and reinstalling all network protocols and services and reapplying all service packs and security fixes.
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 12328508
PAQed, with points refunded (500)

Computer101
E-E Admin
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question