jmergulhao
asked on
Port 138 UDP connects
Can't seem to find out why my XP Pro PC is making random attempts to connect to other PCs on port 138.
It's not continuous, only every 15-20 minutes, and all random IPs on the same network.
It looks very suspicious but I can't seem to isolate it.
Below is a Snort output, HijackThis and Ethereal.
Thanks,
John
[**] [117:1:1] <\Device\NPF_{AB5EA584-89FF-43D2-A344-24F369206C43}> (spp_portscan2) Portscan detected from 10.12.2.63: 6 targets 6 ports in 0 seconds [**]
10/22-14:28:05.912402 0:D:60:8B:4:E4 -> 0:1:96:DB:70:E1 type:0x800 len:0x11B
10.12.2.63:138 -> 10.2.4.10:138 UDP TTL:32 TOS:0x0 ID:5560 IpLen:20 DgmLen:269
Len: 241
[**] [117:1:1] <\Device\NPF_{AB5EA584-89FF-43D2-A344-24F369206C43}> (spp_portscan2) Portscan detected from 10.12.2.63: 21 targets 21 ports in 0 seconds [**]
10/22-14:28:05.916050 0:D:60:8B:4:E4 -> 0:1:96:DB:70:E1 type:0x800 len:0x11B
10.12.2.63:138 -> 10.2.6.138:138 UDP TTL:32 TOS:0x0 ID:5575 IpLen:20 DgmLen:269
Len: 241
Logfile of HijackThis v1.98.2
Scan saved at 2:41:10 PM, on 10/22/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\system32\ppRemoteService.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Common Files\PestPatrol\PPMCActiveDetection.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\eEye Digital Security\Retina 5\Scanner\RetinaEngine.exe
C:\OfficeScan NT\ofcdog.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\IDScenter\idscenter.exe
C:\Snort\bin\snort.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Ethereal\ethereal.exe
C:\Program Files\Ethereal\ethereal.exe
C:\Documents and Settings\jmerg\My Documents\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.12.1.1:80
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [secureclient] c:\scripts\securestop.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AirCardEnabler] C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\HP DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [DVDBitSet] C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://10.12.4.20/officescan/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} - http://10.12.4.20/officescan/clientinstall/setupini.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://10.12.4.20/officescan/clientinstall/RemoveCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF4810FE-6734-4C78-85B4-478AC617BB14}: NameServer = 192.168.2.100
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
0000 00 01 96 db 70 e1 00 0d 60 8b 04 e4 08 00 45 00 ....p... `.....E.
0010 01 0d 1d 7e 00 00 20 11 62 0c 0a 0c 02 3f 0a 0a ...~.. . b....?..
0020 04 02 00 8a 00 8a 00 f9 2a 95 11 0e 80 4b 0a 0c ........ *....K..
0030 02 3f 00 8a 00 e3 00 00 20 45 4f 45 43 46 45 45 .?...... EOECFEE
0040 50 46 43 45 4b 45 4e 45 46 46 43 45 48 43 41 43 PFCEKENE FFCEHCAC
0050 41 43 41 43 41 43 41 41 41 00 20 45 4b 45 4a 46 ACACACAA A. EKEJF
0060 44 45 44 45 42 45 4f 43 41 43 41 43 41 43 41 43 DEDEBEOC ACACACAC
0070 41 43 41 43 41 43 41 43 41 42 4d 00 ff 53 4d 42 ACACACAC ABM..SMB
0080 25 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 %....... ........
0090 00 00 00 00 00 00 00 00 00 00 00 00 11 00 00 43 ........ .......C
00a0 00 00 00 00 00 00 00 00 00 e8 03 00 00 00 00 00 ........ ........
00b0 00 00 00 43 00 5c 00 03 00 01 00 01 00 02 00 5a ...C.\.. .......Z
00c0 00 5c 4d 41 49 4c 53 4c 4f 54 5c 4e 45 54 5c 4e .\MAILSL OT\NET\N
00d0 45 54 4c 4f 47 4f 4e 00 12 00 00 00 4e 00 42 00 ETLOGON. ....N.B.
00e0 54 00 4f 00 52 00 4a 00 4d 00 45 00 52 00 47 00 T.O.R.J. M.E.R.G.
00f0 00 00 00 00 5c 4d 41 49 4c 53 4c 4f 54 5c 4e 45 ....\MAI LSLOT\NE
0100 54 5c 47 45 54 44 43 30 34 32 00 00 00 00 00 00 T\GETDC0 42......
0110 00 00 00 0b 00 00 00 ff ff ff ff ........ ...
ASKER
Thanks for all your tips and answers.
I'm satisfied that it's normal NT traffic.
Thanks,
John
ASKER
My IP is 10.12.2.63.
I do agree that it looks like standard Windows traffic, but I'm concerned why this workstation is making so many 'SAM NETWORK LOGON REQUEST's for different IP addresses and getting 'SAM RESPONSE - user unknown' from all the BDCs and the PDC.
I am monitoring all in and out traffic for this IP address and I don't see any requests coming in from the other IP addresses.