Solved

Port 138 UDP connects

Posted on 2004-10-22
758 Views
Last Modified: 2013-12-04
Can't seem to find out why my XP Pro PC is making random attempts to connect to other PCs on port 138.
It's not continuous, only every 15-20 minutes, and all random IPs on the same network.
It looks very suspicious but I can't seem to isolate it.

Below is a Snort output, HijackThis log and Ethereal capture.

thx

John

[**] [117:1:1]  <\Device\NPF_{AB5EA584-89FF-43D2-A344-24F369206C43}> (spp_portscan2) Portscan detected from 10.12.2.63: 6 targets 6 ports in 0 seconds [**]
10/22-14:28:05.912402 0:D:60:8B:4:E4 -> 0:1:96:DB:70:E1 type:0x800 len:0x11B
10.12.2.63:138 -> 10.2.4.10:138 UDP TTL:32 TOS:0x0 ID:5560 IpLen:20 DgmLen:269
Len: 241

[**] [117:1:1]  <\Device\NPF_{AB5EA584-89FF-43D2-A344-24F369206C43}> (spp_portscan2) Portscan detected from 10.12.2.63: 21 targets 21 ports in 0 seconds [**]
10/22-14:28:05.916050 0:D:60:8B:4:E4 -> 0:1:96:DB:70:E1 type:0x800 len:0x11B
10.12.2.63:138 -> 10.2.6.138:138 UDP TTL:32 TOS:0x0 ID:5575 IpLen:20 DgmLen:269
Len: 241


Logfile of HijackThis v1.98.2
Scan saved at 2:41:10 PM, on 10/22/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\system32\ppRemoteService.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Common Files\PestPatrol\PPMCActiveDetection.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\eEye Digital Security\Retina 5\Scanner\RetinaEngine.exe
C:\OfficeScan NT\ofcdog.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\IDScenter\idscenter.exe
C:\Snort\bin\snort.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Ethereal\ethereal.exe
C:\Program Files\Ethereal\ethereal.exe
C:\Documents and Settings\jmerg\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.12.1.1:80
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [secureclient] c:\scripts\securestop.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AirCardEnabler] C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\HP DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [DVDBitSet] C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://10.12.4.20/officescan/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} - http://10.12.4.20/officescan/clientinstall/setupini.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://10.12.4.20/officescan/clientinstall/RemoveCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF4810FE-6734-4C78-85B4-478AC617BB14}: NameServer = 192.168.2.100
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll


000  00 01 96 db 70 e1 00 0d  60 8b 04 e4 08 00 45 00   ....p... `.....E.
0010  01 0d 1d 7e 00 00 20 11  62 0c 0a 0c 02 3f 0a 0a   ...~.. . b....?..
0020  04 02 00 8a 00 8a 00 f9  2a 95 11 0e 80 4b 0a 0c   ........ *....K..
0030  02 3f 00 8a 00 e3 00 00  20 45 4f 45 43 46 45 45   .?......  EOECFEE
0040  50 46 43 45 4b 45 4e 45  46 46 43 45 48 43 41 43   PFCEKENE FFCEHCAC
0050  41 43 41 43 41 43 41 41  41 00 20 45 4b 45 4a 46   ACACACAA A. EKEJF
0060  44 45 44 45 42 45 4f 43  41 43 41 43 41 43 41 43   DEDEBEOC ACACACAC
0070  41 43 41 43 41 43 41 43  41 42 4d 00 ff 53 4d 42   ACACACAC ABM..SMB
0080  25 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   %....... ........
0090  00 00 00 00 00 00 00 00  00 00 00 00 11 00 00 43   ........ .......C
00a0  00 00 00 00 00 00 00 00  00 e8 03 00 00 00 00 00   ........ ........
00b0  00 00 00 43 00 5c 00 03  00 01 00 01 00 02 00 5a   ...C.\.. .......Z
00c0  00 5c 4d 41 49 4c 53 4c  4f 54 5c 4e 45 54 5c 4e   .\MAILSL OT\NET\N
00d0  45 54 4c 4f 47 4f 4e 00  12 00 00 00 4e 00 42 00   ETLOGON. ....N.B.
00e0  54 00 4f 00 52 00 4a 00  4d 00 45 00 52 00 47 00   T.O.R.J. M.E.R.G.
00f0  00 00 00 00 5c 4d 41 49  4c 53 4c 4f 54 5c 4e 45   ....\MAI LSLOT\NE
0100  54 5c 47 45 54 44 43 30  34 32 00 00 00 00 00 00   T\GETDC0 42......
0110  00 00 00 0b 00 00 00 ff  ff ff ff                  ........ ...    

Question by:jmergulhao
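Added example, not part of the original thread: a small Python parser that decodes the NetBIOS datagram from the Ethereal dump above, so the port 138 packet can be read as what it is rather than as a port scan. It assumes the standard 0x20-length first-level encoded NetBIOS names (RFC 1001) and the NETLOGON mailslot request layout from MS-ADTS; the payload bytes are transcribed from the dump in the question.

```python
import struct

# Constructed input: the 241-byte UDP payload transcribed from the Ethereal hex dump in the question (frame offsets 0x2a..0x11a).
DATAGRAM = bytes.fromhex(
    "110e804b0a0c" "023f008a00e30000" "20454f4543464545"
    "504643454b454e454646434548434143" "4143414341434141410020454b454a46"
    "4445444542454f434143414341434143" "414341434143414341424d00ff534d42"
    "25000000000000000000000000000000" "00000000000000000000000011000043"
    "000000000000000000e8030000000000" "00000043005c0003000100010002005a"
    "005c4d41494c534c4f545c4e45545c4e" "45544c4f474f4e00120000004e004200"
    "54004f0052004a004d00450052004700" "000000005c4d41494c534c4f545c4e45"
    "545c4745544443303432000000000000" "0000000b000000ffffffff")

SUFFIX = {0x00: "workstation", 0x1B: "domain master browser", 0x1C: "domain controllers", 0x20: "file server"}
OPCODE = {0x12: "LOGON_SAM_LOGON_REQUEST", 0x13: "LOGON_SAM_LOGON_RESPONSE", 0x15: "LOGON_SAM_USER_UNKNOWN"}

def decode_nb_name(encoded):
    """Undo NetBIOS first-level encoding: each of the 16 name bytes is sent as two letters A..P, one per nibble."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]   # (name without space padding, 16th "suffix" byte)

def read_utf16z(buf, pos):
    """Read a NUL-terminated UTF-16LE string starting at pos; return (text, position after the terminator)."""
    end = pos
    while end < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_netbios_datagram(payload):
    """Parse a NetBIOS datagram (UDP 138) carrying an SMB mailslot write to \\MAILSLOT\\NET\\NETLOGON."""
    msg_type, flags, dgm_id, src_ip, src_port, dgm_len, _ = struct.unpack(">BBHIHHH", payload[:14])
    src_name, src_suffix = decode_nb_name(payload[15:47])   # 0x20 length byte, 32 letters, NUL terminator
    dst_name, dst_suffix = decode_nb_name(payload[49:81])
    smb = payload[82:]
    if smb[:4] != b"\xffSMB" or smb[4] != 0x25:              # 0x25 = SMB_COM_TRANSACTION
        raise ValueError("not an SMB transaction datagram")
    word_count = smb[32]
    data_count, data_offset = struct.unpack_from("<HH", smb, 33 + 22)   # DataCount, DataOffset words
    mailslot = smb[35 + 2 * word_count:].split(b"\x00", 1)[0].decode()   # first byte after ByteCount
    data = smb[data_offset:data_offset + data_count]         # the NETLOGON request itself
    opcode = struct.unpack_from("<H", data)[0]
    computer, pos = read_utf16z(data, 4)                     # skip Opcode + RequestCount
    user, pos = read_utf16z(data, pos)                       # UnicodeUserName (empty for a DC query)
    reply_slot = data[pos:].split(b"\x00", 1)[0].decode()    # mailslot the DC should answer to
    pos += len(reply_slot) + 1
    sid_size = struct.unpack_from("<I", data, pos + 4)[0]    # after AllowableAccountControlBits
    nt_version = struct.unpack_from("<I", data, pos + 8 + sid_size)[0]
    return {"msg_type": msg_type, "src_ip": ".".join(map(str, struct.pack(">I", src_ip))), "src_port": src_port,
            "src_name": src_name, "src_suffix": src_suffix, "dst_name": dst_name, "dst_suffix": dst_suffix,
            "dst_role": SUFFIX.get(dst_suffix, "?"), "mailslot": mailslot, "opcode": opcode,
            "opcode_name": OPCODE.get(opcode, "?"), "computer": computer, "user": user,
            "reply_mailslot": reply_slot, "nt_version": nt_version}
```

Run on the captured payload, this reports NBTORJMERG<00> sending a LOGON_SAM_LOGON_REQUEST to the JISCAN<1C> domain controllers group, i.e. the workstation asking the domain's DCs to identify themselves, which is the 'SAM NETWORK LOGON REQUEST' traffic the thread goes on to discuss.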
    5 Comments

    Assisted Solution by: ChrisDrake (LVL 2)
    What's your PC's IP?
    Are you scanning incoming UDPs to it? It might just be replying to incoming crap, and not really originating stuff of its own accord...

    Methinks that's Windows networking stuff, that port?

    Assisted Solution by: mwnnj (LVL 11)
    UDP port 138 is for NetBIOS; you can read the article:
    http://www.grc.com/port_138.htm
    So, if you want, go to Network => Settings => Internet Protocol (TCP/IP) => Properties => Advanced and in the WINS settings disable NetBIOS over TCP/IP; that could help.
    In your firewall you can make a rule disabling NetBIOS (137, 138, 139 and 445) if this doesn't harm your internet connection. Just try!
    Regarding your HijackThis log:
    are you aware of these:
    C:\WINDOWS\system32\TpKmpSVC.exe
    O4 - HKLM\..\Run: [secureclient] c:\scripts\securestop.exe


    Author Comment by: jmergulhao
    ChrisDrake,

    My IP is 10.12.2.63.

    I do agree that it looks like Windows standard traffic, but I'm concerned why this workstation is making so many 'SAM NETWORK LOGON REQUEST's for different IP addresses and getting 'SAM RESPONSE - user unknown' from all the BDCs and the PDC.

    I am monitoring all in and out traffic for this IP address and I don't see any requests coming in from the other IP addresses.


    Accepted Solution by:

    To check for problems with this workstation do this:

    1. Disable NetBIOS on this workstation.
    2. Check for all open ports on this machine.
    3. Run a spyware and a virus check.

    Once all this is done, re-enable NetBIOS only if needed.
    Put a firewall on this machine and restrict it to only the needed ports.

    The NetBIOS requests would go out if you have some files shared or you have a network map. Remember that NetBIOS uses a broadcast to learn the machine it needs to communicate with, so it might be that it's still looking for a machine that it accessed or tried to access. It is normal for a machine that has folders/printers shared to make NetBIOS requests.

    But if you have spyware or a virus it should have been cleaned with the above-mentioned checks.

    Author Comment by: jmergulhao
    Thx for all your tips and answers.

    I'm satisfied that it's normal NT traffic.

    thx

    John