I bet the scans of ports 137 (NetBIOS Name) and 139 (NetBIOS session) happen
all the time and aren't related. Most Internet-connected hosts are being
scanned for these ports being open on a regular basis. File sharing uses
them and if someone has file sharing open a hacker can do mischief.

Good luck with the troubleshooting. This is a good one. I'm still betting on
some IDS or firewall or proxy server. Have you considered personal
firewall/anti-virus software on the affected stations as a possibility too?

Priscilla

Charles Riley wrote:
> 
> Thanks to all who have responded and requested more information.  Below
> is a more embellished picture:
> 
> "Internet"-----BIG_ROUTER-----FR-----2500----HUB---AS5300-------D/U Users
> 
> We are the ISP, in this case, which is why I can say no content
> filtering is occurring.  We have several of these small POPs in the
> region, all of them going to BIG_ROUTER at a central location.
> BIG_ROUTER and its trusty configuration are not suspects at this point
> because the other POPs connected to it have no problem.  In fact, if
> users dial into the POPs of nearby towns, they do not have this
> problem.  This problem was brought to my attention about a week before
> the Slammer attacks occurred.
> 
> The downloads are via HTTP and FTP; the results are the same.  The
> problems occur with any server on the Internet.  This morning, a user
> just informed me that he can no longer download .img files.  He also
> told me that he logs attack traffic, and is seeing a lot of scans and
> attempts against ports 137 (and sometimes 139) on his box.
> 
> I don't think our FR provider is the problem since FR stops at Layer 2
> and won't/can't distinguish between .zip and .gz files.  I am thinking
> that perhaps there is a workstation or server connected to the hub that
> may be proxying or intercepting .zip and .exe requests?  Sam's
> suggestion of sniffing is a good one, and will probably be my next step
> as it's been a while since this POP LAN had its health checked.
> 
> Troubleshooting continues!
> 
> Charles
> 
> ""Priscilla Oppenheimer""  wrote in
> message
> [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > Consider your OSI layers. :-) A hub problem is very unlikely to cause
> > such an issue. A generic router wouldn't either. This definitely seems
> > like a Layer 7 problem.
> >
> > Someone is filtering on .exe and .zip. They just weren't smart enough
> > to think about the UNIX and Mac equivalents. This could be an
> > Intrusion Detection System or some sort of smart firewall.
> >
> > How are they downloading these? E-mail attachments maybe? Not letting
> > users download .exe files via e-mail attachments might make a lot of
> > sense as an e-mail server configuration.
> >
> > Anyway, start looking at Layer 7 and above (politics, policies).
> > Question your Internet provider!
> >
> > Priscilla
> >
> > Charles Riley wrote:
> > >
> > > Sorry, should have mentioned.  I get the same result whether the
> > > user system is UNIX, Mac, or Windows...it plays havoc with .exe and
> > > .zip.
> > >
> > > That is a good suggestion, though, about the sniffer...that is about
> > > the only thing I haven't tried yet.  The Kmart bluelight special hub
> > > is making me a little suspicious...
> > >
> > > Thanks,
> > >
> > > Charles
> > >
> > > "Sam Sneed" wrote in message news:[EMAIL PROTECTED]...
> > > > load a packet sniffer on the laptop and see what really happens. If
> > > > you don't have one I know of a good free one. You install libpcap
> > > > first, reboot and then install analyzer.
> > > >
> > > > http://winpcap.polito.it/install/default.htm
> > > > http://analyzer.polito.it/install/default.htm
> > > >
> > > > Then you can see if the packets are coming back to you and if
> > > > windows is dropping them for some reason.
> > > >
> > > > "Charles Riley" wrote in message news:[EMAIL PROTECTED]...
> > > > > I ran across a strange problem with one of our POPs the other
> > > > > day, and am in the process of researching/troubleshooting it.  We
> > > > > have a configuration something like this:
> > > > >
> > > > >
> > > > >        "Internet"-------2500-------AS5300-------D/U Users
> > > > >
> > > > > Not shown is a LAN connected to the 2nd Ethernet on the 2500.  All
> > > > > connections to the shared Ethernet are via a Kmart bluelight
> > > > > special hub.  The connection to the Internet is a T-1 FR.  Neither
> > > > > the 2500 nor the T-1 is anywhere close to being overloaded.
> > > > >
> > > > > We are not doing any content filtering, nor have any access lists
> > > > > been applied, nor are any sites blocked.
> > > > >
> > > > > The connection works great...email, web browsing, etc. all work
> > > > > just fine.  The only problem is that users can only download UNIX
> > > > > and Mac flavored files, but not anything that smacks of Windows.
> > > > > For example, they can download the .gz/tar and .sft files for an
> > > > > SSH client, but can not download its .exe or .zip counterpart for
> > > > > Windows!  Take the same .exe and .zip file, and rename it with a
> > > > > UNIX or Mac filename extension, and you can download it.
> > > > >
> > > > > Surprisingly enough, the problem does not lie with the users.  I
> > > > > took a "clean" laptop to the site, and encountered the same
> > > > > results.
> > > > >
> > > > > Has anyone ever experienced a problem like this?  Could this be a
> > > > > bug in the IOS on the 2500?  Any suggestions would be welcome.
> > > > >
> > > > >
> > > > > TIA,
> > > > >
> > > > > Charles
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62200&t=62184
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
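The thread's key observation is that the same bytes download fine once the .exe or .zip name is swapped for a UNIX or Mac extension, which is the signature of a filter keyed on the filename rather than on the content. The following Python is an added example, not code from the thread or from any of its participants: it puts a name-based rule beside a magic-byte rule and runs both over constructed samples. The "ssh-client" filenames are invented, the MZ stub is a header only and not a runnable executable, and the two policy sets are assumptions chosen to mirror what the thread describes.

```python
"""Extension-based vs. content-based download filtering (added example).
All sample 'downloads' are constructed inline; nothing touches the network."""
import gzip
import io
import os
import tarfile
import zipfile
import zlib

# (offset, signature, label).  Well-known file signatures; order matters,
# because a raw PE file must match on "MZ" before the tar check at offset 257.
MAGIC = (
    (0, b"MZ", "pe"),             # DOS/PE executable header
    (0, b"PK\x03\x04", "zip"),    # ZIP local file header
    (0, b"PK\x05\x06", "zip"),    # ZIP end-of-central-directory (empty archive)
    (0, b"\x1f\x8b", "gzip"),     # gzip member header
    (257, b"ustar", "tar"),       # POSIX/GNU tar magic in the first header block
)

# Assumed policies: what the thread's mystery filter appears to key on,
# and what a content-aware filter would key on instead.
BLOCKED_EXTENSIONS = {".exe", ".zip"}
BLOCKED_TYPES = {"pe", "zip"}


def extension_filter_blocks(filename: str) -> bool:
    """Naive rule: decide from the last extension in the name only."""
    return os.path.splitext(filename)[1].lower() in BLOCKED_EXTENSIONS


def sniff_type(data: bytes) -> str:
    """Classify by leading bytes; the filename is never consulted."""
    for offset, sig, label in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            return label
    return "unknown"


def unwrapped_type(data: bytes, max_layers: int = 3) -> str:
    """Peel a bounded number of gzip layers and classify what is inside,
    so a PE file gzipped and renamed setup.gz still reads as 'pe'."""
    kind = sniff_type(data)
    for _ in range(max_layers):
        if kind != "gzip":
            break
        try:
            data = gzip.decompress(data)
        except (OSError, EOFError, zlib.error):   # truncated or forged header
            return "corrupt-gzip"
        kind = sniff_type(data)
    return kind


def content_filter_blocks(data: bytes) -> bool:
    """Content-aware rule: block on what the bytes are, not what they are called."""
    return unwrapped_type(data) in BLOCKED_TYPES


# --- constructed samples ---------------------------------------------------

def make_pe_stub() -> bytes:
    """Stand-in for a Windows executable: a valid 'MZ' header, no real code."""
    return b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200


def make_zip(member: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def make_tar(member: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(member)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_samples() -> dict:
    """The same (invented) SSH-client download offered under Windows and UNIX-style names."""
    pe = make_pe_stub()
    return {
        "ssh-client.exe": pe,
        "ssh-client.zip": make_zip("ssh-client.exe", pe),
        "ssh-client.tar.gz": gzip.compress(make_tar("ssh-client", b"#!/bin/sh\n")),
        "ssh-client-renamed.tar": pe,          # .exe bytes under a UNIX-looking name
        "ssh-client.gz": gzip.compress(pe),    # .exe bytes behind one gzip layer
    }


def compare_filters(samples: dict) -> dict:
    """name -> (blocked by extension rule, blocked by content rule, innermost type)."""
    return {
        name: (extension_filter_blocks(name), content_filter_blocks(data), unwrapped_type(data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (by_ext, by_content, kind) in compare_filters(build_samples()).items():
        print(f"{name:24s} ext_rule={str(by_ext):5s} content_rule={str(by_content):5s} type={kind}")
```

Run stand-alone, the table shows exactly the pattern Charles reported: the name-based rule blocks ssh-client.exe and ssh-client.zip and waves through the identical bytes as ssh-client-renamed.tar or ssh-client.gz, while the magic-byte rule blocks all four and still passes the genuine .tar.gz. A content check is not a complete control either (it cannot see into an encrypted archive or past a deliberately mangled header), but it is enough to tell the two kinds of filter apart, and the same differential test (one set of bytes, several names) run from the affected POP with a sniffer on the hub is the quickest way to confirm which box is doing the dropping.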
