[gb-users] [ot] Strange outgoing connections to TCP port 139.

[Scheldebouw]

I have a Windows 2000 server here (SP4 IE6sp1 all Windows updates) that is 
trying to connect to a random 133.x.x.x or 132.x.x.x on TCP port 139 three 
times, exactly every ten minutes. Those 133 and 132 addresses are not used 
by us and seem totally random (universities, military sites, large 
companies, providers in Japan and Mexico ect.). I checked the machine with 
three different anti virus tools and AdAware and even completely rebuild 
the machine once (format/re-install). This machine is used as a http proxy 
(MIMESweeper for WEB 5.0.4) with only three other tools installed on it: 
NetTime 2b7 (NTP tool syncing to internal timeservers), RealVNC 3.3.6 (a 
remotecontrol tool for internal usage) and Powerchute Network Shutdown 2.2 
(for communication with the APC UPS).
The machine has only access to ports 21, 80 and 443 and accepts no incoming 
connections. The outgoing connections to port 139 are initiated by the 
'system' service (according to tcpview).
This is the only machine of around 200 machines that is showing this behaviour.

Anyone any idea? Please?

Please see the log below (195.109.48.216 is the address of our server):
Apr 20 17:12:37 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" 
rule=20 proto=139/tcp src=195.109.48.216 srcport=1321 dst=133.146.110.8 
dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
Apr 20 17:12:40 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" 
rule=20 proto=139/tcp src=195.109.48.216 srcport=1321 dst=133.146.110.8 
dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
Apr 20 17:12:47 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" 
rule=20 proto=139/tcp src=195.109.48.216 srcport=1321 dst=133.146.110.8 
dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2

Apr 20 17:22:37 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" 
rule=20 proto=139/tcp src=195.109.48.216 srcport=1328 dst=133.132.108.200 
dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
Apr 20 17:22:40 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" 
rule=20 proto=139/tcp src=195.109.48.216 srcport=1328 dst=133.132.108.200 
dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
Apr 20 17:22:47 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" 
rule=20 proto=139/tcp src=195.109.48.216 srcport=1328 dst=133.132.108.200 
dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2

Apr 20 17:32:37 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" 
rule=20 proto=139/tcp src=195.109.48.216 srcport=1335 dst=133.134.190.8 
dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
Apr 20 17:32:40 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" 
rule=20 proto=139/tcp src=195.109.48.216 srcport=1335 dst=133.134.190.8 
dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
Apr 20 17:32:47 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" 
rule=20 proto=139/tcp src=195.109.48.216 srcport=1335 dst=133.134.190.8 
dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2

------------------------------------------------------
To unsubscribe:           [EMAIL PROTECTED]
For additional commands:         [EMAIL PROTECTED]
Archive:  http://archives.gnatbox.com/gb-users/