I have a Windows 2000 server here (SP4, IE6 SP1, all Windows updates) that is trying to connect to a random 133.x.x.x or 132.x.x.x on TCP port 139 three times, exactly every ten minutes. Those 133 and 132 addresses are not used by us and seem totally random (universities, military sites, large companies, providers in Japan and Mexico, etc.). I checked the machine with three different antivirus tools and AdAware and even completely rebuilt the machine once (format/re-install). This machine is used as an HTTP proxy (MIMESweeper for WEB 5.0.4) with only three other tools installed on it: NetTime 2b7 (NTP tool syncing to internal timeservers), RealVNC 3.3.6 (a remote-control tool for internal usage) and Powerchute Network Shutdown 2.2 (for communication with the APC UPS).
The machine only has access to ports 21, 80 and 443 and accepts no incoming connections. The outgoing connections to port 139 are initiated by the 'system' service (according to tcpview).
This is the only machine of around 200 machines that is showing this behaviour.


Anyone any idea? Please?

Please see the log below (195.109.48.216 is the address of our server):
Apr 20 17:12:37 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" rule=20 proto=139/tcp src=195.109.48.216 srcport=1321 dst=133.146.110.8 dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
Apr 20 17:12:40 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" rule=20 proto=139/tcp src=195.109.48.216 srcport=1321 dst=133.146.110.8 dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
Apr 20 17:12:47 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" rule=20 proto=139/tcp src=195.109.48.216 srcport=1321 dst=133.146.110.8 dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2


Apr 20 17:22:37 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" rule=20 proto=139/tcp src=195.109.48.216 srcport=1328 dst=133.132.108.200 dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
Apr 20 17:22:40 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" rule=20 proto=139/tcp src=195.109.48.216 srcport=1328 dst=133.132.108.200 dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
Apr 20 17:22:47 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" rule=20 proto=139/tcp src=195.109.48.216 srcport=1328 dst=133.132.108.200 dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2


Apr 20 17:32:37 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" rule=20 proto=139/tcp src=195.109.48.216 srcport=1335 dst=133.134.190.8 dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
Apr 20 17:32:40 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" rule=20 proto=139/tcp src=195.109.48.216 srcport=1335 dst=133.134.190.8 dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
Apr 20 17:32:47 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" rule=20 proto=139/tcp src=195.109.48.216 srcport=1335 dst=133.134.190.8 dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
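
An added example, not part of the original post: a Python script that parses firewall lines in the format shown above, groups blocked packets by TCP 4-tuple, and reports packets per attempt, retry spacing, and the interval between attempts. The sample lines are abridged copies of the post's log, and the year is a placeholder because the timestamps carry none.

```python
import re
from datetime import datetime

# Abridged copies of the log lines in the post (fields the parser ignores dropped).
_T = "flt_action=block proto=139/tcp src=195.109.48.216 srcport={sp} dst={d} dstport=139"
_ROWS = [("17:12", "1321", "133.146.110.8"),
         ("17:22", "1328", "133.132.108.200"),
         ("17:32", "1335", "133.134.190.8")]
SAMPLE = "\n".join(f"Apr 20 {hm}:{s} " + _T.format(sp=sp, d=d)
                   for hm, sp, d in _ROWS for s in ("37", "40", "47"))

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(text, year=2000):
    """Yield (timestamp, fields) per log line; `year` is a placeholder."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, {k: v.strip('"') for k, v in KV.findall(m.group(2))}

def attempts(text):
    """Group blocked packets into connection attempts keyed by TCP 4-tuple."""
    out = {}
    for ts, f in parse(text):
        if f.get("flt_action") == "block":
            key = (f["src"], f["srcport"], f["dst"], f["dstport"])
            out.setdefault(key, []).append(ts)
    return out

def _gaps(times):
    """Seconds between consecutive timestamps."""
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

def summarize(text):
    """Packets per attempt, retry spacing, and spacing between attempts."""
    a = attempts(text)
    starts = sorted(min(t) for t in a.values())
    return {
        "packets": [len(t) for t in a.values()],
        "retry_gaps": [_gaps(sorted(t)) for t in a.values()],
        "period": _gaps(starts),
        "destinations": len({k[2] for k in a}),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Each group of three lines shares one source port, so it is a single connection attempt whose SYN is retried twice, and the attempts start exactly 600 seconds apart.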

