Check to see if you have any system open to the internet on port 3389. Term services has a hole that I believe allows externals inside.
Danny

-----Original Message-----
From: Scheldebouw [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 21, 2004 1:29 AM
To: [EMAIL PROTECTED]
Subject: [gb-users] [ot] Strange outgoing connections to TCP port 139.

I have a Windows 2000 server here (SP4 IE6sp1 all Windows updates) that is trying to connect to a random 133.x.x.x or 132.x.x.x on TCP port 139 three times, exactly every ten minutes. Those 133 and 132 addresses are not used by us and seem totally random (universities, military sites, large companies, providers in Japan and Mexico etc.).

I checked the machine with three different antivirus tools and AdAware and even completely rebuilt the machine once (format/re-install).

This machine is used as an HTTP proxy (MIMESweeper for WEB 5.0.4) with only three other tools installed on it: NetTime 2b7 (NTP tool syncing to internal timeservers), RealVNC 3.3.6 (a remote control tool for internal usage) and Powerchute Network Shutdown 2.2 (for communication with the APC UPS). The machine has only access to ports 21, 80 and 443 and accepts no incoming connections.

The outgoing connections to port 139 are initiated by the 'system' service (according to tcpview). This is the only machine of around 200 machines that is showing this behaviour. Anyone any idea? Please?
Please see the log below (195.109.48.216 is the address of our server):

Apr 20 17:12:37 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" rule=20 proto=139/tcp src=195.109.48.216 srcport=1321 dst=133.146.110.8 dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
Apr 20 17:12:40 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" rule=20 proto=139/tcp src=195.109.48.216 srcport=1321 dst=133.146.110.8 dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
Apr 20 17:12:47 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" rule=20 proto=139/tcp src=195.109.48.216 srcport=1321 dst=133.146.110.8 dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
Apr 20 17:22:37 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" rule=20 proto=139/tcp src=195.109.48.216 srcport=1328 dst=133.132.108.200 dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
Apr 20 17:22:40 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" rule=20 proto=139/tcp src=195.109.48.216 srcport=1328 dst=133.132.108.200 dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
Apr 20 17:22:47 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" rule=20 proto=139/tcp src=195.109.48.216 srcport=1328 dst=133.132.108.200 dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
Apr 20 17:32:37 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" rule=20 proto=139/tcp src=195.109.48.216 srcport=1335 dst=133.134.190.8 dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
Apr 20 17:32:40 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" rule=20 proto=139/tcp src=195.109.48.216 srcport=1335 dst=133.134.190.8 dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2
Apr 20 17:32:47 pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" rule=20 proto=139/tcp src=195.109.48.216 srcport=1335 dst=133.134.190.8 dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2

------------------------------------------------------
To unsubscribe: [EMAIL PROTECTED]
For additional commands: [EMAIL PROTECTED]
Archive: http://archives.gnatbox.com/gb-users/
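
Added example, not part of the original thread: one way to flag the fixed-interval pattern described above from firewall block-log lines in this key=value format. It assumes entries sharing src, srcport, dst and dstport are retries of a single connection attempt; the function names, thresholds and the year default are hypothetical, and the sample is rebuilt from the values in the quoted log.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Sample rebuilt from the timestamps, ports and addresses in the log quoted above.
TEMPLATE = ('Apr 20 {t} pri=4 flt_type=OBF flt_action=block msg="Block OBF (20)" '
            'rule=20 proto=139/tcp src=195.109.48.216 srcport={sp} dst={dst} '
            'dstport=139 interface=fxp0 attribute="alarm,email" flags=0x2')
BURSTS = [("17:12", 1321, "133.146.110.8"), ("17:22", 1328, "133.132.108.200"),
          ("17:32", 1335, "133.134.190.8")]
SAMPLE = [TEMPLATE.format(t=f"{hm}:{s}", sp=sp, dst=dst)
          for hm, sp, dst in BURSTS for s in ("37", "40", "47")]

LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s.*?\bsrc=(?P<src>\S+)\s+'
                     r'srcport=(?P<sport>\d+)\s+dst=(?P<dst>\S+)\s+dstport=(?P<dport>\d+)')

def parse(lines, year=2004):
    """Yield (time, src, srcport, dst, dstport); the log has no year, so one is assumed."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m['src'], int(m['sport']), m['dst'], int(m['dport'])

def find_beacons(lines, min_attempts=3, max_jitter=5.0):
    """Report (src, dstport) pairs whose connection attempts recur at a steady interval."""
    first_seen = {}  # one entry per attempt: retries collapse onto the earliest time
    for ts, src, sport, dst, dport in parse(lines):
        key = (src, sport, dst, dport)
        first_seen[key] = min(ts, first_seen.get(key, ts))
    by_flow = defaultdict(list)  # (src, dstport) -> [(time, dst), ...]
    for (src, _sport, dst, dport), ts in first_seen.items():
        by_flow[(src, dport)].append((ts, dst))
    findings = []
    for (src, dport), attempts in by_flow.items():
        attempts.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(attempts, attempts[1:])]
        # Steady timing = low spread (population std dev) across the gaps.
        if len(attempts) >= max(min_attempts, 2) and pstdev(gaps) <= max_jitter:
            findings.append({"src": src, "dstport": dport, "attempts": len(attempts),
                             "period_s": mean(gaps),
                             "distinct_dsts": len({d for _, d in attempts})})
    return findings

if __name__ == "__main__":
    for f in find_beacons(SAMPLE):
        print(f)
```

A steady period with a different destination on every attempt is the combination worth alerting on; a source port that is reused within one log window would need a time bound on the retry grouping.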
