Strange traffic on port 139

Status
Not open for further replies.

mattmsudawg

IS-IT--Management
Mar 4, 2003
116
US
We are seeing traffic going outbound on port 139 (nbsession) to the private ip address 10.4.0.1. The traffic is only coming from our servers. We've run a full virus scan and used the rootkit revealer from sysinternals and have found nothing. I'm just looking for some ideas of what this could be.

Thanks.

Matt
 
That's NetBios traffic, is 10.4.0.1 anything on your server, such as a DHCP server?

Stu..

Only the truly stupid believe they know everything.
Stu.. 2004
 
Nothing internal. All of our ip's are 172.19.x.x. And what's strange is that it's only originating from the servers ... no workstations.
 
Since the 10.0.0.0 network is a private network, I doubt it's a virus or spyware app. Do you have any connections to other companies, i.e. business partners? It could be their server. If you do a traceroute to the 10.4.0.1 address, where does it go? Do you have clients/users that remotely connect into your network?
 
We don't have anybody remotely connecting into our network, so it couldn't be that. If I run a traceroute it gets to the last hop in our network and then dies. We're also not seeing anything coming back into our network from that ip address ... just traffic going out.
 
Is the traffic constant or appear timed, like every 10 or 15 minutes? If it appears timed, the only thing that comes to mind is a browse master election query.
 
The traffic is not constant in the sense of continuous streaming traffic. But there is no consistent pattern either.
 
So whatever is causing the server to send traffic on port 139 to 10.4.0.1 would be on the server, since there is no VPN or dedicated circuit off your FW (or whatever your last hop is). What I would do is look at your servers: is there one that is just a basic build with no apps installed on it that is behaving the same? If so, look for any apps or scripts. For example, we have a server that is a strict Windows print server, so this would be the server I'd investigate on.
 
Download and install ethereal, capture the packets, examine them. This should give a better idea of exactly what's going on.

CISSP, MCT, MCSE2K/2K3, MCSA, CEH, Security+, Network+, CTT+, A+
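As an added example (not from any poster in this thread), the check a defender would run once the capture or flow logs are in hand: pick out port 139 sessions whose destination is a private address that is not inside the organisation's own range (the thread says 172.19.x.x) and group them by source host, so it is immediately visible that only the servers are talking to 10.4.0.1. The flow records and the 172.19.0.0/16 range are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the original thread):
# src_ip dst_ip dst_port proto
SAMPLE_FLOWS = """\
172.19.1.10 10.4.0.1 139 tcp
172.19.1.11 10.4.0.1 139 tcp
172.19.1.10 172.19.1.5 445 tcp
172.19.5.50 203.0.113.9 443 tcp
172.19.1.12 10.4.0.1 139 tcp
172.19.1.10 10.4.0.1 139 tcp
"""

# Assumed: the organisation's own address space (the thread mentions 172.19.x.x).
OWN_NETWORKS = [ipaddress.ip_network("172.19.0.0/16")]
NBSESSION_PORT = 139  # NetBIOS session service (nbsession)

def parse_flows(text):
    """Parse 'src dst port proto' lines into tuples; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, proto = parts
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      int(port), proto.lower()))
    return flows

def is_internal(addr):
    """True when the address falls inside one of our own ranges."""
    return any(addr in net for net in OWN_NETWORKS)

def find_stray_nbsession(flows):
    """Return {dst_ip: {src_ip: count}} for TCP/139 flows whose destination is
    a private (RFC 1918) address that is NOT inside the organisation's own ranges.
    Those are the sessions worth explaining: internal hosts talking NetBIOS to an
    address nobody on the network claims to own."""
    hits = defaultdict(lambda: defaultdict(int))
    for src, dst, port, proto in flows:
        if proto != "tcp" or port != NBSESSION_PORT:
            continue
        if dst.is_private and not is_internal(dst):
            hits[str(dst)][str(src)] += 1
    return {d: dict(s) for d, s in hits.items()}

if __name__ == "__main__":
    for dst, srcs in find_stray_nbsession(parse_flows(SAMPLE_FLOWS)).items():
        print(dst, sorted(srcs.items()))
```

The per-source counts are what let you say "servers only, no workstations" from the data rather than from a hunch, and the same grouping would show the appliance-to-every-server pattern the thread eventually found.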
 
We ended up finding what was causing it. It was a logging appliance contacting all the servers. We ended up disabling netbios on the logging appliance.

Thanks for all the help!!
 