nasty outbound traffic to port 139

Hi,

(maybe accident)

after installing the new SMC WLAN Driver on my WIN2k Machine with WPA support i have tracked and blocked some nasty outbout traffic to dirffrent IPs
outside of europe (asia) to port 139...

can't really identify the process and used the following methods:

- Antivir XP -> clean
- Bitdefender 7.2 -> clean
- f-prot dos -> clean
- SpyBot -> clean

- Sysinternals, TCPView -> nothing extraordinary, except the new WLAN Procces

- rootkit revealer -> seems to crash (most of my visible files on partition g are hinden form windows api, while no messages form reg, c,d,f)
- blacklight -> clean

thx for any advice or method to identify whats going on!

 

How have you identified/blocked this traffic already?
Any logs of this traffic that you can post?
What firewalling/logging do you have in place?

Regards,

CrazyM

 

kerio 4.2.2 alerts the outbound traffic...but i can't post a log entry for now because i'm @work without access to this laptop...
I will post it after work (ca. GMT+1 18:00 Uhr )

in addition I have dicoverd, that the "threat" seems to discover inet access...

while I'am just connected to my wlan router without access to the inet, it seems that nothing appears...but if I'am connected to my vpn with inet access kerio periodically alerts


clients <wlan: subnet without inetaccess> smc wlanrouter <cable> linux router <inet>

 

hmm i have played around some time with my firewall and watching processes
but i cant identify the source/invoker of the connections...

Kerio just alerts an outgoing connection "Microsoft File and Printer Sharing" to
Port 139 / netbios-ssn. (i can invoke an identically alert with a manuell initiated filesharing connection)

scary but allways the same:

It starts with an connection attempt to
127.0.0.1:139 (blocked from kerio)
next connection attempt to different Ips in asia BUT ONLY if i have an inet connection...if NOT there is only an connection attempt to localhost.

Maybe there are some stealth connections (ICMP) which identify an connection and the visible alerts are just the rest

in addition:
prismsvr.exe form the SMC WLAN directory is the only process i don't realy trust, but it seems to be necessary wpa encryption?)

thx for help and greetings
mr. kartoffel

 

You mention being behind a router, do you have file/printer sharing enabled on the LAN systems? Do you have rules configured in Kerio for this?

Allowing NetBios/file printer sharing on the LAN is fine, but is not something you want going out to the Internet or permit inbound from the Internet.

Regards,

CrazyM

 

thx,
In addition I have blocked all forwarding traffic (135:139, 445) on my fw box for inet connections, but its just a holey patch for my bleeding system...

Besides I'am just one state before Hulk, because I have lost the control over one of my systems

greetings
mr. kartoffel