nasty outbound traffic to port 139

Discussion in 'malware problems & news' started by Mr. Kartoffel, Nov 7, 2005.

Thread Status:
Not open for further replies.
  1. Mr. Kartoffel

    Mr. Kartoffel Registered Member

    Joined:
    Oct 16, 2005
    Posts:
    11
    Location:
    Germany
    Hi,

    (maybe accident)

    After installing the new SMC WLAN driver (with WPA support) on my Win2k machine, I have tracked and blocked some nasty outbound traffic to different IPs
    outside of Europe (Asia) on port 139...

    I can't really identify the process; I used the following methods:

    - Antivir XP -> clean
    - Bitdefender 7.2 -> clean
    - f-prot dos -> clean
    - SpyBot -> clean

    - Sysinternals TCPView -> nothing extraordinary, except the new WLAN process

    - RootkitRevealer -> seems to crash (most of my visible files on partition G are reported as hidden from the Windows API, while there are no messages for the registry or for C, D, F)
    - blacklight -> clean

    Thanks for any advice or method to identify what's going on!
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    How have you identified/blocked this traffic already?
    Any logs of this traffic that you can post?
    What firewalling/logging do you have in place?

    Regards,

    CrazyM
     
  3. Mr. Kartoffel

    Mr. Kartoffel Registered Member

    Joined:
    Oct 16, 2005
    Posts:
    11
    Location:
    Germany
    Kerio 4.2.2 alerts on the outbound traffic... but I can't post a log entry for now because I'm at work without access to this laptop...
    I will post it after work (approx. 18:00 GMT+1 :D )

    In addition I have discovered that the "threat" seems to detect Internet access...

    While I'm just connected to my WLAN router without access to the Internet, it seems that nothing appears... but if I'm connected to my VPN with Internet access, Kerio periodically alerts.


    clients <WLAN: subnet without Internet access> SMC WLAN router <cable> Linux router <Internet>
     
  4. Mr. Kartoffel

    Mr. Kartoffel Registered Member

    Joined:
    Oct 16, 2005
    Posts:
    11
    Location:
    Germany
    Hmm, I have played around for some time with my firewall and watched processes,
    but I can't identify the source/invoker of the connections...

    Kerio just alerts on an outgoing connection "Microsoft File and Printer Sharing" to
    port 139 / netbios-ssn. (I can trigger an identical alert with a manually initiated file-sharing connection.)

    Scary, but always the same:

    It starts with a connection attempt to
    127.0.0.1:139 (blocked by Kerio),
    then the next connection attempt goes to different IPs in Asia, BUT ONLY if I have an Internet connection... if NOT, there is only a connection attempt to localhost.

    Maybe there are some stealth connections (ICMP) which detect a connection, and the visible alerts are just the rest.

    In addition:
    prismsvr.exe from the SMC WLAN directory is the only process I don't really trust, but it seems to be necessary (for WPA encryption?)

    Thanks for the help and greetings,
    Mr. Kartoffel
     
  5. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    You mention being behind a router, do you have file/printer sharing enabled on the LAN systems? Do you have rules configured in Kerio for this?

    Allowing NetBIOS/file and printer sharing on the LAN is fine, but it is not something you want going out to the Internet or permitted inbound from the Internet.

    Regards,

    CrazyM
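Following CrazyM's point that NetBIOS/file sharing belongs on the LAN but should never go out to the Internet, here is an added example (not code from this thread, from Kerio or from SMC) that reviews outbound connection log lines to the Windows sharing ports and sorts them by destination zone: LAN destinations are expected, a NetBIOS session to 127.0.0.1 is flagged as suspicious, and anything aimed at the Internet is an alert even when the firewall already denied it. The log layout, the rule names and every address in it are constructed for the example; real Kerio 4.x logs use their own format, so the regular expression would need adapting.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# TCP/UDP ports used by Windows networking: RPC endpoint mapper (135),
# NetBIOS name/datagram/session services (137-139) and SMB over TCP (445).
WINDOWS_SHARING_PORTS = {135, 137, 138, 139, 445}

# RFC 1918 ranges that count as "LAN" here. Listed explicitly rather than via
# ipaddress's is_private, which also treats documentation ranges such as
# 203.0.113.0/24 (used for the constructed samples below) as private.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample lines in a simplified, Kerio-like layout (assumption:
# this is not real Kerio 4.x log output). Destinations outside the LAN use
# RFC 5737 documentation addresses standing in for the "IPs in Asia".
SAMPLE_LOG = """\
2005-11-07 18:02:11 Permit out TCP 192.168.1.23:1078 -> 192.168.1.10:139 "Microsoft File and Printer Sharing"
2005-11-07 18:02:13 Deny out TCP 192.168.1.23:1079 -> 127.0.0.1:139 "Microsoft File and Printer Sharing"
2005-11-07 18:02:14 Deny out TCP 192.168.1.23:1080 -> 203.0.113.77:139 "Microsoft File and Printer Sharing"
2005-11-07 18:02:20 Permit out TCP 192.168.1.23:1081 -> 198.51.100.9:80 "Internet Explorer"
2005-11-07 18:02:25 Deny out TCP 192.168.1.23:1082 -> 203.0.113.201:445 "Microsoft File and Printer Sharing"
2005-11-07 18:02:31 Permit in TCP 192.168.1.10:1044 -> 192.168.1.23:139 "Microsoft File and Printer Sharing"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<direction>in|out) (?P<proto>\w+) '
    r'(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)'
    r'(?: "(?P<rule>[^"]*)")?$'
)


@dataclass
class Finding:
    timestamp: str
    action: str
    dst: str
    dport: int
    zone: str      # "loopback", "lan" or "internet"
    verdict: str   # "ok", "suspicious" or "alert"


def classify_destination(dst: str) -> str:
    """Place a destination address in the zone the firewall policy cares about."""
    ip = ipaddress.ip_address(dst)
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in LAN_NETWORKS):
        return "lan"
    return "internet"


def review_log(text: str) -> List[Finding]:
    """Return one Finding per outbound connection to a Windows sharing port.

    LAN destinations are expected and marked ok; a NetBIOS session to
    127.0.0.1 is unusual and marked suspicious; anything headed for the
    Internet is an alert regardless of whether the firewall already denied it.
    """
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        dport = int(m["dport"])
        if m["direction"] != "out" or dport not in WINDOWS_SHARING_PORTS:
            continue
        zone = classify_destination(m["dst"])
        verdict = {"lan": "ok", "loopback": "suspicious"}.get(zone, "alert")
        findings.append(Finding(m["ts"], m["action"], m["dst"], dport, zone, verdict))
    return findings


def external_sharing_destinations(findings: List[Finding]) -> List[str]:
    """Distinct Internet-side hosts the machine tried to reach on sharing ports."""
    return sorted({f.dst for f in findings if f.verdict == "alert"})


if __name__ == "__main__":
    results = review_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp}  {f.action:<6} -> {f.dst}:{f.dport}  [{f.zone}]  {f.verdict}")
    print("external sharing destinations:", external_sharing_destinations(results))
```

The list returned by external_sharing_destinations is what you would feed into a whois lookup or a block rule on the gateway; the "suspicious" loopback verdict exists because a client opening a NetBIOS session to its own 127.0.0.1:139, as described earlier in the thread, is not something a normal browse of LAN shares produces.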
     
  6. Mr. Kartoffel

    Mr. Kartoffel Registered Member

    Joined:
    Oct 16, 2005
    Posts:
    11
    Location:
    Germany
    Thanks,
    In addition I have blocked all forwarded traffic (ports 135:139, 445) on my firewall box for Internet connections, but it's just a holey patch for my bleeding system...

    Besides, I'm just one step away from turning into the Hulk, because I have lost control over one of my systems :'( :mad: o_O

    Greetings,
    Mr. Kartoffel
     