-
Netstat---Netbios
Hi,
I work for a company and today on one of the machines, after typing netstat -an, I see that someone is connected to my machine on port 1033; the remote machine was in the same network (the machine that connected to mine) and had port 139 in use. There was no one using that machine, so I typed in the same netstat command on the remote machine, but there was no connection onto mine.
Also when I did an nslookup on the IP address the machine had an alias as 21.x.x.x (I don't remember the entire IP). I did terminate the connection using TCP tools from Sysinternals, but I am not able to understand why this happened. Also the OS is win2kpro and there was nothing in the logs of Event Viewer. No unknown processes found.
Please help!!!
MRG.
-
Win2k boxes on a network "chatter" to each other a lot. It probably is nothing to worry about unless the IP that you are talking about doesn't belong to your network. If that's the case I would ask:-
1. Do you have a firewall?
2. Do you have egress rules?
3. Are ports 135, 137, 139 & 445 blocked from both ingress and egress?
-
Re: Netstat---Netbios
Quote:
Originally posted here by mrg81
Hi,
I work for a company and today on one of the machines, after typing netstat -an, I see that someone is connected to my machine on port 1033; the remote machine was in the same network (the machine that connected to mine) and had port 139 in use. There was no one using that machine, so I typed in the same netstat command on the remote machine, but there was no connection onto mine.
Also when I did an nslookup on the IP address the machine had an alias as 21.x.x.x (I don't remember the entire IP). I did terminate the connection using TCP tools from Sysinternals, but I am not able to understand why this happened. Also the OS is win2kpro and there was nothing in the logs of Event Viewer. No unknown processes found.
Please help!!!
MRG.
I think you may be a little confused about the direction. Netbios (tcp/139) was probably the destination port (especially since the other port was > 1024). What this indicates to me is that your machine attempted to do something like map a drive to the remote computer (What was the connection state? ESTABLISHED?). Did you check to make sure you were not mapping any drives? Someone could have mapped the drive and then logged out and the tcp connection may have persisted in a time-wait, or possibly the connection could have failed and therefore still be working on timing out...
-
For tiger,
I don't have any firewalls; the only reason I am worried is because of the alias IP address that showed up when I tried to do nslookup.
For nebulus 200, I didn't map any drives. Also the connection was in the established state before I terminated the connection. One more thing: there were no sessions when I went to Sessions in Manage in My Computer.
Also the direction was from my machine with ipaddress:1033 ----- > ipaddress:139
MRG.
-
Quote:
Originally posted here by mrg81
For tiger,
I don't have any firewalls; the only reason I am worried is because of the alias IP address that showed up when I tried to do nslookup.
For nebulus 200, I didn't map any drives. Also the connection was in the established state before I terminated the connection. One more thing: there were no sessions when I went to Sessions in Manage in My Computer.
Also the direction was from my machine with ipaddress:1033 ----- > ipaddress:139
MRG.
Ugh, I am tired, now you have confused me. Could you please change one of them to read 'my ip' and 'remote ip'? Many thanks!~
-
Ok.... Let's start by getting a firewall, or firewalls for the individual computers if you can't afford a Linksys or whatever. Having done that you won't have these worries in the future.
-
Oops! Sorry, the first one is myip and the second one is remote ip
myip:1033----->remoteip:139
-
Then your box connected to the remote.... Get a firewall please.....
-
I agree with Tiger, a firewall is essential in this age of the Worm. Are you the only one that uses this computer? Is it part of a workgroup or a domain? Is your AV up to date? Done a complete scan for Adware and Viruses? Something caused your computer to make that connection, and until you can figure out what did, I wouldn't trust the security of it (as a matter of fact, I would trust the security of any of the systems if you don't have a firewall).
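-
The direction question worked out in this thread (myip:1033 -----> remoteip:139 means the local box opened the connection), as an added example that is not part of any post: it parses Windows `netstat -an` output, treats a connection as inbound only when its local port is one the host is listening on, and flags the ports listed earlier in the thread (135, 137, 139, 445). The sample output, its addresses and the function name `classify` are constructed for illustration.

```python
import re

# Constructed sample of Windows `netstat -an` output (addresses are made up).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1033      192.168.1.20:139       ESTABLISHED
  TCP    192.168.1.10:445       192.168.1.30:2045      ESTABLISHED
  TCP    192.168.1.10:1040      192.168.1.20:445       TIME_WAIT
  UDP    192.168.1.10:137       *:*
"""

WINDOWS_FILE_SHARING = {135, 137, 139, 445}  # ports named in the thread
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def classify(netstat_text):
    """Return (direction, local, remote, state, flagged) per non-listening TCP row."""
    rows = [m.groups() for m in map(ROW.match, netstat_text.splitlines()) if m]
    # Heuristic: if the local port is one this host listens on, the peer
    # connected to us (inbound); a high ephemeral local port that nothing
    # listens on means this host initiated the connection (outbound).
    listening = {int(lport) for _, lport, _, _, state in rows if state == "LISTENING"}
    results = []
    for lip, lport, rip, rport, state in rows:
        if state == "LISTENING":
            continue
        lport, rport = int(lport), int(rport)
        direction = "inbound" if lport in listening else "outbound"
        # The service port is on whichever side accepted the connection.
        service_port = lport if direction == "inbound" else rport
        flagged = service_port in WINDOWS_FILE_SHARING
        results.append((direction, f"{lip}:{lport}", f"{rip}:{rport}", state, flagged))
    return results

if __name__ == "__main__":
    for direction, local, remote, state, flagged in classify(SAMPLE):
        note = "  <- RPC/NetBIOS/SMB port" if flagged else ""
        print(f"{direction:8} local {local:22} remote {remote:22} {state}{note}")
```

An outbound row only shows up in the remote machine's own netstat as an inbound row on its port 139 while the connection is still open there.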