Suspicious network traffic

Config · 03-03-2003, 05:26 AM

I have a linux computer setup as a gateway to the internet, it has a 56k modem on one side on the other a normal 100mbit card. Now, one (win98) machines seems to send data to the internet without permission. I have used tcpdump to get further info:

13:30:52 peter.blackjack > 52.159.156.216.netbios-ns: NTP UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:30:52 peter.blackjack > 52.159.156.217.netbios-ns: NTP UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:30:52 peter.blackjack > 52.159.156.218.netbios-ns: NTP UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:30:52 peter.blackjack > 52.159.156.219.netbios-ns: NTP UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:30:52 peter.blackjack > 52.159.156.220.netbios-ns: NTP UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:30:52 peter.blackjack > 52.159.156.221.netbios-ns: NTP UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:30:52 peter.blackjack > 52.159.156.222.netbios-ns: NTP UDP PACKET(137): QUERY; REQUEST; BROADCAST
And so forth. Sometimes, it gets an icmp message back, that a machine was unreachable and other messages. It does this at a rate of about 20packages/second. Also, the win98 box is VERY unstable, explorer crashing all the time etc.
Does anybody know why would my machine contact a huge address range?
Thanks a lot. I know, I could do a format and reinstall, but if I don't have to, I won't, because my parents don't want to

Crashed_Again · 03-03-2003, 09:46 AM

My guess is that your Win98 machine has some sort of virus on it. Do you have an up to date anti-virus on it? This is not normal behavior for windows, then again, define "normal" for a windows machine.

Also if its not a virus you could install ZoneAlarm on the windows machine to stop all this and see if you can get a better understanding of whats going on.

Miky · 03-03-2003, 09:46 AM

I don't know but my idea is that your win98 box is scanning the internet to find a ntp serveur (time server).
I think it should be infected.
Start/Execute/msconfig and uncheck things that might not seem to be normal or edit the regestry and look for programs that startrs at boot up

++

Crashed_Again · 03-03-2003, 10:08 AM

Quote:

I don't know but my idea is that your win98 box is scanning the internet to find a ntp serveur (time server).

I didn't know that ntp was a time server. In that case it could be the synchronize thing in Windows that trys to synchronize its time with a time server. Check it out.

Doh'

williamwbishop · 03-05-2003, 11:48 AM

Network Time Protocol.

Config · 03-08-2003, 05:53 AM

No, it can't be ntp. It is using the blackjack port, the first public port freely usable (1025), and it is scanning all machines, not well known ips of ntp servers. The port getting probed is the netbios port (138 i think), the port for filesharing etc (correct me if i'm wrong).
I do have a antivirus on that machine, but a Virus is my first guess also. The weird random crashes could go in the same category. Unfortunatelly, I cannot get the virus updates anymore. My office doesn't supply them anymore....

nakkaya · 03-08-2003, 01:40 PM

maybe its a spyware or trojan looking for a server or virii all are possible

williamwbishop · 03-08-2003, 02:34 PM

A quote from somewhere, I forget where....

"So how is all this related to port 137? Windows uses it's own system to translate IP addresses into Windows names. These windows names are usually used to identify PCs participating in windows file sharing. However, Windows will attempt to obtain the "windows name" of every other computer it connects to.As a result, Windows has the habit of "probing" port 137.

So what does this mean to all the "port 137" entries I see in my firewall log? A port 137 hit is frequently the first step in a scan for open file shares. In particular if the source port is larger than 1024, you will frequently find Opaserv or similar malware at the source of the scan.

Some of these probes may just be caused by this quirk of Windows. These probes use port 137 as source and targetport. While these probes are not malicious, they are a sign of a sloppy configuration. Windows file sharing packets (port 135-139 and 445) should never leave a reasonable protected perimeter."

Config · 03-09-2003, 07:20 AM

The trick with msconfig helped me.
The traffic seems to be gone and explorer seems to ba stable again. Yet, I don't know which program caused trouble. Three possibilities: scrsvr.exe (existed twice in msconfig), supporter5.exe and mmservice.exe (i think). I'll do some google on these programs, but I think the problem is solved

Thanks guys

markus1982 · 03-09-2003, 07:23 AM

One solution could be getting rid of MS products :-P :-)