Re: ISA UDP 137

  • From: peterjpape@xxxxxx
  • To: isalist@xxxxxxxxxxxxx ("[ISAserver.org Discussion List]")
  • Date: Fri, 22 Nov 2002 14:21:03 -0500

Just a thought on this one not knowing the particulars.  These packets appear 
to be broadcast messages that should be processed on the local network.  ISA 
should not be attempting to send these out onto the net.
It may be a TCP/IP config or ISA LAT issue.  

Is that what I'm reading here?  Is the malformed packet error occurring because 
the destination address is a non-routable address?  Just a thought.
"CISMIC" <cismic@xxxxxxx> wrote:

>http://www.ISAserver.org
>
>
>That actually looks like that mail.hta thing I caught the other day. Since I
>don't run with scripting on my machine I use to read mail.  I found an
>interesting Malware "mail.hta" item.
>
>This is only a partial listing
><script language=vbs>
>malware="4d,5a,90,0,3,0,0,0,4,0,0,0,ff,ff,0,0,b8,0,0,0,0,0,0,0,40,0,0,0,0,0,
>0,0,0,0,0,0,0,0,0,0,0
>
>etc.  The rest of the script contains the stuff that seems to help the
>creation of the malformed packets.  Not sure but they certainly look
>similar.  I would add *.hta to the file types section and not allow that
>coming in via mail or the web.
>
>Joseph
>
>-----Original Message-----
>From: Gregor Streng [mailto:gregorstreng@xxxxxxxxxxxx]
>Sent: Friday, November 22, 2002 8:36 PM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] Re: ISA UDP 137
>
>
>http://www.ISAserver.org
>
>
>Hi,
>
>Having checked the log file again,
>I have to admit more or less every machine is doing it anyway.
>Windows XP clients, Win2K clients, Win2K servers and even the second ISA
>(Windows .Net Server)
>does it.
>The other thing is that some PCs are sending this over UDP 137 and
>others over 138
>
>2002-11-22  00:00:38    10.0.0.x    10.255.255.255  Udp
>138 138 -   Malformed   -   45 00 00 e5 5f 6e 00 00
>80 11 c5 33 0a 00 00 68 0a ff ff ff 00 8a 00 8a 00 d1 5c 05 11 02 81
>60 0a 00 00 68 00 8a 00 bb 00 00 20 46 44 46 46 46 44 45 42 45 4f 45 4f
>43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00 20 45 4a
>45 4f 46 45 45 46 46 43 45 4f 45 42 45 4d 43 41 43 41 43 41 43
>2002-11-22  00:00:57    10.0.0.x    10.255.255.255  Udp
>138 138 -   Malformed   -   45 00 00 e5 2b 27 00 00
>80 11 f9 ae 0a 00 00 34 0a ff ff ff 00 8a 00 8a 00 d1 e3 3c 11 02 82
>92 0a 00 00 34 00 8a 00 bb 00 00 20 46 48 45 46 45 43 46 44 45 46 46 43
>46 47 45 46 46 43 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00 20 45 4a
>45 4f 46 45 45 46 46 43 45 4f 45 42 45 4d 43 41 43 41 43 41 43
>2002-11-22  00:01:35    10.0.0.x    10.255.255.255  Udp
>137 137 -   Malformed   -   45 00 00 4e 88 81 00 00
>80 11 9c e8 0a 00 00 37 0a ff ff ff 00 89 00 89 00 3a ca 4f bd 5a 01
>10 00 01 00 00 00 00 00 00 20 45 45 45 42 46 45 45 42 45 43 45 42 46 44
>45 46 46 44 45 46 46 43 46 47 45 46 46 43 43 41 43 41 00 00 20 00 01
>2002-11-22  00:02:06    10.0.0.x    10.255.255.255  Udp
>138 138 -   Malformed   -   45 00 00 e5 ff f3 00 00
>80 11 24 e3 0a 00 00 33 0a ff ff ff 00 8a 00 8a 00 d1 92 59 11 02 92
>38 0a 00 00 33 00 8a 00 bb 00 00 20 45 4a 46 44 45 42 46 44 45 46 46 43
>46 47 45 46 46 43 44 42 43 41 43 41 43 41 43 41 43 41 43 41 00 20 45 4a
>45 4f 46 45 45 46 46 43 45 4f 45 42 45 4d 43 41 43 41 43 41 43
>
>I don't want to say there is no way that a virus made it into our
>network.
>But all PCs, besides one server (because of Commerce Server 2000), are
>running at least Norton AntiVirus
>2001 with the latest virus databases.
>Moreover, I already did a full scan on the servers but couldn't find any
>trace of a virus.
>
>All servers are fully patched and have the latest security updates
>applied.
>There are only two persons in the company that can access the servers,
>me and another guy.
>The client PCs are free to use by each employee but with a strong
>permission policy in place.
>
>I will keep on looking at what is causing that.
>If anyone has any kind of hint where to start I would highly appreciate
>this hint.
>
>Thank you all
>Gregor Streng
>
>
>-----Original Message-----
>From: John Tolmachoff [mailto:isalist@xxxxxxxxxxxx]
>Sent: 22 November 2002 16:19
>To: [ISAserver.org Discussion List]
>Subject: [isalist] Re: ISA UDP 137
>
>
>http://www.ISAserver.org
>
>
>Well, not a virus, but I remember something a few weeks ago about pop
>ups appearing on users' computers. I think it was some kind of messenger
>that was running on UDP port 137.
>
>John Tolmachoff MCSE, CSSA
>IT Manager, Network Engineer
>RelianceSoft, Inc.
>Fullerton, CA  92835
>www.reliancesoft.com
>
>
>-----Original Message-----
>From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
>Sent: Friday, November 22, 2002 8:13 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] Re: ISA UDP 137
>
>http://www.ISAserver.org
>
>
>John has a point regarding the virus possibility (though I'm not
>personally aware of one using that port). Also, see if any other log
>entries from those machines are turning up any "odd" entries like that.
>Who normally uses / has access to those machines? Do those machines have
>any other network problems? Is there someone using those machines that
>you don't trust (hacker wannabe)? Unfortunately, "malformed" isn't very
>informative.
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
>http://isaserver.org/pages/author_index.asp?aut=3
> http://isatools.org
> Read the help / books / articles!
>
>----- Original Message -----
>From: "Gregor Streng" <gregorstreng@xxxxxxxxxxxx>
>To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>Sent: Friday, November 22, 2002 2:09 AM
>Subject: [isalist] Re: ISA UDP 137
>
>
>http://www.ISAserver.org
>
>
>Hi Jim,
>
>Mostly our Win2K servers doing that and one Win2K client.
>That is 5 PCs.
>Do you have any idea what could cause the incorrect packet header?
>
>Appreciate your help.
>Gregor
>
>
>-----Original Message-----
>From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
>Sent: 21 November 2002 22:23
>To: [ISAserver.org Discussion List]
>Subject: [isalist] Re: ISA UDP 137
>
>
>http://www.ISAserver.org
>
>
>UDP 137 to any broadcast address is an old (but still sorta functional)
>name resolution method; the neighborhood equivalent of me screaming
>"what's Gregor's address?" down your street. Since ISA identifies the
>packet as "malformed", it means that the source of the packet is sending
>something incorrect in the packet header. How many clients are doing this?
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
>http://isaserver.org/pages/author_index.asp?aut=3
> http://isatools.org
> Read the help / books / articles!
>
>----- Original Message -----
>From: "Gregor Streng" <gregorstreng@xxxxxxxxxxxx>
>To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>Sent: Thursday, November 21, 2002 3:27 AM
>Subject: [isalist] ISA UDP 137
>
>
>http://www.ISAserver.org
>
>
>Hello,
>
>I've got a problem.
>The ISA Controls Service on the ISA stops after a few, approx. 15, packet
>filtering errors. The error is:
>
>Packet filter protocol violation. For more information about this event,
>see ISA Server Help.
>EventID: 14046
>
>The logfile shows this line:
>2002-11-21 10:52:01 10.0.0.x 10.255.255.255 Udp
>137 137 - Malformed - 45 00 00 4e 74 73 00 00
>80 11 b0 f9 0a 00 00 34 0a ff ff ff 00 89 00 89 00 3a 0c 3f 81 82 01 10
>00 01 00 00 00 00 00 00 20 45 48 46 43 45 46 45 48 45 50 46 43 43 41 43
>41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00 00 20 00 01
>
>Does anyone have an idea why clients suddenly start to send NetBIOS (if I'm
>right UDP 137 is one) requests to 10.255.255.255? The problem is not
>only clients are causing this, also servers: the DC, the webserver, the
>Exchange .. Moreover there is no box that has got this IP assigned.
>
>Any help would be highly appreciated.
>Gregor
>
>
>
>------------------------------------------------------
>List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
>ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
>------------------------------------------------------
>Exchange Server Resource Site: http://www.msexchange.org/ Windows
>Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT
>Fax Solutions: http://www.ntfaxfaq.com
>------------------------------------------------------
>You are currently subscribed to this ISAserver.org Discussion List as:
>jim@xxxxxxxxxxxx To unsubscribe send a blank email to
>$subst('Email.Unsub')
>


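Jim's reading of the entries as NetBIOS name-resolution broadcasts can be checked directly against the dump Gregor quoted. The following is an added example, not code from anyone in the thread: it parses the hex of the 00:01:35 UDP 137 entry, verifies the IP and UDP lengths and checksums, and decodes the NetBIOS first-level encoded name (RFC 1001/1002: each byte of the name is split into two nibbles and each nibble is sent as 'A' plus the nibble). The only assumption is that the logged bytes are one complete IPv4 datagram starting at the IP header; the bytes themselves are copied from the quoted log.

```python
import struct

# Bytes copied from the 00:01:35 UDP 137 log entry quoted above; the
# parsing below is this example's own, not ISA's (it is assumed the dump
# is one complete IPv4 datagram starting at the IP header).
ISA_DUMP = (
    "45 00 00 4e 88 81 00 00 80 11 9c e8 0a 00 00 37 0a ff ff ff 00 89 00 89 "
    "00 3a ca 4f bd 5a 01 10 00 01 00 00 00 00 00 00 20 45 45 45 42 46 45 45 "
    "42 45 43 45 42 46 44 45 46 46 44 45 46 46 43 46 47 45 46 46 43 43 41 43 "
    "41 00 00 20 00 01"
)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_nb_name(encoded: bytes):
    """Undo RFC 1001 first-level encoding: every name byte became two nibbles,
    each sent as 'A' + nibble (so the pair 'CA' is 0x20, a padding space)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]  # 15-char name, suffix byte

def parse_isa_dump(dump: str) -> dict:
    """Triage one 'Malformed' UDP 137 entry: framing, checksums, NBNS query."""
    pkt = bytes.fromhex(dump.replace(" ", ""))
    ihl = (pkt[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    src, dst = pkt[12:16], pkt[16:20]  # 10.255.255.255 is the 10/8 directed broadcast
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    pseudo = src + dst + struct.pack("!BBH", 0, proto, ulen)  # UDP pseudo-header
    nbns = pkt[ihl + 8:]
    txid, flags, qdcount = struct.unpack("!HHH", nbns[:6])
    name, suffix = decode_nb_name(nbns[13:45])         # nbns[12] is the 0x20 length byte
    qtype, qclass = struct.unpack("!HH", nbns[46:50])  # after the 0x00 terminator
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "total_len": total_len, "captured": len(pkt), "ports": (sport, dport),
        "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,  # a valid header sums to 0
        "udp_checksum_ok": inet_checksum(pseudo + pkt[ihl:ihl + ulen]) == 0,
        "txid": txid, "is_query": not flags & 0x8000, "opcode": (flags >> 11) & 0xF,
        "broadcast": bool(flags & 0x0010), "qdcount": qdcount,
        "name": name, "suffix": suffix, "qtype": qtype, "qclass": qclass,
    }
```

The entry decodes as a structurally valid NBNS name query (opcode 0, broadcast flag set, both checksums correct, 78 bytes as declared) for the name DATABASESERVER with suffix 0x20, sent to the 10/8 directed broadcast address, so the header fields themselves are not what ISA is objecting to. That is consistent with Peter's suggestion that the destination address and the LAT or subnet configuration, not a corrupt packet, are behind the "malformed" verdict.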