Re: ISA UDP 137

  • From: "John Tolmachoff" <isalist@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 22 Nov 2002 11:50:14 -0800

Messengers are not viruses.

Could some kind of messenger be running on your network?

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com


-----Original Message-----
From: Gregor Streng [mailto:gregorstreng@xxxxxxxxxxxx] 
Sent: Friday, November 22, 2002 10:36 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA UDP 137

http://www.ISAserver.org


Hi,

Having checked the log file again, I have to admit more or less every
machine is doing it anyway.
Windows XP clients, Win2K clients, Win2K servers and even the second ISA
(Windows .Net Server) do it.
The other thing is that some PCs are sending this over UDP 137 and
others over 138.

2002-11-22      00:00:38        10.0.0.x        10.255.255.255  Udp
138     138     -       Malformed       -       45 00 00 e5 5f 6e 00 00
80 11 c5 33 0a 00 00 68 0a ff ff ff     00 8a 00 8a 00 d1 5c 05 11 02 81
60 0a 00 00 68 00 8a 00 bb 00 00 20 46 44 46 46 46 44 45 42 45 4f 45 4f
43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00 20 45 4a
45 4f 46 45 45 46 46 43 45 4f 45 42 45 4d 43 41 43 41 43 41 43
2002-11-22      00:00:57        10.0.0.x        10.255.255.255  Udp
138     138     -       Malformed       -       45 00 00 e5 2b 27 00 00
80 11 f9 ae 0a 00 00 34 0a ff ff ff     00 8a 00 8a 00 d1 e3 3c 11 02 82
92 0a 00 00 34 00 8a 00 bb 00 00 20 46 48 45 46 45 43 46 44 45 46 46 43
46 47 45 46 46 43 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00 20 45 4a
45 4f 46 45 45 46 46 43 45 4f 45 42 45 4d 43 41 43 41 43 41 43
2002-11-22      00:01:35        10.0.0.x        10.255.255.255  Udp
137     137     -       Malformed       -       45 00 00 4e 88 81 00 00
80 11 9c e8 0a 00 00 37 0a ff ff ff     00 89 00 89 00 3a ca 4f bd 5a 01
10 00 01 00 00 00 00 00 00 20 45 45 45 42 46 45 45 42 45 43 45 42 46 44
45 46 46 44 45 46 46 43 46 47 45 46 46 43 43 41 43 41 00 00 20 00 01
2002-11-22      00:02:06        10.0.0.x        10.255.255.255  Udp
138     138     -       Malformed       -       45 00 00 e5 ff f3 00 00
80 11 24 e3 0a 00 00 33 0a ff ff ff     00 8a 00 8a 00 d1 92 59 11 02 92
38 0a 00 00 33 00 8a 00 bb 00 00 20 45 4a 46 44 45 42 46 44 45 46 46 43
46 47 45 46 46 43 44 42 43 41 43 41 43 41 43 41 43 41 43 41 00 20 45 4a
45 4f 46 45 45 46 46 43 45 4f 45 42 45 4d 43 41 43 41 43 41 43

I don't want to say there is no way that a virus made it into our
network.
But all PCs, besides one server (because of Commerce Server 2000), are
running at least Norton AntiVirus
2001 with the latest virus databases.
Moreover, I already did a full scan on the servers but couldn't find any
trace of a virus.

All servers are fully patched and have the latest security updates
applied.
There are only two persons in the company that can access the servers,
me and another guy.
The client PCs are free to use by each employee but with a strong
permission policy in place.

I will keep on looking for what is causing that.
If anyone has any kind of hint where to start I would highly appreciate
this hint.

Thank you all
Gregor Streng


-----Original Message-----
From: John Tolmachoff [mailto:isalist@xxxxxxxxxxxx] 
Sent: 22 November 2002 16:19
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA UDP 137




Well, not a virus, but I remember something a few weeks ago about pop
ups appearing on users computers. I think it was some kind of messenger
that was running on UDP port 137.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Friday, November 22, 2002 8:13 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA UDP 137



John has a point regarding the virus possibility (though I'm not
personally aware of one using that port). Also, see if any other log
entries from those machines are turning up any "odd" entries like that.
Who normally uses / has access to those machines? Do those machines have
any other network problems? Is there someone using those machines that
you don't trust (hacker wannabe)? Unfortunately, "malformed" isn't very
informative.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
 http://isatools.org
 Read the help / books / articles!

----- Original Message -----
From: "Gregor Streng" <gregorstreng@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, November 22, 2002 2:09 AM
Subject: [isalist] Re: ISA UDP 137




Hi Jim,

It is mostly our Win2K server doing that and one Win2K client.
That is 5 PCs.
Do you have any idea what could cause the incorrect packet header?

Appreciate your help.
Gregor


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 21 November 2002 22:23
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA UDP 137




UDP 137 to any broadcast address is an old (but still sorta functional)
name resolution method; the neighborhood equivalent of me screaming
"what's Gregor's address?" down your street. Since ISA identifies the
packet as "malformed", it means that the source of the packet is sending
incorrect in the packet header. How many clients are doing this?

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
 http://isatools.org
 Read the help / books / articles!

----- Original Message -----
From: "Gregor Streng" <gregorstreng@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, November 21, 2002 3:27 AM
Subject: [isalist] ISA UDP 137




Hello,

I've got a problem.
The ISA Controls Service on the ISA stops after a few, approx. 15, packet
filtering errors. The error is:

Packet filter protocol violation. For more information about this event,
see ISA Server Help.
EventID: 14046

The logfile shows this line:
2002-11-21 10:52:01 10.0.0.x 10.255.255.255 Udp
137 137 - Malformed - 45 00 00 4e 74 73 00 00
80 11 b0 f9 0a 00 00 34 0a ff ff ff 00 89 00 89 00 3a 0c 3f 81 82 01 10
00 01 00 00 00 00 00 00 20 45 48 46 43 45 46 45 48 45 50 46 43 43 41 43
41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00 00 20 00 01

Has anyone an idea why clients suddenly start to send NetBIOS (if I'm
right UDP 137 is one) requests to 10.255.255.255? The problem is that not
only clients are causing this but also servers, the DC, the webserver, the
Exchange .. Moreover there is no box that has got this IP assigned.

Any help would be highly appreciated.
Gregor



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/ Windows
Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT
Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')
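
Added example, not part of any post in this thread: a small Python parser for the hex dump that ends a "Malformed" UDP 137 log line, decoding the IP/UDP headers and the NetBIOS name query (RFC 1001 first-level name encoding) so the queried name and the length fields can be checked. The function names are illustrative; the sample bytes are copied from the log line in the first message of the thread.

```python
import struct

# Hex dump copied from the UDP 137 log line in the first message of the thread.
SAMPLE = (
    "45 00 00 4e 74 73 00 00 80 11 b0 f9 0a 00 00 34 0a ff ff ff "
    "00 89 00 89 00 3a 0c 3f 81 82 01 10 00 01 00 00 00 00 00 00 "
    "20 45 48 46 43 45 46 45 48 45 50 46 43 43 41 43 41 43 41 43 "
    "41 43 41 43 41 43 41 43 41 43 41 43 41 00 00 20 00 01"
)

def decode_nb_name(enc: bytes):
    """Undo RFC 1001 first-level encoding: each byte became two letters 'A'..'P'."""
    if len(enc) != 32 or any(not 0x41 <= b <= 0x50 for b in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]  # name, suffix byte

def parse_nbns_dump(hexdump: str) -> dict:
    pkt = bytes.fromhex(hexdump)
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ihl < 20 or len(pkt) < ihl + 8 + 12:
        raise ValueError("truncated or non-IPv4 dump")
    ip_len, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    if proto != 17:
        raise ValueError("not UDP")
    sport, dport, udp_len, _ = struct.unpack("!4H", pkt[ihl:ihl + 8])
    nb = pkt[ihl + 8:]
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", nb[:12])
    if qd < 1 or len(nb) < 12 + 1 + 32 + 1 + 4 or nb[12] != 0x20:
        raise ValueError("no complete question section captured")
    name, suffix = decode_nb_name(nb[13:45])
    qtype, qclass = struct.unpack("!2H", nb[46:50])
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "sport": sport, "dport": dport,
        "opcode": (flags >> 11) & 0xF,       # 0 = name query
        "is_response": bool(flags & 0x8000),
        "broadcast": bool(flags & 0x0010),   # B flag
        "name": name, "suffix": suffix,
        "qtype": qtype, "qclass": qclass,
        # Do the length fields agree with the bytes that were logged?
        "ip_len_ok": ip_len == len(pkt),
        "udp_len_ok": udp_len == len(pkt) - ihl,
    }

if __name__ == "__main__":
    for key, value in parse_nbns_dump(SAMPLE).items():
        print(f"{key:12} {value}")
```

For the sample line this yields a broadcast name query for GREGOR with suffix 0x20, and both length fields match the number of bytes logged. The parser covers UDP 137 name queries only; the UDP 138 lines use the datagram-service format.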

