Messengers are not viruses. Could some kind of messenger be running on your network?

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com

-----Original Message-----
From: Gregor Streng [mailto:gregorstreng@xxxxxxxxxxxx]
Sent: Friday, November 22, 2002 10:36 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA UDP 137

http://www.ISAserver.org

Hi,

Having checked the log file again, I have to admit more or less every machine is doing it anyway. Windows XP clients, Win2K clients, Win2K servers and even the second ISA (Windows .NET Server) does it. The other thing is that some PCs are sending this over UDP 137 and others over 138.

2002-11-22 00:00:38 10.0.0.x 10.255.255.255 Udp 138 138 - Malformed - 45 00 00 e5 5f 6e 00 00 80 11 c5 33 0a 00 00 68 0a ff ff ff 00 8a 00 8a 00 d1 5c 05 11 02 81 60 0a 00 00 68 00 8a 00 bb 00 00 20 46 44 46 46 46 44 45 42 45 4f 45 4f 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00 20 45 4a 45 4f 46 45 45 46 46 43 45 4f 45 42 45 4d 43 41 43 41 43 41 43
2002-11-22 00:00:57 10.0.0.x 10.255.255.255 Udp 138 138 - Malformed - 45 00 00 e5 2b 27 00 00 80 11 f9 ae 0a 00 00 34 0a ff ff ff 00 8a 00 8a 00 d1 e3 3c 11 02 82 92 0a 00 00 34 00 8a 00 bb 00 00 20 46 48 45 46 45 43 46 44 45 46 46 43 46 47 45 46 46 43 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00 20 45 4a 45 4f 46 45 45 46 46 43 45 4f 45 42 45 4d 43 41 43 41 43 41 43
2002-11-22 00:01:35 10.0.0.x 10.255.255.255 Udp 137 137 - Malformed - 45 00 00 4e 88 81 00 00 80 11 9c e8 0a 00 00 37 0a ff ff ff 00 89 00 89 00 3a ca 4f bd 5a 01 10 00 01 00 00 00 00 00 00 20 45 45 45 42 46 45 45 42 45 43 45 42 46 44 45 46 46 44 45 46 46 43 46 47 45 46 46 43 43 41 43 41 00 00 20 00 01
2002-11-22 00:02:06 10.0.0.x 10.255.255.255 Udp 138 138 - Malformed - 45 00 00 e5 ff f3 00 00 80 11 24 e3 0a 00 00 33 0a ff ff ff 00 8a 00 8a 00 d1 92 59 11 02 92 38 0a 00 00 33 00 8a 00 bb 00 00 20 45 4a 46 44 45 42 46 44 45 46 46 43 46 47 45 46 46 43 44 42 43 41 43 41 43 41 43 41 43 41 43 41 00 20 45 4a 45 4f 46 45 45 46 46 43 45 4f 45 42 45 4d 43 41 43 41 43 41 43

I don't want to say there is no way that a virus made it into our network. But all PCs, besides one server (because of Commerce Server 2000), are running at least Norton AntiVirus 2001 with the latest virus databases. Moreover, I already did a full scan on the servers but couldn't find any trace of a virus. All servers are fully patched and have the latest security updates applied. There are only two persons in the company that can access the servers, me and another guy. The client PCs are free to use by each employee but with a strong permission policy in place.

I will keep on looking for what is causing that. If anyone has any kind of hint where to start I would highly appreciate this hint.

Thank you all

Gregor Streng

-----Original Message-----
From: John Tolmachoff [mailto:isalist@xxxxxxxxxxxx]
Sent: 22 November 2002 16:19
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA UDP 137

http://www.ISAserver.org

Well, not a virus, but I remember something a few weeks ago about pop-ups appearing on users' computers. I think it was some kind of messenger that was running on UDP port 137.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Friday, November 22, 2002 8:13 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA UDP 137

http://www.ISAserver.org

John has a point regarding the virus possibility (though I'm not personally aware of one using that port).
Also, see if any other log entries from those machines are turning up any "odd" entries like that.
Who normally uses / has access to those machines?
Do those machines have any other network problems?
Is there someone using those machines that you don't trust (hacker wannabe)?
Unfortunately, "malformed" isn't very informative.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
http://isatools.org
Read the help / books / articles!

----- Original Message -----
From: "Gregor Streng" <gregorstreng@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, November 22, 2002 2:09 AM
Subject: [isalist] Re: ISA UDP 137

http://www.ISAserver.org

Hi Jim,

Mostly it is our Win2K server doing that and one Win2K client. That is 5 PCs.
Do you have any idea what could cause the incorrect packet header?

Appreciate your help.

Gregor

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 21 November 2002 22:23
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA UDP 137

http://www.ISAserver.org

UDP 137 to any broadcast address is an old (but still sorta functional) name resolution method; the neighborhood equivalent of me screaming "what's Gregor's address?" down your street.
Since ISA identifies the packet as "malformed", it means that the source of the packet is sending incorrect data in the packet header.
How many clients are doing this?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
http://isatools.org
Read the help / books / articles!

----- Original Message -----
From: "Gregor Streng" <gregorstreng@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, November 21, 2002 3:27 AM
Subject: [isalist] ISA UDP 137

http://www.ISAserver.org

Hello,

I've got a problem. The ISA Controls Service on the ISA stops after a few, approx. 15, packet filtering errors. The error is:

Packet filter protocol violation. For more information about this event, see ISA Server Help.
EventID: 14046

The logfile shows this line:

2002-11-21 10:52:01 10.0.0.x 10.255.255.255 Udp 137 137 - Malformed - 45 00 00 4e 74 73 00 00 80 11 b0 f9 0a 00 00 34 0a ff ff ff 00 89 00 89 00 3a 0c 3f 81 82 01 10 00 01 00 00 00 00 00 00 20 45 48 46 43 45 46 45 48 45 50 46 43 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00 00 20 00 01

Has anyone an idea why clients suddenly start to send NetBIOS (if I'm right, UDP 137 is one) requests to 10.255.255.255? The problem is that not only clients are causing this but also servers: the DC, the webserver, the Exchange ..
Moreover there is no box that has got this IP assigned.

Any help would be highly appreciated.

Gregor

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
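The "Malformed" entries quoted in the thread carry a hex dump of the leading bytes of each packet, and that dump answers most of what the replies ask for (which host is talking, and to which NetBIOS name). The decoder below is an added example and is not code from the thread or from ISA Server; it assumes the column layout visible in the quoted lines (date, time, src, dst, proto, sport, dport, "-", "Malformed", "-", hex bytes) and decodes the IPv4 and UDP headers, then the NetBIOS name-service query (UDP 137) or datagram header (UDP 138) as RFC 1001/1002 define them. The two sample entries are copied from the thread; the posters masked the source column as 10.0.0.x, but the dumped IPv4 header still carries the real address, which is worth knowing when sanitising logs for a public list.

```python
import struct

# Two entries quoted from the thread above. The poster masked the source
# column as 10.0.0.x, but the dumped IPv4 header still carries the address.
SAMPLE_NBNS = (
    "2002-11-21 10:52:01 10.0.0.x 10.255.255.255 Udp 137 137 - Malformed - "
    "45 00 00 4e 74 73 00 00 80 11 b0 f9 0a 00 00 34 0a ff ff ff 00 89 00 89 "
    "00 3a 0c 3f 81 82 01 10 00 01 00 00 00 00 00 00 20 45 48 46 43 45 46 45 48 "
    "45 50 46 43 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00 "
    "00 20 00 01")
SAMPLE_NBDS = (
    "2002-11-22 00:00:38 10.0.0.x 10.255.255.255 Udp 138 138 - Malformed - "
    "45 00 00 e5 5f 6e 00 00 80 11 c5 33 0a 00 00 68 0a ff ff ff 00 8a 00 8a "
    "00 d1 5c 05 11 02 81 60 0a 00 00 68 00 8a 00 bb 00 00 20 46 44 46 46 46 44 "
    "45 42 45 4f 45 4f 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 "
    "41 00 20 45 4a 45 4f 46 45 45 46 46 43 45 4f 45 42 45 4d 43 41 43 41 43 41 43")


def ipv4_checksum_ok(header: bytes) -> bool:
    """True if the IPv4 header's one's-complement checksum verifies."""
    words = struct.unpack("!%dH" % (len(header) // 2), header[:len(header) & ~1])
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_nb_name(buf: bytes, off: int):
    """Decode a first-level encoded NetBIOS name (RFC 1001 14.1) at buf[off].

    Wire form: length byte, 32 bytes in 'A'..'P' (one per nibble of the 16
    name bytes), 0x00 terminator. Returns (name, suffix, next_off, complete);
    a capture cut short yields the decodable prefix with suffix None.
    """
    if off >= len(buf):
        return "", None, off, False
    length = buf[off]
    enc = buf[off + 1:off + 1 + length]
    if any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, len(enc) - 1, 2))
    if len(raw) == 16 and len(enc) == length and off + 1 + length < len(buf):
        return raw[:15].rstrip(b" ").decode("ascii", "replace"), raw[15], off + 2 + length, True
    return raw.rstrip(b" ").decode("ascii", "replace"), None, len(buf), False


def parse_isa_malformed(line: str) -> dict:
    """Parse one ISA packet-filter log line and decode the dumped packet."""
    fields = line.split()
    pkt = bytes.fromhex(" ".join(fields[fields.index("Malformed") + 2:]))
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    info = {"src": ".".join(map(str, pkt[12:16])),
            "dst": ".".join(map(str, pkt[16:20])),
            "proto": pkt[9],
            "ip_checksum_ok": ipv4_checksum_ok(pkt[:ihl]),
            "total_len": total_len, "captured": len(pkt),
            "truncated": len(pkt) < total_len}   # ISA keeps only the leading bytes
    if pkt[9] != 17:
        return info
    info["udp_src"], info["udp_dst"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    body = pkt[ihl + 8:]
    if info["udp_dst"] == 137:                       # name service, RFC 1002 4.2.1
        tid, flags = struct.unpack("!HH", body[:4])
        name, suffix, nxt, _ = decode_nb_name(body, 12)
        qtype, qclass = (struct.unpack("!HH", body[nxt:nxt + 4])
                         if len(body) >= nxt + 4 else (None, None))
        info.update(service="NBNS", trans_id=tid, opcode=(flags >> 11) & 0xF,
                    broadcast=bool(flags & 0x0010), query_name=name,
                    query_suffix=suffix, qtype=qtype, qclass=qclass)
    elif info["udp_dst"] == 138:                     # datagram service, RFC 1002 4.4.1
        mtype, _flags, dgm_id, sip, sport = struct.unpack("!BBH4sH", body[:10])
        sname, ssuf, nxt, _ = decode_nb_name(body, 14)
        dname, dsuf, _, dcomplete = decode_nb_name(body, nxt)
        info.update(service="NBDS", msg_type=mtype, datagram_id=dgm_id,
                    source_ip=".".join(map(str, sip)), source_port=sport,
                    source_name=sname, source_suffix=ssuf, dest_name=dname,
                    dest_suffix=dsuf, dest_name_complete=dcomplete)
    return info


def summarize(info: dict) -> str:
    """One-line triage reading of a decoded entry."""
    def tag(s):
        return f"<{s:02X}>" if s is not None else "<..>"
    head = f"{info['src']} -> {info['dst']}"
    if info.get("service") == "NBNS":
        kind = "broadcast " if info["broadcast"] else ""
        return f"{head} NBNS {kind}query for {info['query_name']}{tag(info['query_suffix'])}"
    if info.get("service") == "NBDS":
        note = "" if info["dest_name_complete"] else " (capture truncated)"
        return (f"{head} NBDS datagram 0x{info['datagram_id']:04X} from "
                f"{info['source_name']}{tag(info['source_suffix'])} to "
                f"{info['dest_name']}{tag(info['dest_suffix'])}{note}")
    return f"{head} proto {info['proto']}"


if __name__ == "__main__":
    for entry in (SAMPLE_NBNS, SAMPLE_NBDS):
        print(summarize(parse_isa_malformed(entry)))
```

Run against the two quoted entries, the decoder reports a broadcast NBNS query from 10.0.0.52 for the name GREGOR<20> (the file-server suffix, i.e. an ordinary name lookup) and a NetBIOS datagram from SUSANN<20> addressed to the INTERNAL group name, cut off by the log's byte limit before the destination suffix. Both IPv4 headers carry a correct checksum and both name encodings are valid, so nothing the decoder checks explains ISA's "malformed" verdict, which matches Jim's remark that the label is not very informative. 10.255.255.255 is the directed broadcast address of 10.0.0.0/8, which is why no host has it assigned; every machine with a /8 mask sends its NetBIOS broadcasts there.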