Actually, that was "valid" traffic that was merely taking advantage of the fact that most Windows users don't know about locking down or firewalling their Internet-enabled system. It was "advertising" using the Messenger/Alerter service combination (net send functionality). Those use UDP-135/139. BTW, thank your ISP for not UDP-137 is specifically name resolution (broadcast or WINS).

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
http://isatools.org
Read the help / books / articles!

----- Original Message -----
From: "John Tolmachoff" <isalist@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, November 22, 2002 8:18 AM
Subject: [isalist] Re: ISA UDP 137

http://www.ISAserver.org

Well, not a virus, but I remember something a few weeks ago about pop-ups appearing on users' computers. I think it was some kind of messenger that was running on UDP port 137.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Friday, November 22, 2002 8:13 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA UDP 137

John has a point regarding the virus possibility (though I'm not personally aware of one using that port). Also, see if any other log entries from those machines are turning up any "odd" entries like that.

Who normally uses / has access to those machines?
Do those machines have any other network problems?
Is there someone using those machines that you don't trust (hacker wannabe)?

Unfortunately, "malformed" isn't very informative.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
http://isatools.org
Read the help / books / articles!

----- Original Message -----
From: "Gregor Streng" <gregorstreng@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, November 22, 2002 2:09 AM
Subject: [isalist] Re: ISA UDP 137

Hi Jim,

Mostly our Win2K servers are doing that, and one Win2K client. That is 5 PCs. Do you have any idea what could cause the incorrect packet header?

Appreciate your help.

Gregor

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 21 November 2002 22:23
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA UDP 137

UDP 137 to any broadcast address is an old (but still sorta functional) name resolution method; the neighborhood equivalent of me screaming "what's Gregor's address?" down your street. Since ISA identifies the packet as "malformed", it means that the source of the packet is sending incorrect in the packet header.

How many clients are doing this?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
http://isatools.org
Read the help / books / articles!

----- Original Message -----
From: "Gregor Streng" <gregorstreng@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, November 21, 2002 3:27 AM
Subject: [isalist] ISA UDP 137

Hello,

I've got a problem. The ISA Controls Service on the ISA stops after a few, approx. 15, packet filtering errors. The error is:

Packet filter protocol violation. For more information about this event, see ISA Server Help.
EventID: 14046

The logfile shows this line:

2002-11-21 10:52:01 10.0.0.x 10.255.255.255 Udp 137 137 - Malformed - 45 00 00 4e 74 73 00 00 80 11 b0 f9 0a 00 00 34 0a ff ff ff 00 89 00 89 00 3a 0c 3f 81 82 01 10 00 01 00 00 00 00 00 00 20 45 48 46 43 45 46 45 48 45 50 46 43 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00 00 20 00 01

Has anyone an idea why clients suddenly start to send NetBIOS (if I'm right, UDP 137 is one) requests to 10.255.255.255? The problem is that not only clients are causing this but also servers: the DC, the webserver, the Exchange... Moreover, there is no box that has got this IP assigned.

Any help would be highly appreciated.

Gregor

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
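
Added example, not part of the original thread: the packet bytes from the "Malformed" log line above, decoded field by field so the IP/UDP lengths, the IP header checksum and the queried NetBIOS name can be checked directly. It assumes an IPv4/UDP packet carrying one NetBIOS name service question with RFC 1001 first-level name encoding; the function names are illustrative.

```python
import ipaddress
import struct

# Packet bytes copied from the "Malformed" log line in the thread.
LOGGED = bytes.fromhex(
    "45 00 00 4e 74 73 00 00 80 11 b0 f9 0a 00 00 34 0a ff ff ff "
    "00 89 00 89 00 3a 0c 3f 81 82 01 10 00 01 00 00 00 00 00 00 "
    "20 45 48 46 43 45 46 45 48 45 50 46 43 43 41 43 41 43 41 43 "
    "41 43 41 43 41 43 41 43 41 43 41 43 41 00 00 20 00 01"
)


def ip_header_checksum_ok(header):
    """One's-complement sum over the header, checksum included, must be 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_netbios_name(encoded):
    """Undo first-level encoding: two letters 'A'..'P' carry one byte's nibbles."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]  # (name, suffix byte)


def parse_nbns_query(pkt):
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    (ip_len,) = struct.unpack("!H", pkt[2:4])
    src, dst = (str(ipaddress.IPv4Address(pkt[o:o + 4])) for o in (12, 16))
    sport, dport, udp_len, _csum = struct.unpack("!4H", pkt[ihl:ihl + 8])
    nb = pkt[ihl + 8:]                             # NetBIOS name service payload
    if len(nb) < 50 or nb[12] != 32 or nb[45] != 0:
        raise ValueError("not a single unscoped NetBIOS name question")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", nb[:12])
    name, suffix = decode_netbios_name(nb[13:45])
    qtype, qclass = struct.unpack("!2H", nb[46:50])
    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "lengths_consistent": ip_len == len(pkt) and udp_len == len(pkt) - ihl,
        "ip_checksum_ok": ip_header_checksum_ok(pkt[:ihl]),
        "is_query": flags >> 15 == 0 and (flags >> 11) & 0xF == 0,
        "broadcast": bool(flags & 0x0010),
        "qdcount": qdcount, "name": name, "suffix": suffix,
        "qtype": qtype, "qclass": qclass,
    }


if __name__ == "__main__":
    for field, value in parse_nbns_query(LOGGED).items():
        print(f"{field:19} {value}")
```

For the logged bytes this yields a broadcast name query for GREGOR<20> from 10.0.0.52 to 10.255.255.255, with consistent IP and UDP lengths and a valid IP header checksum.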