Re: ISA UDP 137
- From: "John Tolmachoff" <isalist@xxxxxxxxxxxx>
- To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
- Date: Fri, 22 Nov 2002 08:18:36 -0800
Well, not a virus, but I remember something a few weeks ago about pop ups
appearing on users computers. I think it was some kind of messenger that was
running on UDP port 137>
John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Friday, November 22, 2002 8:13 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA UDP 137
http://www.ISAserver.org
John has a point regarding the virus possibility (though I'm not personally
aware of one using that port).
Also, see if any other log entries from those machines are turning up any
"odd" entries like that.
Who normally uses / has access to those machines?
Do those machines have any other network problems?
Is there someone using those machines that you don't trust (hacker wanabe)?
Unfortunately, "malformed" isn't very informative.
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
http://isatools.org
Read the help / books / articles!
----- Original Message -----
From: "Gregor Streng" <gregorstreng@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, November 22, 2002 2:09 AM
Subject: [isalist] Re: ISA UDP 137
http://www.ISAserver.org
Hi Jim,
Mostly our Win2K server doing that and one Win2K client.
That are 5 Pc's.
Do you have any idea what could cause the incorrect packet header?
Appreciate your help.
Gregor
-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 21 November 2002 22:23
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA UDP 137
http://www.ISAserver.org
UDP 137 to any broadcast address is an old (but still sorta functional)
name resolution method; the neighborhood equivalent of me screaming
"what's Gregor's address?" down your street. Since ISA identifies the
packet as "malformed", it means that the source of the packet is sending
incorrect in the packet header. How many clients are doing this?
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
http://isatools.org
Read the help / books / articles!
----- Original Message -----
From: "Gregor Streng" <gregorstreng@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, November 21, 2002 3:27 AM
Subject: [isalist] ISA UDP 137
http://www.ISAserver.org
Hello,
I've got a problem.
The ISA Controls Service on the ISA stops after a few, aprox. 15, packet
filtering errors. The errors is:
Packet filter protocol violation. For more information about this event,
see ISA Server Help.
EventID: 14046
The logfile shows this line:
2002-11-21 10:52:01 10.0.0.x 10.255.255.255 Udp
137 137 - Malformed - 45 00 00 4e 74 73 00 00
80 11 b0 f9 0a 00 00 34 0a ff ff ff 00 89 00 89 00 3a 0c 3f 81 82 01 10
00 01 00 00 00 00 00 00 20 45 48 46 43 45 46 45 48 45 50 46 43 43 41 43
41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00 00 20 00 01
Has anyone an idea why clients suddenly start to send netbois (if I'm
right Udp 137 is one) requests to 10.255.255.255. The problem is not
only clients are causing this also servers,the DC, the webserver, the
exchange .. Moreover there is no box that has got this ip assigned.
Any help would be highly appreciated.
Gregor
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/ Windows
Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT
Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/ Windows
Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT
Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregorstreng@xxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
isalist@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
Other related posts:
