Date:      Tue, 25 May 1999 00:27:11 +0930 (CST)
From:      Kris Kennaway <kkennawa@physics.adelaide.edu.au>
To:        Kiril Mitev <kiril@ideaglobal.com>
Cc:        Dag-Erling Smorgrav <des@flood.ping.uio.no>, greg@qmpgmc.ac.uk, freebsd-security@freebsd.org
Subject:   Re: Server trying to connect to Port 113
Message-ID:  <Pine.OSF.4.10.9905250018340.14494-100000@bragg>
In-Reply-To: <199905241422.PAA02615@idea.co.uk>

On Mon, 24 May 1999, Kiril Mitev wrote:

> > "Greg Quinlan" <greg@qmpgmc.ac.uk> writes:
> > > So will it affect anything by opening port 113? ...(getting 2000 or so log
> > > entries from the same server)
> > 
> > Don't log, or at least, don't log connections to ports to which you
> > expect benign (if misguided) traffic, such as auth and the netbios
> > ports.
> 
> I beg to disagree, any access attempt from 'outside' to any netbios
> ports is 99% indicative of a break-in attempt.

Windows machines like to attempt NetBIOS connections to remote machines in the
Internet under certain circumstances when you attempt a TCP/IP connection. I
think it's the fault of Internet Exploder mostly - usually it's port 137, but
port 138 and 139 are seen occasionally (they're other NetBIOS control ports).
I think it's trying to do a WINS lookup in parallel with your TCP connection
or something.

I see lots of outgoing NetBIOS packets on my network, not just incoming ones.
To be sure, there are a lot of forged or malign packets floating around as
well, but they're not all bad.

I don't know what the heck is wrong with the Windows TCP stack, BTW[1]. I see
all kinds of bizarre traffic outgoing from the machines on the LAN at work
(which isn't even that big). By far the strangest would have to be a Lose'95
machine which likes to address its packets in reverse byte order: 4.3.2.1 for
1.2.3.4.

Go figure :-)

Kris

[1] Rhetorical question.

-----
"Never criticize anybody until you have walked a mile in their shoes,
because by that time you will be a mile away and have their shoes."
    -- Unknown


