Posted by jayjwa on August 4, 2004, 6:19 pm
> I am not sure whether my machine got hacked. It keeps trying to make
> TCP connections to port 139 on the other machine[s]. However, I found
> no process based on its initiating port. It seems to me it was
> spawned by another running process, but I am running out of ideas to
> track that down.
Try a web-search about SMB and Windows "File Sharing"/Network
Neighborhood, and netbios. It's a big topic.
> One thing I don't really understand is that how does my machine know
> these IP addresses for connection; therefore, I suspect it has been
> hacked
>
Broadcasts. They look for who is the domain master, have "elections",
create Browse-lists. My ISP's network is buzzing with activity from
Windows machines. I too wondered why all these machines seemed to probe
mine on certain ports, namely 137-138/udp, and 139,445/tcp. If you
have a sniffer, watch the traffic sometime and see what they send.
Have a look at http://www.samba.org/. They're better at explaining
stuff and you can see source code, unlike whatever MS has on it (if
you can find what you're looking for on their site...)
> Not sure whether it is related. There are a lot of machines trying to
> make connections to my machine at port 135 and 445. Most initiating
> IPs are near. If this is normal, how do they know my IP? I just hope
> my machine didn't broadcast its address for invitations! :(
They're probably all on your ISP's subnet, right? Visible, browsable
machines should make up the Windows Network Neighborhood (don't quote
me on this, I never checked it from a Windows machine myself). On
Linux, I can see a shares listing with something like this-
smbclient -U guest -N -L <the netbios machine's name>
> I am using Windows 2000 Server with limited ports open to the net. I
> captured these IP logs from my hardware router.
Be careful what you're serving up ;) A few people have their C:\
shared with the rest of the subnet here. I'm not sure how secure MS
Windows 2000 server is, but there have been issues in the past regarding
this area; like anything else, keep patched, keep current, and do your
homework.
--
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++