Windows 2000 server trying to connect port 139 & 445 to an Internet host


J.H

Hi,

We currently detected one server (W2K, SP3 with MSSQL SP3, IIS installed) that keeps
trying to connect to an Internet host on ports 139 and 445. I checked on the
server with netstat -an, netstat -a, etc., and it tries to connect to that
Internet host by FQDN on ports 139 and 445.

I ran several tools from Sysinternals but could not find anything abnormal. I
checked the whole registry, program folders, the C: drive, winnt, system32,
Task Manager... there is nothing that reveals a clue.


Anyone who knows, please shed some light!!!

Thanks,
J.H
 
So you say "tries" and that netstat is not helping you, but you say it is
trying to connect using FQDN.
So apparently the connection is never happening, hence you do not
get info in netstat or with sysinternals TcpView, etc. to let you have
a clue what is driving the behavior.
But, you could define an IP of your choice in HOSTS file for the FQDN
and then intercept the attempt, possibly defining what is needed on your
receiving machine to make the connection happen, at least long enough
to get some info from TcpView.

Too bad your server is W2k (and out of date on service) else my first
suggestion would be to use the free tool named PortRptr from Microsoft

http://www.microsoft.com/downloads/...9b-bae9-4243-b9d6-63e62b4bcd2e&DisplayLang=en
 
Hi Roger,

Thanks for your response. We blocked outgoing traffic to the Internet on ports 445 and
139.
We detected this problem because we noticed the traffic in our
firewall network monitoring tool.

Thanks,
Jake
 
Roger,

Here is what netstat -a returned:

SOURCE DEST ACT
TCP XXXX:2802 0.0.0.0:0 LISTENING
TCP XXXX:2802 XXXX:139 ESTABLISHED
TCP XXXX:2805 XXXX:445 SYN_SENT
TCP XXXX:2806 0.0.0.0:0 LISTENING
TCP XXXX:2806 64.224.17.219:139 SYN_SENT
TCP XXXX:2805 64.224.17.219:445 SYN_SENT


It looks like it tries once every 30 seconds to connect to
64.224.17.219.139
on ports 139 and 445. On the firewall we saw the attempts, but we block outgoing
ports 139 and 445.


J.H
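
One way to flag this pattern automatically in saved netstat output, as an added example that is not part of the original thread: it parses rows in the layout posted above and reports TCP connections to ports 139/445 whose remote host is not a known internal address. The sample rows are constructed, and 10.0.0.5 and 10.0.0.20 are made-up internal addresses standing in for the redacted "XXXX" entries.

```python
import ipaddress
from collections import defaultdict

# NetBIOS session service and SMB over TCP, by number and by services-file name
SMB_PORTS = {"139": 139, "445": 445, "netbios-ssn": 139, "microsoft-ds": 445}

# Constructed sample in the layout of the netstat output posted above.
# 10.0.0.5 and 10.0.0.20 are made-up internal addresses standing in for "XXXX".
SAMPLE = """\
TCP 10.0.0.5:2802 0.0.0.0:0 LISTENING
TCP 10.0.0.5:2802 10.0.0.20:139 ESTABLISHED
TCP 10.0.0.5:2805 10.0.0.20:445 SYN_SENT
TCP 10.0.0.5:2806 64.224.17.219:139 SYN_SENT
TCP 10.0.0.5:2805 64.224.17.219:445 SYN_SENT
"""

def split_endpoint(endpoint):
    """Split 'host:port' on the last colon; None if there is no port part."""
    host, sep, port = endpoint.rpartition(":")
    return (host.strip("[]"), port.lower()) if sep and port else None

def is_internal(host):
    """True/False for IP literals; None for names, which cannot be classified."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    return ip.is_private or ip.is_loopback or ip.is_link_local

def outbound_smb(netstat_text):
    """Map each remote host not known to be internal to its SMB connection rows."""
    findings = defaultdict(list)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue  # headers, UDP rows, blank lines
        local, remote = split_endpoint(fields[1]), split_endpoint(fields[2])
        state = fields[3].upper()
        if local is None or remote is None or state == "LISTENING":
            continue
        port = SMB_PORTS.get(remote[1])
        if port and is_internal(remote[0]) is not True:
            findings[remote[0]].append((local[1], port, state))
    return dict(findings)

if __name__ == "__main__":
    for host, rows in outbound_smb(SAMPLE).items():
        print(host, rows)
```

Remote hosts shown as names (or redacted) cannot be classified as internal or external, so they are reported as well and need a manual look.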
 