Windows 2000 server trying to connect port 139 & 445 to an..

Guest
Archived from groups: microsoft.public.win2000.networking, microsoft.public.win2000.security

Hi,

We currently detected that one server (W2K, SP3 with MSSQL SP3, IIS installed)
keeps trying to connect to an Internet host at ports 139 and 445. I checked on
the server with netstat -an, netstat -a, etc. that it tries to connect to that
Internet host by the FQDN on ports 139 and 445.

I ran several tools from Sysinternals but could not find anything abnormal. I
checked all of the registry, program folders, C: drive, winnt, system32, Task
Manager; there is nothing revealing a clue.

Anyone who knows, please shed some light!!!

Thanks,
J.H
 
Guest

So you say "tries" and that netstat is not helping you, but you say it is
trying to connect using FQDN.
So apparently the connection is never happening, hence you do not
get info in netstat or with sysinternals TcpView, etc. to let you have
a clue what is driving the behavior.
But, you could define an IP of your choice in HOSTS file for the FQDN
and then intercept the attempt, possibly defining what is needed on your
receiving machine to make the connection happen, at least long enough
to get some info from TcpView.

Too bad your server is W2k (and out of date on service) else my first
suggestion would be to use the free tool named PortRptr from Microsoft

http://www.microsoft.com/downloads/details.aspx?FamilyID=69ba779b-bae9-4243-b9d6-63e62b4bcd2e&DisplayLang=en

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
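
The interception suggested above, sketched as an added example that is not part of the original post: once the HOSTS entry points the FQDN at a machine you control, a listener there accepts the connection and holds it open, recording the client's source port so it can be matched against the local port TcpView shows on the server. The names `run_sinkhole` and `classify` and the 30-second hold are assumptions made for this sketch.

```python
import socket
import time

def classify(first):
    """Name the protocol from the first bytes a client sent."""
    if not first:
        return "no data"
    if first[:1] == b"\x81":
        return "NetBIOS session request"      # what a client sends first on 139
    if first[:1] == b"\x00" and first[4:8] == b"\xffSMB":
        return "SMB1 message"                 # direct-hosted SMB on 445
    return "unknown"

def run_sinkhole(host, port, hold_seconds=30.0, max_conns=1, ready=None):
    """Accept max_conns connections, hold each open, return one record each."""
    records = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(5)
        if ready is not None:
            ready.append(srv.getsockname()[1])   # publish the bound port
        for _ in range(max_conns):
            conn, (peer_ip, peer_port) = srv.accept()
            seen_at = time.strftime("%Y-%m-%d %H:%M:%S")
            first = b""
            deadline = time.monotonic() + hold_seconds
            with conn:
                # Stay ESTABLISHED until the client hangs up or the hold expires,
                # so the owning process can be read off TcpView on the server.
                while time.monotonic() < deadline:
                    conn.settimeout(max(deadline - time.monotonic(), 0.01))
                    try:
                        data = conn.recv(256)
                    except OSError:              # timeout or reset by the client
                        break
                    if not data:                 # client closed the connection
                        break
                    first = first or data
            records.append({"time": seen_at, "peer_ip": peer_ip,
                            "peer_port": peer_port, "kind": classify(first)})
    return records

if __name__ == "__main__":
    # Binding port 445 needs administrator/root rights on the receiving machine.
    for rec in run_sinkhole("0.0.0.0", 445, max_conns=3):
        print(rec)
```

On a Windows receiver, ports 139 and 445 are normally already held by the system's own file sharing, so the listener is easier to run on a host where those ports are free.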
 
Guest

Hi Roger,

Thanks for your response. We blocked outgoing traffic to Internet ports 445
and 139.
We detected this problem because we noticed the traffic in our firewall
network monitoring tool.

Thanks,
Jake
 
Guest

Roger,

Here is what Netstat -a returned:

SOURCE DEST ACT
TCP XXXX:2802 0.0.0.0:0 LISTENING
TCP XXXX:2802 XXXX:139 ESTABLISHED
TCP XXXX:2805 XXXX:445 SYN_SENT
TCP XXXX:2806 0.0.0.0:0 LISTENING
TCP XXXX:2806 64.224.17.219:139 SYN_SENT
TCP XXXX:2805 64.224.17.219:445 SYN_SENT

It looks like it tries once every 30 seconds to connect to
64.224.17.219.139 on ports 139, 445. On the firewall we saw the attempts,
but we block outgoing ports 139 and 445.


J.H
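
A way to pull rows like the ones above out of a full `netstat -an` listing, as an added example that is not part of the original post: it keeps only TCP rows whose remote port is 139 or 445 and whose remote address lies outside the internal ranges, grouped by destination. The sample listing is constructed (203.0.113.9 is a documentation address), and `outbound_smb` and `INTERNAL` are names assumed for this sketch.

```python
import ipaddress
import re

SMB_PORTS = {139, 445}
# Assumption: the site uses RFC 1918 space internally; adjust to your ranges.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample in the column layout of Windows `netstat -an`.
SAMPLE = """\
  Proto  Local Address      Foreign Address      State
  TCP    10.1.1.20:2802     0.0.0.0:0            LISTENING
  TCP    10.1.1.20:2803     10.1.1.5:139         ESTABLISHED
  TCP    10.1.1.20:2805     203.0.113.9:445      SYN_SENT
  TCP    10.1.1.20:2806     203.0.113.9:139      SYN_SENT
  TCP    10.1.1.20:1433     10.1.1.77:4012       ESTABLISHED
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def outbound_smb(netstat_text, internal=INTERNAL):
    """Return {remote_ip: [(remote_port, local_port, state), ...]} for
    TCP rows aimed at ports 139/445 on addresses outside `internal`."""
    hits = {}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                      # header, UDP row or blank line
        _local, lport, raddr, rport, state = m.groups()
        if int(rport) not in SMB_PORTS:
            continue
        try:
            ip = ipaddress.ip_address(raddr)
        except ValueError:
            continue                      # name, not address: rerun with -n
        if any(ip in net for net in internal):
            continue                      # ordinary file sharing inside the LAN
        hits.setdefault(raddr, []).append((int(rport), int(lport), state))
    return hits

if __name__ == "__main__":
    for remote, rows in outbound_smb(SAMPLE).items():
        for rport, lport, state in rows:
            # SYN_SENT that never changes means the handshake got no answer.
            print(f"{remote}:{rport} from local port {lport} [{state}]")
```

The local port in each hit is the value to look up in TcpView or a similar per-process view while the attempt is still pending.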

 
Guest

Try using TcpView from www.sysinternals.com

--
Roger