Hello!
I have a server that is spewing UDP packets on port 137.
Here is a sample of the capture:
214  4.762671  <hidden>  65.200.10.34   NBNS  Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
217  1.771319  <hidden>  24.64.209.155  NBNS  Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
The packets are being sent to random public IPs. They are
sent in groups of 3. The packets are identical except the destination IP.
The box is running Server2000, and is a VM running on an
Ubuntu host. Both the host and guest are fully patched. It is running eTrust ITM
that is fully patched and up to date on sigs. All AV scans I have run come back
clean. I also ran the most recent MS Malicious Software removal tool, and it
came back clean as well.
This is the only server in our domain that is exhibiting
this behavior.
So far today it has tried to contact over 100 random hosts.
I am concerned... Help please.
Jon
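
An added example, not part of the original post: a Python check that decodes a UDP/137 payload per RFC 1001/1002 and flags wildcard NBSTAT queries (the `*` plus 15 null bytes shown in the capture rows) that are addressed to public IPs. The function names and the sample payload are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

NBSTAT = 0x0021                      # RFC 1002 question type: node status request
WILDCARD = b"*" + b"\x00" * 15       # the name shown in the capture rows

def decode_nb_name(encoded: bytes) -> bytes:
    """Undo RFC 1001 first-level encoding: two letters 'A'..'P' per byte."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    out = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("byte outside 'A'..'P'")
        out.append((hi << 4) | lo)
    return bytes(out)

def parse_nbns_query(payload: bytes):
    """Return (name, qtype) for a single-question NBNS query, else None."""
    if len(payload) < 50:            # 12 header + 1 len + 32 name + 1 end + 4
        return None
    _txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    if flags & 0x8000 or qdcount != 1:   # response bit set, or not one question
        return None
    if payload[12] != 32 or payload[45] != 0:
        return None
    try:
        name = decode_nb_name(payload[13:45])
    except ValueError:
        return None
    qtype, _qclass = struct.unpack("!2H", payload[46:50])
    return name, qtype

def is_external_nbstat(dst_ip: str, payload: bytes) -> bool:
    """True for a wildcard NBSTAT query addressed to a public IP."""
    parsed = parse_nbns_query(payload)
    return (parsed == (WILDCARD, NBSTAT)
            and ipaddress.ip_address(dst_ip).is_global)

def count_external(packets):
    """Count flagged queries per destination; packets = [(dst_ip, payload)]."""
    return Counter(dst for dst, p in packets if is_external_nbstat(dst, p))

# Constructed sample payload (transaction id and flags are made up).
SAMPLE = (struct.pack("!6H", 0x1234, 0, 1, 0, 0, 0) + b"\x20" + b"CK" + b"A" * 30
          + b"\x00" + struct.pack("!2H", NBSTAT, 1))
```

Feeding `count_external` the (destination, payload) pairs from a capture gives a per-destination tally, which makes the groups of 3 described above easy to confirm.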