Wireshark-users: [Wireshark-users] Unexplained Netbios Traffic

From: "Jon Ziminsky" <ziminskyj@xxxxxxxxx>
Date: Wed, 1 Oct 2008 12:03:04 -0600

Hello!

 

I have a server that is spewing UDP packets on port 137. Here is a sample of the capture:

 

214         4.762671              <hidden>            65.200.10.34       NBNS    Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

217         1.771319              <hidden>            24.64.209.155     NBNS    Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

 

The packets are being sent to random public IPs. They are sent in groups of 3. The packets are identical except the destination IP.

 

The box is running Server2000, and is a VM running on an Ubuntu host. Both the host and guest are fully patched. It is running eTrust ITM that is fully patched an up to date on sigs. All AV scans I have ran come back clean. I also ran the most recent MS Malicious Software removal tool, and it came back clean as well.

 

This is the only server in our domain that is exhibiting this behavior.

 

So far today it has tried to contact over 100 random hosts. I am concerned... Help please.

 

 

 

Jon