[Dshield] Active Ports Freeware & Outbound 137 Scans

tim.southard@starband.net tim.southard at starband.net
Fri Sep 12 21:44:32 GMT 2003


Hello Yevette,

Check to see if dllhost.exe is running.  That is described as Welchia (which
I thought only blasted pings) but on one of our systems was blasting 137.

If dllhost.exe is running, run Symantec's WelchiaFix tool.

Tim

----- Original Message ----- 
From: "Yevette Maurer" <yevettem at gsmt.com>
To: <list at dshield.org>
Sent: Friday, September 12, 2003 12:53
Subject: [Dshield] Active Ports Freeware & Outbound 137 Scans


> Just thought I would share this with everyone on this list, maybe it will
> come in handy for some of you. We found this neat little tool called Active
> Ports. Here is the description off their website:
>
> Active Ports - easy to use tool for Windows NT/2000/XP that enables you to
> monitor all open TCP and UDP ports on the local computer. Active Ports maps
> ports to the owning application so you can watch which process has opened
> which port. It also displays a local and remote IP address for each
> connection and allows you to terminate the owning process. Active Ports can
> help you to detect Trojans and other malicious programs.
> http://www.protect-me.com/freeware.html
>
> We just found out that one of our Real Estate Agents that are connected to
> our network (at our other office building - they pay us for Internet access
> and are using their own systems not maintained by us) is sending out UDP 137
> scans in massive amounts. He's inside our firewall (ISA Server), don't know
> how a worm could have got in. He's using an up-to-date version of Norton AV
> and BlackIce. Thought it was W32/Opaserv.worm, but can't find any traces of
> it. We disconnected him from the network last night, and one of the other
> guys in our Tech Dept. went out there to look at it again this morning.
> Don't know what it could be, hope that the Active Ports tool can help us.
> He's also going to try to see if McAfee can find something that Norton
> didn't. If anyone has any other suggestions, it would be greatly
> appreciated.
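Added example, not part of the original messages: one way to confirm which internal host is producing the outbound UDP 137 traffic described in this thread is to count distinct outside destinations per source in a firewall log. The five-field log format, the 10.0.0.0/16 internal range and the threshold are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/16")  # assumed internal range
MIN_TARGETS = 20  # assumed threshold: distinct outside hosts per source


def parse_line(line):
    """Return (src, dst, proto, dport) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _, src, dst, proto, dport = parts
    try:
        return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.upper(), int(dport))
    except ValueError:
        return None


def find_udp137_scanners(lines, internal=INTERNAL_NET, min_targets=MIN_TARGETS):
    """Map each internal source to its count of distinct outside UDP/137 targets."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if proto != "UDP" or dport != 137:
            continue
        # Name lookups to the local broadcast or a WINS server stay inside the
        # network; only traffic leaving it counts toward a scan.
        if src in internal and dst not in internal:
            targets[src].add(dst)
    return {str(s): len(d) for s, d in targets.items() if len(d) >= min_targets}


def sample_log():
    """Constructed log lines: one sweeping host, one normal host, one bad line."""
    lines = [f"2003-09-11T22:10:{i:02d} 10.0.2.15 198.51.100.{i + 1} UDP 137"
             for i in range(40)]
    lines += ["2003-09-11T22:11:00 10.0.1.20 10.0.255.255 UDP 137",
              "2003-09-11T22:11:01 10.0.1.20 10.0.0.5 UDP 137",
              "2003-09-11T22:11:02 10.0.1.20 203.0.113.9 TCP 80",
              "truncated line"]
    return lines


if __name__ == "__main__":
    for host, count in find_udp137_scanners(sample_log()).items():
        print(f"{host}: {count} distinct outside UDP/137 targets")
```

A host flagged this way is the one to inspect with a port-to-process tool such as the Active Ports utility mentioned in the thread.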