[olug] Varying port access from an internal XP box

Eric P eric.maillist at gmail.com
Mon Dec 29 16:40:57 UTC 2008


On Fri, Dec 26, 2008 at 4:36 AM, Steven Susbauer
<stupendoussteve at hotmail.com> wrote:
> Eric P wrote:
>> Eric P wrote:
>>> Eric P wrote:
>>>> Hi,
>>>>
>>>> I flipped on Firestarter (Linux GUI firewall) and noticed the XP box on my network is trying to access some service on
>>>> my Linux box (the one w/Firestarter) about four times every minute.   With Firestarter it's being blocked now, but the
>>>> troubling thing is the port changes w/each request, and they're high non-standard ports in the 33,000-61,000 range.
>>>>
>>>> Any ideas or should I begin suspecting a virus on the XP box?
>>>>
>>>> Thanks,
>>>> Eric P.
>>>>
>>> I should add that the only service I knowingly use between the machines is Samba for accessing the XP files from the
>>> Linux box.
>>>
>>> Thanks,
>>> Eric P.
>>>
>>
>> Ok, my last email led me to a possible answer.
>>
>> It seemed that FuseSmb was trying to verify a connection it had with a pre-established mount point on the XP box.  Since
>> it could no longer access the XP file share (due to turning on Firestarter which was now blocking it), FuseSmb tried to
>> periodically access the XP file share but Firestarter wouldn't allow a response back.  So my guess is FuseSmb kept
>> telling the response to try different ports on each intermittent check since it never heard anything back.
>>
>> At least that's my best guess.
>>
>> Eric P.
> If you're concerned about it, I suggest looking at the traffic with
> wireshark, which will probably be able to tell you pretty quickly what
> kind of traffic it is.
>
>
Excellent idea.

All packets turned out to be NBNS protocol (NetBIOS), so that gave the
warm/fuzzy that I needed.

Thanks (wireshark is such an amazing tool),
Eric
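
Added example, not part of the original thread: a minimal Python check for whether a UDP payload parses as an NBNS (NetBIOS Name Service, RFC 1001/1002) message, the classification Wireshark gave above. The host name XPBOX, the address 192.0.2.10 and both sample packets are constructed for illustration.

```python
import struct

NB_TYPES = {0x0020: "NB", 0x0021: "NBSTAT"}  # record types from RFC 1002

def encode_name(name, suffix=0x20):
    """First-level encode a NetBIOS name: pad to 15 chars, append the suffix
    byte, then map every nibble to a letter 'A'..'P' (RFC 1001)."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))

def parse_nbns(payload):
    """Return a summary dict if payload looks like an NBNS message, else None."""
    if len(payload) < 50:              # 12 header + 34 name + 4 type/class
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    # Expect one 32-byte encoded label followed by an empty scope
    # (names with a scope ID are not handled in this sketch).
    if payload[12] != 0x20 or payload[45] != 0x00:
        return None
    enc = payload[13:45]
    if any(not (0x41 <= b <= 0x50) for b in enc):
        return None                    # not first-level encoded, e.g. plain DNS
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, 32, 2))
    rtype, rclass = struct.unpack("!2H", payload[46:50])
    if rclass != 1:                    # class IN
        return None
    return {
        "txid": txid,
        "response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "name": raw[:15].decode("ascii", "replace").rstrip(),
        "suffix": raw[15],             # 0x20 = file server service
        "type": NB_TYPES.get(rtype, hex(rtype)),
    }

# Constructed samples: a broadcast name query and a positive response.
NAME = b"\x20" + encode_name("XPBOX") + b"\x00"
QUERY = struct.pack("!6H", 0x1234, 0x0110, 1, 0, 0, 0) + NAME + struct.pack("!2H", 0x20, 1)
RESPONSE = (struct.pack("!6H", 0x1234, 0x8500, 0, 1, 0, 0) + NAME
            + struct.pack("!2HIHH", 0x20, 1, 300, 6, 0) + bytes([192, 0, 2, 10]))

if __name__ == "__main__":
    for label, pkt in (("query", QUERY), ("response", RESPONSE)):
        print(label, parse_nbns(pkt))
```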


