[olug] Varying port access from an internal XP box
Steven Susbauer
stupendoussteve at hotmail.com
Fri Dec 26 10:36:10 UTC 2008
Eric P wrote:
> Eric P wrote:
>> Eric P wrote:
>>> Hi,
>>>
>>> I flipped on Firestarter (Linux GUI firewall) and noticed the XP box on my network is trying to access some service on
>>> my Linux box (the one w/Firestarter) about four times every minute. With Firestarter it's being blocked now, but the
>>> troubling thing is the port changes w/each request, and they're high non-standard ports in the 33,000-61,000 range.
>>>
>>> Any ideas or should I begin suspecting a virus on the XP box?
>>>
>>> Thanks,
>>> Eric P.
>>>
>> I should add that the only service I knowingly use between the machines is Samba for accessing the XP files from the
>> Linux box.
>>
>> Thanks,
>> Eric P.
>>
>
> Ok, my last email lead me to a possible answer.
>
> It seemed that FuseSmb was trying to verify a connection it had with a pre-established mount point on the XP box. Since
> it could no longer access the XP file share (due to turning on Firestarter which was now blocking it), FuseSmb tried to
> periodically access the XP file share but Firestarter wouldn't allow a response back. So my guess is FuseSmb kept
> telling the response to try different ports on each intermittent check since it never heard anything back.
>
> At least that's my best guess.
>
> Eric P.
If you're concerned about it, I suggest looking at the traffic with
wireshark, which will probably be able to tell you pretty quickly what
kind of traffic it is.
More information about the OLUG
mailing list