Large amount of nbdgram traffic

chris

I manage a small network running Win NT 4.0 servers that is just beginning
its migration to a W2K domain. I've installed a W2k DC on our network that
communicates with other peer DCs in other sites. The problem is that I've
noticed a tremendous increase in traffic on my firewall logs (up to 900Gb a
day for a small 12 user office!), specifically 80% of the traffic is nbdgram
and 138/udp. Also, the majority of my outgoing traffic is coming from my Win
NT PDC. My question is whether this is normal, expected traffic for a W2k
domain or is there some device that is misconfigured somewhere on the
network, or could this also be a possible indication of a trojan or worm?
Thanks in advance.
 
Steven L Umbach

Something is up. Run a virus/trojan scan on that computer. There are also sites like
http://scan.sygatetech.com/ that can do online trojan scans as a supplement to a
software-based scan. There is no reason that port 138 udp should be going or coming
from the internet. Ideally your firewall should be blocking all outbound traffic with
a block all rule and then allow only permitted outbound access such as tcp ports 80
and 443 and udp port 53 for dns. Netstat -an or better yet fport may help you
determine if there is a rogue application on that computer communicating with other
computers on the internet. See link at Karl's site below also. --- Steve

http://securityadmin.info/faq.asp#virustoc
http://packetstormsecurity.nl/filedesc/fport.zip.html
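
An added example, not part of either post above: one way to check firewall log data against the default-deny egress policy described in the reply (only tcp 80, tcp 443 and udp 53 allowed out), totalling bytes per internal source for everything else that leaves the LAN. The CSV log layout, the sample addresses and the function names are assumptions constructed for this illustration.

```python
import csv
import io
import ipaddress
from collections import Counter

# Egress allowlist taken from the reply: tcp 80, tcp 443, udp 53.
ALLOWED = {("tcp", 80), ("tcp", 443), ("udp", 53)}
# RFC 1918 ranges treated as "inside"; adjust to the real LAN (assumption).
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: src,dst,proto,dport,bytes (layout is an assumption).
SAMPLE_LOG = """\
192.168.1.10,203.0.113.7,udp,138,2400
192.168.1.10,203.0.113.7,udp,138,2600
192.168.1.10,192.168.1.255,udp,138,220
192.168.1.21,198.51.100.4,tcp,443,5100
192.168.1.21,198.51.100.9,udp,53,90
192.168.1.10,203.0.113.8,tcp,8081,700
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def egress_violations(log_text):
    """Bytes per (src, proto, dport) for LAN-to-internet flows outside the allowlist."""
    totals = Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        src, dst, proto, dport, nbytes = (f.strip() for f in row)
        if not is_internal(src) or is_internal(dst):
            continue  # LAN broadcasts and inbound flows are not egress
        key = (src, proto.lower(), int(dport))
        if key[1:] not in ALLOWED:
            totals[key] += int(nbytes)
    return totals

def report(totals):
    """One line per offending source/port, largest byte count first."""
    lines = []
    for (src, proto, dport), nbytes in totals.most_common():
        note = "  <- NetBIOS datagram leaving the LAN" if (proto, dport) == ("udp", 138) else ""
        lines.append(f"{src} {dport}/{proto} {nbytes} bytes{note}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(egress_violations(SAMPLE_LOG))))
```

The host at the top of the report is the one to inspect with `netstat -an` or fport, as the reply suggests.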
 
