nbtstat displays different computer name

Discussion in 'Computer Security' started by valvowski, Jul 15, 2005.

  1. valvowski

    valvowski Guest

    Does anybody know what tool was used that generates a different computer
    name every time I execute nbtstat on a single IP address? It is really
    hard to trace which PC the IP address belongs to. Any help would be
    appreciated.
     
    valvowski, Jul 15, 2005
    #1

  2. From: "valvowski" <>

    | does anybody know what tool was used that generates different computer
    | name everytime i execute nbtstat on a single ip address? it is really
    | hard to trace which pc the ip address belongs. any help would be
    | appreciated.

    When you execute protocol, network, and IP address related TCP/IP programs, the OS will do a
    lookup in the static TCP/IP tables. This will be the '/etc' folder.

    On Win9x/ME
    %windir%

    On NT4, Win2K, WinXP and Win2003 Server
    %windir%\system32\drivers\etc

    There are the static TCP/IP tables called...

    hosts
    networks
    protocol
    services
    lmhosts

    Before the TCP/IP compliant program displays its relevant data, it will do a lookup in these
    tables and provide an alias (ASCII name) for the referenced numbered data.

    For example using the following extracted etc/services table...

    netrjs-4 74/tcp Remote Job Service
    private_dial 75/tcp
    deos 76/tcp Distributed External Object Store
    private_rje 77/tcp netrjs
    vettcp 78/tcp vettcp
    finger 79/tcp
    www-http 80/tcp World Wide Web HTTP
    hosts2-ns 81/tcp HOSTS2 Name Server
    xfer 82/tcp XFER Utility
    mit-ml-dev 83/tcp MIT ML Device
    ctf 84/tcp Common Trace Facility
    mit-ml-dev 85/tcp MIT ML Device

    If I was communicating on TCP port 80 then the ASCII text alias 'www-http' will be
    displayed.

    If the data is an IP address, then the etc/hosts table will be queried and if there is a
    line item for the given IP address then that alias will be used. If the etc/hosts table
    does NOT have the relevant data then the TCP/IP stack will check the Domain Name Server (DNS)
    Servers (or DNS cache depending on the OS) and will use the alias supplied by the DNS server
    or cache.

    NBTSTAT is a MS specific NetBIOS Status utility. It will query the etc/lmhosts table and if
    there is a line item for the given IP address then that alias will be used. If the
    etc/lmhosts table does NOT have the relevant data then the TCP/IP stack will check the Master
    Browser, WINS server, or other NetBIOS name caching stores. The order in which this action
    is performed is set in the OS Registry.



    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Jul 15, 2005
    #2

  3. valvowski

    Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <>, valvowski wrote:

    >does anybody know what tool was used that generates different computer
    >name everytime i execute nbtstat on a single ip address? it is really
    >hard to trace which pc the ip address belongs.


    Is the "other" computer local? Use a packet sniffer, and get the
    MAC address. If the other computer is not local, and is not using
    a reserved IP address (see RFC3330), google for a 'whois' tool.

    >NNTP-Posting-Host: 210.1.130.2


    [compton ~]$ whois -h whois.apnic.net 210.1.130.2
    inetnum: 210.1.130.0 - 210.1.130.255
    netname: PIPH-LL
    country: PH
    descr: Pacific Internet PH
    descr: LL IP Pool
    address: Pacific Internet Philippines, Inc.
    address: 19F, The Taipan Place,
    address: Emerald Ave., Ortigas Center,
    address: Pasig City, Philippines
    phone: +63-2-6371700
    fax-no: +63-2-9180159
    [compton ~]$

    Old guy
     
    Moe Trin, Jul 16, 2005
    #3
  4. valvowski

    valvowski Guest

    I posted two pics. These were for a single IP, taken within a second or
    two. It changes every time I execute nbtstat.

    http://tinypic.com/987bd0.jpg
    http://tinypic.com/987br6.jpg

    Moe Trin wrote:
    > In the Usenet newsgroup alt.computer.security, in article
    > <>, valvowski wrote:
    >
    > >does anybody know what tool was used that generates different computer
    > >name everytime i execute nbtstat on a single ip address? it is really
    > >hard to trace which pc the ip address belongs.

    >
    > Is the "other" computer local? Use a packet sniffer, and get the
    > MAC address. If the other computer is not local, and is not using
    > a reserved IP address (see RFC3330), google for a 'whois' tool.
    >
    > >NNTP-Posting-Host: 210.1.130.2

    >
    > [compton ~]$ whois -h whois.apnic.net 210.1.130.2
    > inetnum: 210.1.130.0 - 210.1.130.255
    > netname: PIPH-LL
    > country: PH
    > descr: Pacific Internet PH
    > descr: LL IP Pool
    > address: Pacific Internet Philippines, Inc.
    > address: 19F, The Taipan Place,
    > address: Emerald Ave., Ortigas Center,
    > address: Pasig City, Philippines
    > phone: +63-2-6371700
    > fax-no: +63-2-9180159
    > [compton ~]$
    >
    > Old guy
     
    valvowski, Jul 22, 2005
    #4
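
Added example, not part of any post in this thread: a Python comparison of two saved `nbtstat -A` outputs for one IP, like the two captures described in post #4, reporting which name-table rows and which reported MAC address differ (the MAC check follows the suggestion in post #3). The capture text, computer names and MAC values are constructed; only the layout follows nbtstat's remote name table.

```python
import re

# Constructed sample captures in the layout `nbtstat -A <ip>` prints.
# Computer names and MAC addresses are made up for this example.
CAPTURE_1 = """\
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    PC-ALPHA       <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    PC-ALPHA       <20>  UNIQUE      Registered

    MAC Address = 00-11-22-33-44-55
"""
# Same adapter, different computer name.
CAPTURE_2 = CAPTURE_1.replace("PC-ALPHA", "PC-BRAVO")
# Different computer name and a different reported MAC.
CAPTURE_3 = CAPTURE_2.replace("00-11-22-33-44-55", "00-AA-BB-CC-DD-EE")

# One name-table row: name, <suffix>, UNIQUE|GROUP, status.
ROW = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)", re.M)
MAC = re.compile(r"MAC Address\s*=\s*((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})")

def parse_nbtstat(text):
    """Return (set of (name, suffix, type) rows, MAC string or None)."""
    rows = {(n.strip().upper(), s.upper(), t) for n, s, t, _ in ROW.findall(text)}
    m = MAC.search(text)
    return rows, (m.group(1).upper() if m else None)

def compare(a, b):
    """Summarise what changed between two captures taken for the same IP."""
    rows_a, mac_a = parse_nbtstat(a)
    rows_b, mac_b = parse_nbtstat(b)
    return {
        "names_gone": sorted(rows_a - rows_b),   # rows only in the first capture
        "names_new": sorted(rows_b - rows_a),    # rows only in the second capture
        "mac_changed": mac_a != mac_b,
        "macs": (mac_a, mac_b),
    }

if __name__ == "__main__":
    for label, other in (("1 vs 2", CAPTURE_2), ("1 vs 3", CAPTURE_3)):
        print(label, compare(CAPTURE_1, other))
```

A changed name table with an unchanged MAC and a changed name table with a changed MAC are different situations to chase, which is why the comparison reports the two separately.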
  5. David H. Lipman, Jul 22, 2005
    #5
  6. valvowski

    valvowski Guest

    It does seem standard, but what is unusual is that the entries change
    every time for a single IP address. The changes occur every fraction of
    a second I run nbtstat. I don't think this is normal.

    David H. Lipman wrote:
    > From: "valvowski" <>
    >
    > | I posted two pics. these were for a single ip, taken within a second or
    > | two. it changes everytime i execute nbtstat.
    > |
    > | http://tinypic.com/987bd0.jpg
    > | http://tinypic.com/987br6.jpg
    > |
    >
    > Looks like standard NetBIOS communications to me.
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm
     
    valvowski, Jul 26, 2005
    #6
  7. From: "valvowski" <>

    | It does seems standard, but what is unusual is that the entries changes
    | everytime for a single ip address. the changes occurs every fraction of
    | a second i run nbtstat. I don't think this is normal.
    |

    Maybe it is the Gael Internet worm. You can scan the system using the following Multi AV
    scanning tool.


    Download MULTI_AV.EXE from the URL --
    http://www.ik-cs.com/programs/virtools/Multi_AV.exe

    It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
    http://kixtart.org Kixtart is CareWare }, three batch files, five Kixtart scripts, one Link
    (.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
    simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
    remove viruses and various other malware.

    C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    This will bring up the initial menu of choices and should be executed in Normal Mode. This
    way all the components can be downloaded from each AV vendor’s web site.
    The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

    You can choose to go to each menu item and just download the needed files or you can
    download the files and perform a scan in Normal Mode. Once you have downloaded the files
    needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    during boot] and re-run the menu again and choose which scanner you want to run in Safe
    Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

    When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    file.

    To use this utility, perform the following...
    Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    Choose; Unzip
    Choose; Close

    Execute; C:\AV-CLS\StartMenu.BAT
    { or Double-click on 'Start Menu' in C:\AV-CLS }

    NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
    through your FireWall to allow them to download the needed AV vendor related files.

    * * * Please report back your results * * *



    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Jul 26, 2005
    #7