Strange Network Activity

Networking/Security Forums -> Firewalls // Intrusion Detection - External Security

Author: Charles_Bethune    Posted: Mon Sep 24, 2012 10:24 pm    Post subject: Strange Network Activity
    ----
I have a Microsoft Windows 7 box on a network

Local IP (192.168.1.2)
Gateway (192.168.1.1)

And I have noticed strange port 137 requests and other strange activity from a particular IP which is not in the trusted scope.


Windows firewall revealed

2012-09-24 21:30:30 DROP UDP 192.168.1.3 224.0.0.252 50937 5355 50 - - - - - - - RECEIVE
2012-09-24 21:30:30 DROP UDP 192.168.1.3 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2012-09-24 21:30:31 DROP UDP 192.168.1.3 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2012-09-24 21:30:31 DROP UDP 192.168.1.3 192.168.1.255 137 137 78 - - - - - - - RECEIVE

_____________________________________________________________

TCPDump logs

834 23.183712000 192.168.1.3 255.255.255.255 DHCP 342 DHCP Inform - Transaction ID 0x9a44e4ed
959 23.761281000 192.168.1.3 224.0.0.252 LLMNR 64 Standard query 0xc5cc A wpad
969 23.860862000 192.168.1.3 224.0.0.252 LLMNR 64 Standard query 0xc5cc A wpad
983 24.081085000 192.168.1.3 192.168.1.255 NBNS 92 Name query NB WPAD<00>
1848 33.342893000 192.168.1.3 192.168.1.2 LLMNR 130 Standard query response 0x6cec PTR 192.168.1.3
50289 2156.820846000 192.168.1.3 239.255.255.250 SSDP 167 M-SEARCH * HTTP/1.1
_____________________________________________________________

NetBIOS wasn't disabled at the time of the logged requests.

192.168.1.3 is running Linux. Is it possible that it has SAMBA requesting these packets?

Any suggestions, advice, comments appreciated.

Author: Intnull0    Posted: Fri Dec 28, 2012 6:40 pm    Post subject:
    ----
Looks like .3 is broadcasting on port 137 (NetBIOS names) querying for the DNS entry for WPAD (Web Proxy Auto-Discovery protocol), which will tell the requestor how to get to the Internet. Most likely nothing, but I would see why/where the .3 machine is trying to connect to on the Internet.
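
One way to triage firewall log lines like those in the first post, as an added example that is not part of the original thread: it parses the Windows Firewall log field layout and counts dropped inbound name-resolution and discovery packets per source. The function names, the port table and the `trusted` parameter are assumptions of this example; the sample lines are the four copied from the first post.

```python
from collections import Counter

# Field order from the "#Fields:" header of the Windows Firewall log (pfirewall.log).
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Well-known UDP destination ports for local name resolution and discovery.
DISCOVERY_PORTS = {137: "NBNS", 5355: "LLMNR", 1900: "SSDP"}

# The four firewall log lines quoted in the first post.
SAMPLE_LOG = """\
2012-09-24 21:30:30 DROP UDP 192.168.1.3 224.0.0.252 50937 5355 50 - - - - - - - RECEIVE
2012-09-24 21:30:30 DROP UDP 192.168.1.3 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2012-09-24 21:30:31 DROP UDP 192.168.1.3 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2012-09-24 21:30:31 DROP UDP 192.168.1.3 192.168.1.255 137 137 78 - - - - - - - RECEIVE
"""

def parse_line(line):
    """Return a dict for one log record, or None for comment, blank or short lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def classify(rec):
    """Name the discovery protocol implied by a UDP record's destination port."""
    if rec["protocol"] != "UDP" or not rec["dst_port"].isdigit():
        return None
    return DISCOVERY_PORTS.get(int(rec["dst_port"]))

def summarize(log_text, trusted=frozenset()):
    """Count dropped inbound discovery packets per (source IP, protocol),
    skipping sources listed in the hypothetical `trusted` set."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["action"] != "DROP" or rec["path"] != "RECEIVE":
            continue
        proto = classify(rec)
        if proto and rec["src_ip"] not in trusted:
            counts[(rec["src_ip"], proto)] += 1
    return counts

if __name__ == "__main__":
    for (src, proto), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src}: {n} dropped {proto} packet(s)")
```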





All times are GMT + 2 Hours
