Security Forums

Strange Network Activity

Charles_Bethune
Posted: Mon Sep 24, 2012 10:24 pm    Post subject: Strange Network Activity

I have a Microsoft Windows 7 box on a network

Local IP (192.168.1.2)
Gateway (192.168.1.1)

And I have noticed strange port 137 requests and other strange activity from a particular IP which is not in the trusted scope.


Windows firewall revealed

2012-09-24 21:30:30 DROP UDP 192.168.1.3 224.0.0.252 50937 5355 50 - - - - - - - RECEIVE
2012-09-24 21:30:30 DROP UDP 192.168.1.3 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2012-09-24 21:30:31 DROP UDP 192.168.1.3 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2012-09-24 21:30:31 DROP UDP 192.168.1.3 192.168.1.255 137 137 78 - - - - - - - RECEIVE

_____________________________________________________________

TCPDump logs

834 23.183712000 192.168.1.3 255.255.255.255 DHCP 342 DHCP Inform - Transaction ID 0x9a44e4ed
959 23.761281000 192.168.1.3 224.0.0.252 LLMNR 64 Standard query 0xc5cc A wpad
969 23.860862000 192.168.1.3 224.0.0.252 LLMNR 64 Standard query 0xc5cc A wpad
983 24.081085000 192.168.1.3 192.168.1.255 NBNS 92 Name query NB WPAD<00>
1848 33.342893000 192.168.1.3 192.168.1.2 LLMNR 130 Standard query response 0x6cec PTR 192.168.1.3
50289 2156.820846000 192.168.1.3 239.255.255.250 SSDP 167 M-SEARCH * HTTP/1.1
_____________________________________________________________

NetBIOS wasn't disabled at the time of the logged requests.

192.168.1.3 is running Linux. Is it possible that it has SAMBA requesting these packets?

Any suggestions, advice, comments appreciated.
Intnull0
Posted: Fri Dec 28, 2012 6:40 pm

Looks like .3 is broadcasting on port 137 (NetBIOS names) querying for the DNS entry for WPAD (Web Proxy Autodiscovery Protocol), which will tell the requestor how to get to the Internet. Most likely nothing, but I would see why/where the .3 machine is trying to connect to on the Internet.
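
Added example, not part of either post: a short Python script that parses the firewall and capture lines quoted in the first post, labels each dropped packet by local name-resolution service and delivery scope, and pulls out the names being queried. The /24 netmask and the function names are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size tcpflags "
          "tcpsyn tcpack tcpwin icmptype icmpcode info path").split()  # pfirewall.log order
SERVICES = {137: "NBNS", 1900: "SSDP", 5353: "mDNS", 5355: "LLMNR"}  # UDP dst ports
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumption: the LAN is a /24
# Lines copied from the first post above.
FIREWALL_LOG = """\
2012-09-24 21:30:30 DROP UDP 192.168.1.3 224.0.0.252 50937 5355 50 - - - - - - - RECEIVE
2012-09-24 21:30:30 DROP UDP 192.168.1.3 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2012-09-24 21:30:31 DROP UDP 192.168.1.3 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2012-09-24 21:30:31 DROP UDP 192.168.1.3 192.168.1.255 137 137 78 - - - - - - - RECEIVE
"""
CAPTURE = """\
959 23.761281000 192.168.1.3 224.0.0.252 LLMNR 64 Standard query 0xc5cc A wpad
969 23.860862000 192.168.1.3 224.0.0.252 LLMNR 64 Standard query 0xc5cc A wpad
983 24.081085000 192.168.1.3 192.168.1.255 NBNS 92 Name query NB WPAD<00>
1848 33.342893000 192.168.1.3 192.168.1.2 LLMNR 130 Standard query response 0x6cec PTR 192.168.1.3
"""
QUERY = re.compile(r"^(?:Standard|Name) query (?:0x[0-9a-f]+ )?(?:A|AAAA|NB) (\S+)$")

def summarize_drops(log):
    """Count firewall log entries per (source IP, service, delivery scope)."""
    counts = Counter()
    for line in log.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue  # "#Fields:" header or malformed line
        e = dict(zip(FIELDS, parts))
        dst = ipaddress.ip_address(e["dst_ip"])
        bcast = dst == LOCAL_NET.broadcast_address or str(dst) == "255.255.255.255"
        scope = "multicast" if dst.is_multicast else "broadcast" if bcast else "unicast"
        port = int(e["dst_port"]) if e["dst_port"].isdigit() else None  # "-" for ICMP
        counts[(e["src_ip"], SERVICES.get(port, "other"), scope)] += 1
    return counts

def queried_names(capture):
    """Count names asked for in LLMNR/NBNS query lines; responses are skipped."""
    counts = Counter()
    for line in capture.splitlines():
        parts = line.strip().split(None, 6)  # no, time, src, dst, protocol, length, info
        named = len(parts) == 7 and parts[4] in ("LLMNR", "NBNS")
        m = QUERY.match(parts[6]) if named else None
        if m:  # drop the NetBIOS suffix such as <00> and normalise case
            name = re.sub(r"<[0-9A-Fa-f]{2}>$", "", m.group(1)).lower()
            counts[(parts[2], parts[4], name)] += 1
    return counts
```

Run over the quoted lines, both summaries attribute all of the traffic to 192.168.1.3 and show `wpad` as the only name requested, over LLMNR multicast and NBNS broadcast.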
All times are GMT + 2 Hours