
Spoofed source address

LuckyTaxi

Diamond Member
Take a peek at this. Can't be a virus since we're pretty good with this stuff.

---------------------------------------------------
02/14/05 10:02 firewalld[105]: deny out eth1 78 udp 20 128 10.1.1.63 10.1.1.255 137 137 (spoofed source address)

02/14/05 10:02 firewalld[105]: deny out eth1 78 udp 20 128 10.1.1.163 10.1.1.255 137 137 (spoofed source address)
---------------------------------------------------

Lots of IP addresses listed. I read on google that these clients can't find the DHCP server and it resorts to the default broadcast ip address 10.1.1.255. I triple checked the DHCP/DNS server which also acts as the Active Directory server. It all seems fine. Could it be a virus?


 
absolutely could be a virus and probably is. ping those IPs and see if they are even real.

then you can go into the router on that subnet and check the arp table to see if it has a mac address for that IP. From the MAC you can get the switch port from the switch's CAM table.

disable the port and see who calls.

edit, if I'm reading that right it's port 137 which is netbios (looking for subnet master browser probably) and is normal behavior on windows networks. But if these really are spoofed IP addresses that ain't normal.
 
I read on google that these clients can't find the DHCP server and it resorts to the default broadcast ip address 10.1.1.255.

Not everything on google is gospel. Port 137 is Windows networking in Win9X, if there's no WINS servers configured the box will broadcast out to find the master browser and get a workgroup list.

Chances are this is just a misconfigured machine, probably something someone brought in from home and plugged in without thinking.
 
Originally posted by: Nothinman
I read on google that these clients can't find the DHCP server and it resorts to the default broadcast ip address 10.1.1.255.

Not everything on google is gospel. Port 137 is Windows networking in Win9X, if there's no WINS servers configured the box will broadcast out to find the master browser and get a workgroup list.

Chances are this is just a misconfigured machine, probably something someone brought in from home and plugged in without thinking.

FYI - all MS clients (2K, XP, etc.) will do this broadcasting no matter what.

I know, they are a hybrid node (even with netbios name servers configed) and they are not supposed to or they don't have netbios loaded. But they still broadcast like a mug.
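Added example (not from any poster in this thread): a Python script that groups the "spoofed source address" deny lines by source IP, which gives the list of addresses to take through the ping / ARP table / CAM table steps suggested above, and marks the sources that only sent UDP 137 to the subnet broadcast. The 10.1.1.0/24 mask, the function name and the two extra sample lines are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the thread's two lines plus two made-up ones.
SAMPLE_LOG = """\
02/14/05 10:02 firewalld[105]: deny out eth1 78 udp 20 128 10.1.1.63 10.1.1.255 137 137 (spoofed source address)
02/14/05 10:02 firewalld[105]: deny out eth1 78 udp 20 128 10.1.1.163 10.1.1.255 137 137 (spoofed source address)
02/14/05 10:03 firewalld[105]: deny out eth1 78 udp 20 128 10.1.1.63 10.1.1.255 137 137 (spoofed source address)
02/14/05 10:03 firewalld[105]: deny out eth1 229 udp 20 128 192.168.0.12 192.168.0.255 138 138 (spoofed source address)
"""

# Only fields the thread discusses are named; the numbers around the
# protocol are skipped because the thread does not say what they mean.
LINE_RE = re.compile(
    r"^\S+ \S+ firewalld\[\d+\]: deny (?P<dir>\w+) (?P<iface>\S+) "
    r"\d+ (?P<proto>\w+) \d+ \d+ (?P<src>[\d.]+) (?P<dst>[\d.]+) "
    r"(?P<sport>\d+) (?P<dport>\d+) "
    r"\((?P<reason>[^)]*)\)$"
)

def summarize_spoof_denies(log_text, expected_net="10.1.1.0/24"):
    """Group 'spoofed source address' denies by source IP (mask is assumed)."""
    net = ipaddress.ip_network(expected_net)
    hosts = defaultdict(lambda: {"count": 0, "flows": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["reason"] != "spoofed source address":
            continue
        hosts[m["src"]]["count"] += 1
        hosts[m["src"]]["flows"].add((m["proto"], int(m["dport"]), m["dst"]))
    # UDP 137 to the subnet broadcast is the NetBIOS name lookup the
    # replies describe as normal behaviour on Windows networks.
    normal = {("udp", 137, str(net.broadcast_address))}
    return {
        src: {
            "count": h["count"],
            "in_expected_net": ipaddress.ip_address(src) in net,
            "netbios_broadcast_only": h["flows"] == normal,
        }
        for src, h in hosts.items()
    }

if __name__ == "__main__":
    for src, info in sorted(summarize_spoof_denies(SAMPLE_LOG).items()):
        print(src, info)
```

Sources that fall outside the expected subnet, or that send anything other than the port 137 broadcast, are the ones worth tracing to a switch port first.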
 