The last couple of IPs are from Microsoft...
Just another suggestion, don't throw your IP addresses around. Especially
on a MS Proxy box. I'm sure there are all kinds of losers reading lists
like this waiting for an address or a url that they can try to break in to.
Steve Jacobson <[EMAIL PROTECTED]> on 09/22/2001 09:02:33 PM
Please respond to NT System Admin Issues
<[EMAIL PROTECTED]>
To: NT System Admin Issues <[EMAIL PROTECTED]>
cc:
Subject: Please help me understand this
I really would appreciate it if one of you learned folks could help me
understand this.
I am running a dual processor Win2K machine with dual Ethernet cards. One
card is connected to the Internet via a DSL line, and the ip address is
209.42.32.74. The other Ethernet card is connected to an internal LAN, and
its ip address is 10.1.2.2. I use MS Proxy 2.0 as a NAT and firewall on
this machine, and the 10.x.x.x address space is defined in the Proxy
tables.
I am also running MS Exchange 5.5 on this machine as my e-mail server.
Netbios name resolution is running on the internal LAN, but not on the
segment connected to the Internet. Proxy is set to block port 137
(Netbios).
My question is when I examine the packet filter logs, I see that address
10.1.2.2 is attempting to send a netbios request to some external machine on
the Internet. This is a fragment from the logs:
9/22/2001, 0:59:37, 10.1.2.2, 210.144.23.58, Udp, 137, 137, -, 0, 209.42.32.74, -, -,
9/22/2001, 0:59:39, 10.1.2.2, 210.144.23.58, Udp, 137, 137, -, 0, 209.42.32.74, -, -,
9/22/2001, 2:03:04, 10.1.2.2, 207.90.4.67, Udp, 137, 137, -, 0, 209.42.32.74, -, -,
9/22/2001, 2:03:06, 10.1.2.2, 207.90.4.67, Udp, 137, 137, -, 0, 209.42.32.74, -, -,
9/22/2001, 2:05:22, 10.1.2.2, 195.14.133.252, Udp, 137, 137, -, 0, 209.42.32.74, -, -,
9/22/2001, 2:05:24, 10.1.2.2, 195.14.133.252, Udp, 137, 137, -, 0, 209.42.32.74, -, -,
9/22/2001, 7:15:36, 10.1.2.2, 199.172.144.25, Udp, 137, 137, -, 0, 209.42.32.74, -, -,
9/22/2001, 7:15:38, 10.1.2.2, 199.172.144.25, Udp, 137, 137, -, 0, 209.42.32.74, -, -,
9/22/2001, 8:52:27, 10.1.2.2, 64.85.93.144, Udp, 137, 137, -, 0, 209.42.32.74, -, -,
9/22/2001, 8:52:28, 10.1.2.2, 64.85.93.144, Udp, 137, 137, -, 0, 209.42.32.74, -, -,
I have no clue who the external machines belong to (I can find the IP block,
but it doesn't tell me what the machine is doing), why my server is trying
to send them a netbios packet, or what service on the Win2K box is
attempting to send the packet. I suspect, however, that Exchange is
attempting to connect to another machine somewhere.
If someone could enlighten me on what is going on, I would really appreciate
it. I would like to keep the Win2K machine from even trying to send any
netbios requests.
Thanks in advance.
Steve Jacobson
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
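Added example, not part of the original thread: a Python script that parses packet filter log lines in the format quoted above and groups NetBIOS packets that carry a private source address on a public interface by destination, with count and first/last time seen. The column names are an assumption based on how the post reads its own log, and the function names are hypothetical.

```python
import csv
import ipaddress
from collections import defaultdict
from datetime import datetime

# Column order is an assumption, matching how the post reads its own log.
FIELDS = ["date", "time", "src", "dst", "proto", "sport", "dport",
          "flags", "rule", "iface", "ip_header", "payload"]
NETBIOS_PORTS = {137, 138, 139}

# The first four lines are copied from the post; the last one is constructed
# internal-LAN traffic that must not be flagged.
SAMPLE = """\
9/22/2001, 0:59:37, 10.1.2.2, 210.144.23.58, Udp, 137, 137, -, 0, 209.42.32.74, -, -,
9/22/2001, 0:59:39, 10.1.2.2, 210.144.23.58, Udp, 137, 137, -, 0, 209.42.32.74, -, -,
9/22/2001, 8:52:27, 10.1.2.2, 64.85.93.144, Udp, 137, 137, -, 0, 209.42.32.74, -, -,
9/22/2001, 8:52:28, 10.1.2.2, 64.85.93.144, Udp, 137, 137, -, 0, 209.42.32.74, -, -,
9/22/2001, 9:00:00, 10.1.2.2, 10.1.2.9, Udp, 137, 137, -, 0, 10.1.2.2, -, -,
"""

def parse(text):
    """Turn comma-separated log lines into dicts with a parsed timestamp."""
    rows = []
    for rec in csv.reader(text.splitlines(), skipinitialspace=True):
        if len(rec) < len(FIELDS):
            continue  # blank or truncated line
        row = dict(zip(FIELDS, (f.strip() for f in rec)))
        stamp = row["date"] + " " + row["time"]
        row["when"] = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S")
        rows.append(row)
    return rows

def leaked_netbios(rows):
    """Map destination -> (count, first seen, last seen) for NetBIOS packets
    with a private source logged on a public interface."""
    hits = defaultdict(list)
    for r in rows:
        if not r["dport"].isdigit() or int(r["dport"]) not in NETBIOS_PORTS:
            continue
        src, dst, iface = (ipaddress.ip_address(r[k]) for k in ("src", "dst", "iface"))
        if src.is_private and not dst.is_private and not iface.is_private:
            hits[str(dst)].append(r["when"])
    return {d: (len(t), min(t), max(t)) for d, t in hits.items()}

if __name__ == "__main__":
    for dst, (n, first, last) in leaked_netbios(parse(SAMPLE)).items():
        print(f"{dst}: {n} packets, {first:%H:%M:%S} to {last:%H:%M:%S}")
```

Packets to the same destination arriving in closely spaced pairs, as in the quoted fragment, stand out in the first/last columns of the summary.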