Re: WORM? ... server generating NBT-NS (port 137) traffic on WAN interface
- From: "Blondie" <nobody@xxxxxxxxxxx>
- Date: Wed, 15 Oct 2008 17:06:24 -0400
re: A worm seems unlikely with the timeline you laid out.
Any other suggestions about why these extraneous packets started being
generated?
re: Regardless, DON'T BROWSE FROM THE SERVER!!!!!
Yes I agree it is a bad idea ... but, I did ... it seemed like the right
thing at the time (WAN was being `throttled' by the phone company)
re: Okay, here is the first real inconsistency. If the SBS machine is not
acting as a gateway then there really isn't such a thing as a LAN vs WAN
NIC. I suspect you have some significant topology issues and may have even
introduced a loopback into your scenario. This, coupled with what you've
laid out below, would imply that you have THREE LAN NICs??!?? I couldn't
even begin to troubleshoot such an odd configuration remotely without
thorough documentation.
It's really not that unusual, and we don't need to troubleshoot the LAN
configuration. There really are 2 physical LANs with separate private IP
range class C networks that use the SBS2003 server for SMTP services and
file sharing; only 1 of these uses the full range of SBS2003 functions ...
and ONLY 1 WAN interface on the SBS2003 server.
In any case, the LAN/WAN/NIC configuration is not an issue ... with both LAN
NICs disconnected the WAN interface continues to generate NBT/NS queries
using port 137 without any indication of network activity in the Netstat
output ... all of these SMB packets are blocked by the router connected to
the WAN interface. I am just annoyed that somehow this server was
successfully attacked and I want to find out more about the program that is
generating this extraneous traffic ... and maybe how it got into the system.
I now know of two `dumb things' that were done with this server before this
problem was first noticed:
1) I used the server web browser to run several speed tests, and to download
some files ... while diagnosing a WAN IP traffic flow issue ... about 7 to
10 days before the problem was first noticed.
2) Someone else (I just found out today) attempted to install a USB 56K
MODEM (purchased from eBay - Hong Kong) ... installed the device drivers
intended for WinXP because there were no Win2003 drivers, but the MODEM
didn't work ... device drivers were not `un-installed' ... not sure of the
timing of this event but it was closer to the date of the first reported
instance of the appearance of the extraneous NBT/NS packets.
.... I think I will more closely inspect the CD that these drivers came from
.... as soon as I get my hands on it :(
"Cliff Galiher" <cgaliher@xxxxxxxxx> wrote in message
news:VZCdnU8aA93K3GvVnZ2dnUVZ_tninZ2d@xxxxxxxxxxxxxx
Okay, first we need to clear up some inconsistencies, so read inline:
*** Well ... I have used the Web Browser to access some speed test sites in
the past (these have advertising embedded) ... and a few others that I
assumed were safe, while looking for info to help with a previous networking
issue on the SBS2003 server itself (problem turned out to be IP packet
blocking and 'traffic management' - denial of access between the server and
its remote users by the local phone company ... within the DSL link to the
ISP) ... mostly Microsoft websites. But not for at least 10 days before the
problem was first detected ... seemed like the best way at the time ... I
access the server with RWW and RDP through a VPN ... when I wanted to
cut-n-paste info between sessions I thought it would be "safe" to use the
server's Web Browser. A virus could have been embedded in one of the
advertisements ... but if this was the infection source, the payload did not
activate for over a week ... which seems kind of strange, but certainly
possible.
A worm seems unlikely with the timeline you laid out. Regardless, DON'T
BROWSE FROM THE SERVER!!!!!
*** There are actually 2 LAN (Gbit) NICs and 1 WAN (100MBit) NIC ... the
problem continues even when the LAN NICs are disconnected.
SBS doesn't support 3 NICs. You will have problems with this
configuration. Why do you have 2 LAN NICs? This seems incredibly
inefficient. Without knowing *a lot* more about your topology, this alone
could be a source of problems. Even if you need to segment your LAN, you
should do so with a good managed switch and VLANs. But if you are trying
to get 2 gigs off the LAN then you are trying to do port aggregation,
which again, to my knowledge SBS does not support.
*** I didn't run a packet sniffer on the LAN for this problem ... but I did
disconnect the LAN interfaces and the problem continued ... the SBS2003
server is not serving as the gateway on the LAN ... there is another
external router to a different IP for that purpose ... there is lots of SMB
traffic on the LAN ... and some of it is illegitimate; it would be very
difficult and time consuming to attempt to find a match for the unwanted
packets that are leaving the SBS2003 WAN interface ... disconnecting the
interface for a few hours seemed like a better way to eliminate this
potential source of the unwanted packets.
Okay, here is the first real inconsistency. If the SBS machine is not
acting as a gateway then there really isn't such a thing as a LAN vs WAN
NIC. I suspect you have some significant topology issues and may have
even introduced a loopback into your scenario. This, coupled with what
you've laid out below, would imply that you have THREE LAN NICs??!?? I
couldn't even begin to troubleshoot such an odd configuration remotely
without thorough documentation.
*** A great idea ... I did not think of Sysinternals ... I will try to find
out if I can run this tool on the server very soon ... thank you.
Feel free to reply back once you've done this and have more info.
-Cliff
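Added example, not part of this thread or of any tool mentioned in it. Before chasing a process with netstat or a Sysinternals tool, it helps to know what the NBT-NS packets leaving UDP 137 are actually asking for: the NetBIOS name in each query is first-level encoded (RFC 1002), so a sniffer shows a 32-letter label rather than a readable name. The Python below builds a constructed name query (the transaction ID and the names are assumed sample values, not captured traffic) and decodes it; handed the UDP payload of a captured packet, `parse_nbns_query` returns the name and the suffix byte, which tells you whether the server is hunting for a proxy (WPAD), a file server (suffix 0x20) or a browser/domain role, and therefore which service or driver to look at next.

```python
import struct

# NetBIOS suffix bytes commonly seen in NBNS queries (Microsoft usage of RFC 1001 names).
SUFFIX_MEANING = {
    0x00: "workstation service",
    0x1B: "domain master browser",
    0x1C: "domain controllers",
    0x1D: "master browser",
    0x1E: "browser service elections",
    0x20: "file server service",
}


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """RFC 1002 first-level encoding: pad the name to 15 bytes, append the
    suffix byte, then emit each nibble as a letter 'A'..'P' (32 bytes)."""
    if len(name) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix & 0xFF])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(label: bytes) -> tuple:
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    if len(label) != 32:
        raise ValueError("encoded NetBIOS label must be 32 bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = label[i] - 0x41, label[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("invalid first-level encoding")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_query(name: str, suffix: int = 0x00, trn_id: int = 0x1234) -> bytes:
    """Constructed NBNS NAME QUERY REQUEST as a host broadcasts it on UDP 137.
    trn_id and name are assumed sample values, not captured traffic."""
    flags = 0x0110  # R=0 (request), OPCODE=0 (query), RD=1, B=1 (broadcast)
    header = struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 0)
    question = bytes([32]) + encode_netbios_name(name, suffix) + b"\x00"
    question += struct.pack("!HH", 0x0020, 0x0001)  # QTYPE=NB, QCLASS=IN
    return header + question


def parse_nbns_query(pkt: bytes) -> dict:
    """Parse the header and first question of an NBNS packet (UDP payload)."""
    if len(pkt) < 12:
        raise ValueError("truncated NBNS header")
    trn_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    pos = 12
    if len(pkt) < pos + 38:  # length byte + 32-byte label + terminator + QTYPE + QCLASS
        raise ValueError("truncated question section")
    if pkt[pos] != 32 or pkt[pos + 33] != 0:
        raise ValueError("question name is not a single 32-byte encoded label")
    label = pkt[pos + 1:pos + 33]
    qtype, qclass = struct.unpack("!HH", pkt[pos + 34:pos + 38])
    name, suffix = decode_netbios_name(label)
    return {
        "trn_id": trn_id,
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "broadcast": bool(flags & 0x0010),
        "name": name,
        "suffix": suffix,
        "suffix_meaning": SUFFIX_MEANING.get(suffix, "unknown"),
        "qtype": qtype,
        "qclass": qclass,
    }


if __name__ == "__main__":
    sample = build_nbns_query("WPAD")
    print(sample[13:45].decode("ascii"))  # the 32-letter label a sniffer shows
    print(parse_nbns_query(sample))
```

On the server itself, `netstat -ano` (available on Windows Server 2003) lists the PID that owns the UDP 137 socket; the decoded name from a capture is what turns that PID into a hypothesis about which component is doing the lookups.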