Curious network activity over port 445

Status
Not open for further replies.

DrB0b

IS-IT--Management
May 19, 2011
1,425
US
Hello All,
So I have noticed some odd behavior on our main LAN that is trying to talk out to another subnet that doesn't exist. This may have been a subnet that existed before I was hired on. It is trying to talk via 445 from a ton of PCs on our network. The first screenshot is of our firewall blocking the traffic as it doesn't know where to route it. The second screenshot is Wireshark from a PC that is trying to talk to 192.168.5.10 via 445. I don't really see any other funky activity other than these. It seems sporadic in when it tries to reach out to this ghost network. We have antivirus company-wide; I have run rkill, tdsskiller, and MBAM against multiple machines and nothing comes up. Am I chasing something that is legit but configured incorrectly? Is it just a 445 request, so the AV is ignoring it? I'm not sure what program to run to see exactly what service/executable is calling the 445 request. Any thoughts?
[Screenshot: Firewall1_dblntn.jpg]

[Screenshot: Wireshark1_mjlnvc.jpg]


Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
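Before treating the traffic as malware, it is worth answering the "legit but configured incorrectly?" question directly: a retired file server, printer or script target leaves references behind in a handful of well-known places, and a service that still points at one will retry TCP/445 forever. The script below is an added example, not from this thread or from any of the tools named in it. It assumes Windows 8 / Server 2012 or later PowerShell (Get-SmbMapping, Get-PrinterPort, Get-ScheduledTask), an elevated prompt, and uses the ghost host 192.168.5.10 from the first post as the search string.

```powershell
# Added example: inventory common places on a Windows host that can hold a stale
# SMB target (here the ghost host 192.168.5.10 from the thread) and would make a
# legitimate service retry TCP/445 to an address that no longer exists.
# Assumes Windows 8 / Server 2012 or later (Get-SmbMapping, Get-PrinterPort,
# Get-ScheduledTask); run elevated so machine-wide items are visible.
param([string]$Target = '192.168.5.10')   # the address to look for; taken from the thread

$hits = New-Object System.Collections.Generic.List[object]
function Add-Hit([string]$Source, [string]$Detail) {
    $hits.Add([pscustomobject]@{ Source = $Source; Detail = $Detail })
}

# 1. Current and persistent drive mappings (HKCU\Network holds the persistent ones)
Get-SmbMapping -ErrorAction SilentlyContinue |
    Where-Object RemotePath -like "*$Target*" |
    ForEach-Object { Add-Hit 'SmbMapping' "$($_.LocalPath) -> $($_.RemotePath)" }
Get-ChildItem HKCU:\Network -ErrorAction SilentlyContinue | ForEach-Object {
    $rp = (Get-ItemProperty $_.PSPath).RemotePath
    if ($rp -like "*$Target*") { Add-Hit 'HKCU\Network' "$($_.PSChildName): -> $rp" }
}

# 2. Printer ports whose name or host address points at the ghost host
Get-PrinterPort -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*$Target*" -or $_.PrinterHostAddress -like "*$Target*" } |
    ForEach-Object { Add-Hit 'PrinterPort' $_.Name }

# 3. Scheduled task actions that execute from, or pass arguments naming, the ghost host
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -like "*$Target*") {
            Add-Hit 'ScheduledTask' "$($_.TaskPath)$($_.TaskName): $($a.Execute) $($a.Arguments)"
        }
    }
}

# 4. Services whose image path references the ghost host
Get-CimInstance Win32_Service |
    Where-Object PathName -like "*$Target*" |
    ForEach-Object { Add-Hit 'Service' "$($_.Name): $($_.PathName)" }

# 5. Shortcuts in the per-user and all-users Start Menu (including Startup folders)
$shell = New-Object -ComObject WScript.Shell
$roots = @([Environment]::GetFolderPath('StartMenu'), [Environment]::GetFolderPath('CommonStartMenu'))
Get-ChildItem $roots -Recurse -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    if ("$($lnk.TargetPath) $($lnk.Arguments) $($lnk.WorkingDirectory)" -like "*$Target*") {
        Add-Hit 'Shortcut' "$($_.FullName) -> $($lnk.TargetPath)"
    }
}

if ($hits.Count -eq 0) { "No reference to $Target found in the locations checked." }
else { $hits | Format-Table -AutoSize }
```

Run it on one of the PCs the firewall has already flagged. HKCU:\Network only covers the user running the script; mappings made by other users live under their HKU hives, and drives or printers pushed by Group Policy or a logon script only show up in Get-SmbMapping while that session is logged on, so check the GPO and script sources separately if the host comes back clean here.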
 
I did just catch this with a Netstat -b which points to a MS operation. The 192.168.100.x and 192.168.101.x are subnets for our Blade servers and NAS to talk on. Not sure why this PC would be interested in it though.
[Screenshot: NetStat_dvkzfb.jpg]


I've looked at Autoruns and don't see anything fishy there either.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
>Can not obtain ownership information

That's fishy. Do a malware scan or something. There is an item messing with your ports or something just malfunctioned - idk. When I check my ports it never does that. Something you downloaded may have made your TCP listening ports 192.168.100.x and 192.168.101.x but that is the only thing I can think of.

Sincerely,
Bob Space
 
Well, SYN-SENT is a request for connection (which fails as it's blocked by your firewall) so further SYN-SENT segments are sent. So you could look for what process is responsible for retransmitting the SYN-SENT segments.

Perhaps use Sysinternals/TechNet's Process Monitor (ProcMon) with 2 filters set: 1) Event Class > is > Network > Include and; 2) Operation > is > TCP Retransmit > Include... then start a capture. (I would set ProcMon to Drop Filtered Events to reduce swapfile usage.)

Perhaps even easier is to use Nir Sofer's CurrPorts then use F9 to open Advanced Filters and add include:local:tcp:445 as a filter then, in Options > State Display Filter set it to only Display Syn-Sent.

Hope this helps...
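A scriptable counterpart to the ProcMon / CurrPorts approach above, for anyone reading this thread on a current Windows build: poll the TCP connection table for outbound attempts to port 445, attribute each one to its owning process, and expand svchost.exe to the services hosted in that PID (which is also the case where netstat -b prints "Can not obtain ownership information"). This is an added example, not part of the thread or of either tool mentioned; it assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection) and an elevated prompt, and the 192.168.5. prefix is taken from the first post.

```powershell
# Added example: attribute outbound TCP/445 connection attempts to the process
# (and, for svchost.exe, the hosted services) that opened them. SYN_SENT is a
# short-lived state, so the table is polled repeatedly instead of read once.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell prompt.
param(
    [string]$GhostPrefix = '192.168.5.',   # destination prefix from the thread; adjust as needed
    [int]$Port     = 445,
    [int]$Seconds  = 300,                  # how long to watch
    [int]$Interval = 1                     # seconds between polls
)

$seen = @{}                                # key: "pid|remote" -> record, so each pair is reported once
$deadline = (Get-Date).AddSeconds($Seconds)

while ((Get-Date) -lt $deadline) {
    Get-NetTCPConnection -RemotePort $Port -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -like "$GhostPrefix*" } |
        ForEach-Object {
            $key = "$($_.OwningProcess)|$($_.RemoteAddress)"
            if ($seen.ContainsKey($key)) { return }

            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            # svchost.exe hosts several services per PID; list them so the record is actionable
            $svc = ''
            if ($proc -and $proc.ProcessName -eq 'svchost') {
                $svc = (Get-CimInstance Win32_Service -Filter "ProcessId=$($_.OwningProcess)").Name -join ','
            }

            $seen[$key] = [pscustomobject]@{
                Time          = Get-Date -Format 'HH:mm:ss'
                State         = $_.State
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                PID           = $_.OwningProcess
                Process       = if ($proc) { $proc.ProcessName } else { '(exited)' }
                Services      = $svc
                Path          = if ($proc) { $proc.Path } else { '' }
            }
            $seen[$key] | Format-List | Out-String | Write-Host
        }
    Start-Sleep -Seconds $Interval
}

"Summary ($($seen.Count) distinct process/destination pairs):"
$seen.Values | Sort-Object Time | Format-Table Time, State, RemoteAddress, PID, Process, Services -AutoSize
```

Leave it running for at least one of the intervals at which the firewall logs a block, since the attempts in the thread were sporadic. A connection that the firewall sees but that never appears in this table (or in ProcMon's network events) was not opened through the normal Winsock path, which narrows the next step to kernel-mode components and the ARP/route checks suggested later in the thread.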
 
@iambob - I listed above all of the AV/AM I ran before posting here. Ran rkill, tdsskiller, MBAM, and two different AV scans but nothing pops.

@Rick998 - I tried ProcMon but not with the filters as you list. Will give that a shot after Currports which is currently running. I love nirsoft, they have everything......

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
@Rick998 - Well I tried with CurrPorts and it never saw the traffic regardless of what filters I had enabled. I am trying with ProcMon now but it doesn't appear to see the traffic either. I can see on my firewall when the calls are being attempted and then getting denied, but the call is at least leaving the host PC so I would think I would see that in either program.......

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
@Rick998 - Even tried ProcMon with just the first filter and did an F4 for 192.168 and nothing showed, even though my firewall states it tried to connect twice....... I am even more confused now.....

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
@DrB0b - My apologies but I don't know what else to suggest... except perhaps looking at stored ARP tables and, on a test device, flushing its arp cache then monitoring any further port 445 activity.

Hope this helps...
 
@Rick998 - Yeah this is a stumper for sure. I'm half tempted to create this ghost subnet with a new PC/VM and open it between a known clean PC and it to see the traffic actually go all the way through and catch it on the other end to see what it is requesting. Other than that, I'm about out of ideas. Thanks for the assistance either way.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 