machinetype
IS-IT--Management
Okay, we recently got a 3Com OfficeConnect router. I have been looking through the logs on a daily basis and keep coming across an internal address of 192.168.0.48 trying to get out to the internet. I can ping this address from one of the BDCs, which is the DHCP server, but no other machine on the network can ping 192.168.0.48. It claims it is an IP spoof. Here are a couple of the entries:
IP spoof detected 192.168.0.48, 137, LAN 12.96.223.135, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 17:11:51.320
IP spoof detected 192.168.0.48, 137, LAN 199.111.38.62, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 19:03:42.064
IP spoof detected 192.168.0.48, 137, LAN 63.214.184.81, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 19:45:59.288
IP spoof detected 192.168.0.48, 137, LAN 208.178.14.210, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 22:51:16.048
Note: these are only a few of them; this happens about 3-4 times a day. The port is 137, which is NetBIOS, and I have always heard that worms operate at this port number. After looking in the route table I see:
192.168.0.48 Mask 255.255.255.255 Gateway 127.0.0.1
So I do a reg search for 192.168.0.48 on this BDC and it comes up as a DHCP IP address under NdisWan6->parameters->Tcpip. Now remember, this is the DHCP server, but this is not its address; we have never assigned anything in this range.
Also no other machine can ping this address except for this BDC.
So I am at a loss. I know, or assumed to know, that nothing actually gives itself its own address. Any help with this quandary would be greatly appreciated!
SLM
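Added example, not part of the original post and not 3Com code: a Python parser for the router log entries quoted above that groups them by MAC and source address, so the device behind the entries can be matched against ARP and DHCP lease tables. The field layout is inferred from the four quoted lines, and `lan_net` is a hypothetical parameter because the post does not state the LAN subnet.

```python
import ipaddress
import re
from datetime import datetime

# The four entries quoted in the post, copied as they appear there.
LOG = """\
IP spoof detected 192.168.0.48, 137, LAN 12.96.223.135, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 17:11:51.320
IP spoof detected 192.168.0.48, 137, LAN 199.111.38.62, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 19:03:42.064
IP spoof detected 192.168.0.48, 137, LAN 63.214.184.81, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 19:45:59.288
IP spoof detected 192.168.0.48, 137, LAN 208.178.14.210, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 22:51:16.048
"""

# Assumed layout, inferred from those lines (not from 3Com documentation):
# event, src IP, src port, src interface, dst IP, dst port, dst interface, MAC, timestamp
ENTRY = re.compile(
    r"^(?P<event>.+?) (?P<src>[\d.]+), (?P<sport>\d+), (?P<sif>\w+) "
    r"(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dif>\w+) "
    r"MAC address: (?P<mac>(?:[0-9A-Fa-f]{2}[.:-]){5}[0-9A-Fa-f]{2}) "
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})$")

def parse_log(text):
    """Return one dict per recognised entry; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["src"], e["dst"] = ipaddress.ip_address(e["src"]), ipaddress.ip_address(e["dst"])
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        e["mac"] = re.sub(r"[.-]", ":", e["mac"]).lower()  # 00:04:75:aa:3e:56 form
        e["ts"] = datetime.strptime(e["ts"], "%m/%d/%Y %H:%M:%S.%f")
        entries.append(e)
    return entries

def summarize(entries, lan_net):
    """Group by (MAC, source IP). lan_net is the subnet the LAN is configured for."""
    lan, out = ipaddress.ip_network(lan_net), {}
    for e in entries:
        s = out.setdefault((e["mac"], str(e["src"])), {
            "count": 0, "ports": set(), "external_dsts": set(),
            "src_in_lan": e["src"] in lan, "first": e["ts"], "last": e["ts"]})
        s["count"] += 1
        s["ports"].add(e["dport"])
        if not e["dst"].is_private:
            s["external_dsts"].add(str(e["dst"]))
        s["first"], s["last"] = min(s["first"], e["ts"]), max(s["last"], e["ts"])
    return out

if __name__ == "__main__":
    # 10.0.0.0/24 is a placeholder subnet; the post does not state the real one.
    for key, s in summarize(parse_log(LOG), "10.0.0.0/24").items():
        print(key, s["count"], sorted(s["ports"]), s["src_in_lan"], s["first"], s["last"])
```

The normalised MAC in each key is the value to look up in the ARP cache and DHCP lease list, and `src_in_lan` shows whether the logged source address belongs to the subnet passed in.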