
Has anyone seen this 445 traffic before? Not sure if virus/malware/MS crapware


DrB0b | IS-IT--Management | May 19, 2011 | 1,420 | US

[Image: 445traffic_dkswhb.jpg]

See the photo above. We have a ton of 445 - SMB traffic going to 192.168.100.x, 192.168.101.x, and 192.168.5.x addresses even though those networks do not exist. The firewall is blocking all of the requests but it is unnecessary traffic on the network. I know ransomware will operate and move subnets via 445 but also I know some Windows services utilize that port, like printer and file sharing, which we do have enabled. I would Wireshark the data but I don't know what else I will find out about it in doing so, as I know that almost all PCs in our building are doing this and going to these not-real IPs. We have Trend Micro across all PCs in the domain and have run various other malware/virus/trojan seeking apps and nothing is ever found.

Any thoughts? I'm hoping it is Windows 10 doing something funky or trying to query around and see who else is allowing SMB traffic. I only really see these 192.168.x.x fails as any of the successful 445 traffic is actually legit.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
Do you have a Linux server somewhere?
 
One VM and one physical on the 10.0.4.x scheme. I believe Samba may have something to do with it. I was going around and disabling file and printer sharing and network discovery for some machines that were displaying the 445 SYNs but I don't think that stopped any traffic.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
Thanks Beilstwh for the info. We do have 445 blocked from the outside world. We are in an Active Directory environment. We do utilize printer and file sharing, such as mapped drives from file servers. I am under the assumption that 445 has to be enabled for this to function internally. I will look into this a little deeper and run some tests on it disabled but if anyone has any details, please post.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
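The thread never answers the practical question behind the first post and the follow-up about mapped drives: on a PC that is sending these SYNs, which process owns the connection, and does anything on the box still point at those subnets? The firewall log only shows source and destination, so the answer has to come from the endpoint. The script below is an added example, not code from the thread or from any poster; it assumes the three phantom subnets named in the first post (edit $PhantomPrefixes for another network), it is meant to be run in an elevated PowerShell on a Windows 10 PC that shows the traffic, and the function names are mine. It uses only built-in cmdlets (Get-NetTCPConnection, Get-Process, Get-CimInstance, Get-SmbMapping, Get-PrinterPort).

```powershell
# Added example (not from the thread): run in an elevated PowerShell on one of the
# Windows 10 PCs that shows the 445 SYNs. The three prefixes are the subnets the
# original poster said do not exist; this is an assumption about the reader's network.
$PhantomPrefixes = @('192.168.100.', '192.168.101.', '192.168.5.')

function Test-PhantomAddress {
    param([string]$Address, [string[]]$Prefixes = $PhantomPrefixes)
    foreach ($p in $Prefixes) { if ($Address -and $Address.StartsWith($p)) { return $true } }
    return $false
}

# Resolve a PID to something a human can act on. svchost.exe hosts many services,
# so the hosted service names matter more than the image name.
function Resolve-Owner {
    param([int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
    $services = (Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId" |
                 Select-Object -ExpandProperty Name) -join ','
    [pscustomobject]@{ PID = $ProcessId; Process = $name; Services = $services; Path = $proc.Path }
}

# Sample the TCP table repeatedly: a SYN to an address nobody answers sits in
# SynSent only until the retransmits give up (a few seconds), so a single
# snapshot misses most of them. Each PID/destination pair is reported once.
function Watch-PhantomSmb {
    param([int]$Seconds = 60, [int]$IntervalMs = 500)
    $seen = @{}
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
            Where-Object { Test-PhantomAddress $_.RemoteAddress } |
            ForEach-Object {
                $key = "$($_.OwningProcess)|$($_.RemoteAddress)"
                if (-not $seen.ContainsKey($key)) {
                    $owner = Resolve-Owner $_.OwningProcess
                    $seen[$key] = [pscustomobject]@{
                        FirstSeen = Get-Date
                        Remote    = "$($_.RemoteAddress):445"
                        State     = $_.State
                        PID       = $owner.PID
                        Process   = $owner.Process
                        Services  = $owner.Services
                        Path      = $owner.Path
                    }
                }
            }
        Start-Sleep -Milliseconds $IntervalMs
    }
    $seen.Values | Sort-Object Remote
}

# Stale references are a common reason a healthy PC keeps knocking on a subnet
# that no longer exists: mapped drives and TCP/IP printer ports that still point
# at retired servers. Both are checked against the same prefixes.
function Get-PhantomReferences {
    $drives = Get-SmbMapping -ErrorAction SilentlyContinue |
        Where-Object {
            # \\server\share -> server (may be a name or an IP literal)
            $server = $_.RemotePath.TrimStart('\').Split('\')[0]
            Test-PhantomAddress $server
        } |
        ForEach-Object { [pscustomobject]@{ Kind = 'MappedDrive'; Local = $_.LocalPath; Target = $_.RemotePath } }
    $ports = Get-PrinterPort -ErrorAction SilentlyContinue |
        Where-Object { Test-PhantomAddress $_.PrinterHostAddress } |
        ForEach-Object { [pscustomobject]@{ Kind = 'PrinterPort'; Local = $_.Name; Target = $_.PrinterHostAddress } }
    @($drives) + @($ports)
}

Watch-PhantomSmb -Seconds 60 | Format-Table -AutoSize
Get-PhantomReferences | Format-Table -AutoSize
```

Read the first table by the Process and Services columns: a connection owned by System with no services is the SMB redirector itself (a mapped drive, a printer connection, or a UNC path something opened), while a third-party image path or an unexpected service is what you would hand to Trend Micro. If the sampling loop comes up empty because the connections are too short-lived, the durable alternative is to enable Windows Filtering Platform connection auditing (auditpol /set /subcategory:"Filtering Platform Connection" /success:enable), after which Security event 5156 records the application path, direction and destination for every connection the host permits, and can be collected fleet-wide instead of visiting each PC.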
 