[Dshield] W2K domain controller scans

Ryan J Betz ryanb at maumeepattern.com
Tue Oct 30 14:34:51 GMT 2001


Lately I've been seeing my W2K DC trying to connect to what appears to be a
reserved IP address:

Oct 30 07:28:43 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=48 S=0x00 I=44492 F=0x4000 T=127 (#38)
Oct 30 07:28:46 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=48 S=0x00 I=44519 F=0x4000 T=127 (#38)
Oct 30 07:28:46 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=40 S=0x00 I=44520 F=0x4000 T=127 (#38)
Oct 30 07:28:52 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=48 S=0x00 I=44548 F=0x4000 T=127 (#38)
Oct 30 07:28:52 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=40 S=0x00 I=44549 F=0x4000 T=127 (#38)
Oct 30 07:34:53 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:3130 L=48 S=0x00 I=45834 F=0x4000 T=127 (#38)
Oct 30 07:34:56 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:3130 L=48 S=0x00 I=45855 F=0x4000 T=127 (#38)
Oct 30 07:34:56 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:3130 L=40 S=0x00 I=45856 F=0x4000 T=127 (#38)
Oct 30 07:35:02 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:3130 L=48 S=0x00 I=45885 F=0x4000 T=127 (#38)
Oct 30 07:35:02 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:3130 L=40 S=0x00 I=45886 F=0x4000 T=127 (#38)

I suppose this could be some kind of LM browse announcement or something
along those lines.  Is something misconfigured or is this just normal?  If
need be I can capture some of these if it's not something obvious.

Thanks for any help,
Ryan J Betz  (not an MCSE)
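A small triage script for log lines like the ones above, added here as an example; it is not part of the original post and not DShield's code. It parses the ipchains "Packet log:" format the gateway emits, keeps only outbound TCP from a NetBIOS/SMB port to the 169.254.0.0/16 link-local range (APIPA, the range a Windows host self-assigns when it gets no DHCP lease), and groups hits per remote address and local port so a recurring peer stands out from a one-off. The sample lines are constructed: three mirror the post's entries, two are filler the filter should ignore. One reading aid when looking at such lines: a packet whose source is port 139 and whose destination is an ephemeral port is the DC's side of a session that was opened toward port 139, so the 169.254.x.x address is the host to look for on the local LAN.

```python
import ipaddress
import re

# Constructed sample in the ipchains "Packet log:" format quoted in the post.
# Lines 1-3 mirror the post's entries; lines 4-5 are filler that must be ignored
# (an inbound packet, and an outbound DNS packet to a routable address).
SAMPLE_LOG = """\
Oct 30 07:28:43 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=48 S=0x00 I=44492 F=0x4000 T=127 (#38)
Oct 30 07:28:46 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=40 S=0x00 I=44519 F=0x4000 T=127 (#38)
Oct 30 07:34:53 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:3130 L=48 S=0x00 I=45834 F=0x4000 T=127 (#38)
Oct 30 07:40:00 gateway kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4444 192.168.0.88:139 L=48 S=0x00 I=1 F=0x4000 T=64 (#12)
Oct 30 07:41:00 gateway kernel: Packet log: output ACCEPT eth0 PROTO=17 192.168.0.88:53 198.51.100.2:53 L=60 S=0x00 I=2 F=0x0000 T=127 (#3)
"""

# Field layout of an ipchains kernel log line: chain, verdict, interface,
# protocol number, src:port, dst:port, length, TOS, IP id, fragment flags, TTL,
# and the rule number in parentheses.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=0x(?P<flags>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?$"
)

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")   # APIPA / RFC 3927
NETBIOS_SMB_PORTS = {137, 138, 139, 445}


def parse_line(line):
    """Parse one ipchains packet-log line into a dict; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] is not None else None
    rec["src_ip"] = ipaddress.ip_address(rec.pop("src"))
    rec["dst_ip"] = ipaddress.ip_address(rec.pop("dst"))
    return rec


def is_link_local_netbios(rec):
    """True for outbound TCP leaving a NetBIOS/SMB port toward a 169.254/16 host."""
    return (
        rec["chain"] == "output"
        and rec["proto"] == 6
        and rec["sport"] in NETBIOS_SMB_PORTS
        and rec["dst_ip"] in LINK_LOCAL
    )


def likely_reply(rec):
    """Well-known source port and ephemeral destination port: this is the local
    host answering a session the remote side opened, not a connection it started."""
    return rec["sport"] < 1024 and rec["dport"] >= 1024


def summarize(log_text):
    """Group matching lines by (local ip, local port, remote ip).

    Each group records the hit count, the set of remote ports seen, the first and
    last timestamp, and whether every hit looked like a reply to an inbound session.
    """
    groups = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_link_local_netbios(rec):
            continue
        key = (str(rec["src_ip"]), rec["sport"], str(rec["dst_ip"]))
        g = groups.setdefault(key, {
            "count": 0, "remote_ports": set(),
            "first": rec["ts"], "last": rec["ts"], "all_replies": True,
        })
        g["count"] += 1
        g["remote_ports"].add(rec["dport"])
        g["last"] = rec["ts"]
        g["all_replies"] = g["all_replies"] and likely_reply(rec)
    return groups


if __name__ == "__main__":
    for (src, sport, dst), g in summarize(SAMPLE_LOG).items():
        print(f"{src}:{sport} -> {dst}: {g['count']} packets, remote ports "
              f"{sorted(g['remote_ports'])}, {g['first']} .. {g['last']}, "
              f"replies_to_inbound={g['all_replies']}")
```

Run against a real /var/log/messages by passing the file contents to summarize(); a single remote address with several ephemeral ports over a few minutes, as in the post, points at one LAN host retrying a NetBIOS session, while many distinct 169.254.x.x addresses would suggest a wider DHCP problem on the segment.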
