[Dshield] W2K domain controller scans

Alexander Rayborn alexander at red-abstract.com
Tue Oct 30 17:15:55 GMT 2001


This looks to me like it's trying to connect to itself.  The 169.254.x.x
address is automatic private addressing, which means an adapter (most
likely on the DC itself) tried to obtain an IP address from a DHCP
server and failed.  If this DC is running two ethernet controllers, then
you probably have one considered the internal and the other considered
the external.  Looks like your external adapter is trying to contact a
DHCP server and failing, giving you the auto-private IP address (the
169.254.x.x).

--Alexander

> -----Original Message-----
> From: dshield-admin at dshield.org 
> [mailto:dshield-admin at dshield.org] On Behalf Of Ryan J Betz
> Sent: Tuesday, October 30, 2001 8:35 AM
> To: dshield at dshield.org
> Subject: [Dshield] W2K domain controller scans
> 
> 
> Lately I've been seeing my W2K DC trying to connect to what 
> appears to be a reserved IP address:
> 
> Oct 30 07:28:43 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=48 S=0x00 I=44492 F=0x4000 T=127 (#38)
> Oct 30 07:28:46 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=48 S=0x00 I=44519 F=0x4000 T=127 (#38)
> Oct 30 07:28:46 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=40 S=0x00 I=44520 F=0x4000 T=127 (#38)
> Oct 30 07:28:52 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=48 S=0x00 I=44548 F=0x4000 T=127 (#38)
> Oct 30 07:28:52 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=40 S=0x00 I=44549 F=0x4000 T=127 (#38)
> Oct 30 07:34:53 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:3130 L=48 S=0x00 I=45834 F=0x4000 T=127 (#38)
> Oct 30 07:34:56 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:3130 L=48 S=0x00 I=45855 F=0x4000 T=127 (#38)
> Oct 30 07:34:56 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:3130 L=40 S=0x00 I=45856 F=0x4000 T=127 (#38)
> Oct 30 07:35:02 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:3130 L=48 S=0x00 I=45885 F=0x4000 T=127 (#38)
> Oct 30 07:35:02 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:3130 L=40 S=0x00 I=45886 F=0x4000 T=127 (#38)
> 
> I suppose this could be some kind of LM browse announcement 
> or something along those lines.  Is something misconfigured 
> or is this just normal?  If need be I can capture some of 
> these if it's not something obvious.
> 
> Thanks for any help,
> Ryan J Betz  (not an MCSE)
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: 
> http://www1.dshield.org/mailman/listinfo/dshield
> 
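The entries Ryan posted are in the Linux 2.2 ipchains "Packet log:" format: chain, verdict, interface, PROTO=, src:sport, dst:dport, L= (IP total length), S= (TOS), I= (IP ID), F= (fragment field), T= (TTL), an optional SYN marker for TCP SYN packets, and the matching rule number in parentheses. The following Python parser is an added example and is not part of the original thread or of any DShield tooling. It reads that format and pulls out the two things a practitioner would want from these lines: whether either endpoint is in 169.254.0.0/16 (the APIPA range Alexander describes), and which side of a NetBIOS/SMB session the packet belongs to, since a TCP packet from port 139 to a high port is the server side of a session (an answer to something that reached port 139) rather than a host opening a new connection. The sample log combines three entries taken from the post with two constructed lines; the 203.0.113.5 and 192.0.2.10 addresses are documentation ranges, not real hosts.

```python
import ipaddress
import re

# One regex for the ipchains "Packet log:" line.  The flags group picks up the
# optional "SYN" marker that ipchains appends for TCP SYN packets.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) "
    r"\(#(?P<rule>\d+)\)$"
)

# RFC 3927 link-local block; Windows hands out an address here when DHCP fails.
APIPA = ipaddress.ip_network("169.254.0.0/16")
# NetBIOS name/datagram/session and direct-hosted SMB.
NETBIOS_SMB_PORTS = {137, 138, 139, 445}

# Constructed sample: the first three lines are from the post, the last two are
# made up to show the other classifications (documentation address ranges).
SAMPLE_LOG = """\
Oct 30 07:28:43 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=48 S=0x00 I=44492 F=0x4000 T=127 (#38)
Oct 30 07:28:46 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:4841 L=40 S=0x00 I=44520 F=0x4000 T=127 (#38)
Oct 30 07:34:53 gateway kernel: Packet log: output DENY eth0 PROTO=6 192.168.0.88:139 169.254.101.152:3130 L=48 S=0x00 I=45834 F=0x4000 T=127 (#38)
Oct 30 07:40:01 gateway kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:3012 192.168.0.88:139 L=48 S=0x00 I=10 F=0x4000 T=112 SYN (#12)
Oct 30 07:41:12 gateway kernel: Packet log: output ACCEPT eth0 PROTO=17 192.168.0.88:1025 192.0.2.10:53 L=60 S=0x00 I=4501 F=0x0000 T=127 (#3)
"""


def parse_line(line):
    """Parse one ipchains log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "chain": d["chain"], "verdict": d["verdict"],
        "iface": d["iface"], "proto": int(d["proto"]),
        "src": ipaddress.ip_address(d["src"]), "sport": int(d["sport"]),
        "dst": ipaddress.ip_address(d["dst"]), "dport": int(d["dport"]),
        "len": int(d["len"]), "ttl": int(d["ttl"]),
        "flags": d["flags"].split(), "rule": int(d["rule"]),
    }


def findings(rec):
    """Tag a parsed record with the properties worth noticing in this thread."""
    out = []
    if rec["dst"] in APIPA:
        out.append("dst-apipa")
    if rec["src"] in APIPA:
        out.append("src-apipa")
    if rec["proto"] == 6 and rec["sport"] in NETBIOS_SMB_PORTS and rec["dport"] >= 1024:
        # Well-known port on the source side: this is the server answering,
        # not the host initiating a session.
        out.append("smb-server-reply")
    elif rec["proto"] == 6 and rec["dport"] in NETBIOS_SMB_PORTS:
        out.append("smb-client-attempt")
    return out


def summarize(log_text):
    """Group records by (chain, src, dst, dport) with a hit count and findings."""
    table = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["chain"], str(rec["src"]), str(rec["dst"]), rec["dport"])
        entry = table.setdefault(
            key, {"count": 0, "sport": rec["sport"], "findings": findings(rec)})
        entry["count"] += 1
    return table


if __name__ == "__main__":
    for (chain, src, dst, dport), e in summarize(SAMPLE_LOG).items():
        print(f"{chain:6} {src}:{e['sport']} -> {dst}:{dport}  x{e['count']}  {e['findings']}")
```

Run against the posted entries, every output line groups under the same source port 139 and carries both dst-apipa and smb-server-reply, which is the first thing to check before deciding whether the DC is the client or the server in this exchange; the constructed inbound SYN from the documentation address classifies as a client attempt against port 139, the kind of external scan the firewall is expected to drop.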