Security Basics mailing list archives

RE: Suspicious network activity advice


From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Fri, 5 Jan 2007 08:36:00 +1000

If Dave's theory is correct, then any traffic capture that they did should
be able to be correlated with messages that would come up in event viewer.
Event IDs would be along the lines of 8021/8032/8033 and a few others that
I can't remember offhand.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of davestout () hotmail com
Sent: Thursday, January 04, 2007 10:55 PM
To: security-basics () securityfocus com
Subject: Re: Suspicious network activity advice

I'm pretty sure it's just NetBIOS refreshing its name database. With you
running a developer machine I'm suspecting that your machine has
inadvertently become the NetBIOS master browser for your network. NetBIOS
master browsers are normally the same machine as the Domain Controllers, but
in certain situations an error can occur when another machine takes over as
Master Browser after a browser election takes place. I had a similar problem
when a Unix developer machine became the NetBIOS master browser due to an
incorrectly configured machine. With this Unix machine not being in the
Windows domain, we found that a whole section of our network was not
reachable via NetBIOS name as the master browser is normally responsible for
updating the records in the Domain controller.

I no longer work for the company when I did the network traffic captures
that caught this behaviour so am doing this from memory, but I'm sure that
analysis of a network traffic capture would indeed show this error up in a
matter of minutes. Just amazes me sometimes that people don't bother to
capture network traffic as it normally contains the correct answers.

Good luck and you were wrongly suspended imho

dave

---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------
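Added example, not written by either poster: a small script that does the correlation Murda describes, lining up Browser-service events (8021/8032/8033) exported from Event Viewer against a capture summary of the NetBIOS browser traffic Dave says would show the problem, and then listing any host that announces itself as Master Browser without being a known domain controller. Everything here is assumed: the event messages are paraphrased rather than quoted from Windows, the capture lines are in a constructed tshark-style one-line format, the host names, addresses and the KNOWN_DCS set are made up, and the 2-minute correlation window is an arbitrary choice.

```python
import re
from datetime import datetime, timedelta

# Assumption: the hosts that are supposed to win browser elections (the domain controllers).
KNOWN_DCS = {"DC01"}

# Browser service event IDs named in the thread.
BROWSER_EVENT_IDS = {8021, 8032, 8033}

# Constructed Event Viewer export: "<date> <time> <event id> <message>".
# Messages are paraphrases for illustration, not the exact Windows wording.
SAMPLE_EVENTS = """\
2007-01-04 09:13:55 6005 The Event log service was started.
2007-01-04 09:14:02 8033 The browser has forced an election on network NetBT_Tcpip_EXAMPLE because a master browser was stopped.
2007-01-04 09:16:40 8021 The browser was unable to retrieve a list of servers from the browser master DEVBOX01.
2007-01-04 09:31:12 8032 The browser service has failed to retrieve the backup list too many times on transport NetBT_Tcpip_EXAMPLE.
"""

# Constructed capture summary, one frame per line: "<time> <src> -> <dst> <protocol> <info>".
SAMPLE_CAPTURE = """\
09:14:03.120 192.168.1.50 -> 192.168.1.255 BROWSER Browser Election Request
09:14:05.410 192.168.1.50 -> 192.168.1.255 BROWSER Local Master Announcement DEVBOX01, Workstation, Server, NT Workstation, Potential Browser, Master Browser
09:14:06.002 192.168.1.10 -> 192.168.1.255 BROWSER Host Announcement DC01, Workstation, Server, Domain Controller
09:20:10.001 192.168.1.50 -> 192.168.1.255 NBNS Refresh NB DEVBOX01<00>
09:31:13.500 192.168.1.50 -> 192.168.1.255 BROWSER Browser Election Request
"""

EVENT_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.*)$")
FRAME_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+) (\S+) -> (\S+) (\S+) (.*)$")
MASTER_RE = re.compile(r"Local Master Announcement (\S+?),")


def parse_events(text):
    """Turn the event export into dicts with a datetime, an integer id and the message."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append({"time": ts, "id": int(m.group(2)), "msg": m.group(3)})
    return events


def parse_capture(text, day):
    """Turn capture summary lines into dicts; 'day' (YYYY-MM-DD) supplies the missing date."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{day} {m.group(1)}", "%Y-%m-%d %H:%M:%S.%f")
        frames.append({"time": ts, "src": m.group(2), "proto": m.group(4), "info": m.group(5)})
    return frames


def correlate(events, frames, window=timedelta(minutes=2)):
    """For each Browser-service event, collect BROWSER frames seen within +/- window of it."""
    hits = []
    for ev in events:
        if ev["id"] not in BROWSER_EVENT_IDS:
            continue
        nearby = [f for f in frames
                  if f["proto"] == "BROWSER" and abs(f["time"] - ev["time"]) <= window]
        hits.append({"event": ev, "frames": nearby})
    return hits


def unexpected_masters(frames, known_dcs=KNOWN_DCS):
    """Map host name -> source IP for every Local Master Announcement from a non-DC host."""
    masters = {}
    for f in frames:
        m = MASTER_RE.search(f["info"])
        if m:
            masters.setdefault(m.group(1), f["src"])
    return {name: ip for name, ip in masters.items() if name not in known_dcs}


def name_refresh_sources(frames):
    """Count NBNS name refreshes per source; periodic refreshes are normal and only give context."""
    counts = {}
    for f in frames:
        if f["proto"] == "NBNS" and f["info"].startswith("Refresh"):
            counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    frames = parse_capture(SAMPLE_CAPTURE, "2007-01-04")
    for hit in correlate(events, frames):
        ev = hit["event"]
        print(f"{ev['time']} event {ev['id']}: {len(hit['frames'])} browser frame(s) nearby")
        for f in hit["frames"]:
            print(f"    {f['time'].time()} {f['src']} {f['info']}")
    print("master browsers that are not known DCs:", unexpected_masters(frames))
    print("NBNS refreshes per source:", name_refresh_sources(frames))
```

Run against real data, the event export would come from Event Viewer's System log filtered to source BROWSER, and the capture summary from whatever you used to print one line per frame; only the two regular expressions need adjusting to match those formats. A non-DC name in the unexpected_masters output is the condition Dave describes, and a Browser Election Request landing inside the window of an 8033 event is the correlation Murda expects to see.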


