Windows 2008 SP1 (standard standalone no AD) file sharing issue/question


  • Windows 2008 SP1 (standard standalone no AD) file sharing issue/question

    Hi guys,

    I am setting up Win 2008 SP1 as a standalone server.
    A while after I originally installed it I noticed some strange connections on my network.

    All coming from my server over port 139 to IP addresses 192.168.9.1 and 192.168.10.1 - those 2 IP addresses do not exist on my network at all.

    Those would happen every 2 seconds or so and would never stop. I have monitored my server for 3 days and those connections kept happening.

    I thought it might be a program on my server - so I started stopping applications, terminating exes running, and stopping services etc - nothing helped.

    Since my internal network is on 192.168.X.X I thought there might be a Trojan or something on my server. Did some scanning as well which revealed nothing.

    I decided to cut my losses and back up all my data and start again.
    So I reinstalled. I have checked for those weird connections early on after reinstall and they weren't there. So I went ahead starting to reinstall my apps, windows updates, etc. Eventually those connections came back.

    So I reinstalled again. This time deciding to stop and monitor my server after finishing Windows configuration. And again those connections came back. So now it was clear to me that those calls were made from within Windows and had nothing to do with my applications. Pretty weird I thought especially after doing a search on the net didn't find anyone asking questions about this.

    Anyway to cut the story short after investigating for a while it all came down to network settings and partially windows firewall.

    If I customize my network (under network settings) and make it private then file sharing is turned on (I allow it through the windows firewall). That is when my PC wants to connect to those IP addresses over port 139.

    If I manually turn OFF file sharing those connections do not show anymore.

    I can see the connections doing a netstat -a in cmd and via TCPView from Sysinternals.

    I have the pics below to show:

    Now I really would like to know why Windows is making (or trying to make) those connections. What are those IP addresses?
    How can I stop those connections from happening? (Turning file sharing off is not good enough as nobody can then get to the files on the server). It seems that using Windows firewall to block/allow file sharing has the same effect as enabling/disabling the setting manually.

    Can anyone replicate this behavior?

    Looking for help guys on this weird issue.

    Thanks
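An added example, not part of the original post: a small Python script that parses saved `netstat -ano` output and lists outbound port 139/445 connections whose peer is not in a known-host inventory, so repeated attempts like the ones described above can be tallied per remote address and owning PID. The sample snapshot, the local address 192.168.1.10, the PIDs and the inventory are constructed for illustration.

```python
import re
from collections import Counter

# Constructed `netstat -ano` snapshot; the local address 192.168.1.10 and the
# PIDs are made up, only the two remote IPs and port 139 come from the post.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49201     192.168.9.1:139        SYN_SENT        4
  TCP    192.168.1.10:49202     192.168.10.1:139       SYN_SENT        4
  TCP    192.168.1.10:49188     192.168.1.20:445       ESTABLISHED     4
  TCP    192.168.1.10:49190     192.168.1.1:139        TIME_WAIT       0
  UDP    0.0.0.0:137            *:*                                    4
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_tcp(text):
    """Return one dict per TCP row of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            local, lport, remote, rport, state, pid = m.groups()
            rows.append({"local": local, "lport": int(lport), "remote": remote,
                         "rport": int(rport), "state": state, "pid": int(pid)})
    return rows

def unexpected_outbound(text, known_hosts, ports=(139, 445)):
    """Outbound NetBIOS/SMB connections whose peer is not a known host."""
    return [(r["remote"], r["rport"], r["state"], r["pid"])
            for r in parse_tcp(text)
            if r["state"] != "LISTENING" and r["rport"] in ports
            and r["remote"] not in known_hosts]

def tally(snapshots, known_hosts):
    """Count sightings per (remote, port, pid) across repeated snapshots."""
    counts = Counter()
    for snap in snapshots:
        for remote, port, _state, pid in unexpected_outbound(snap, known_hosts):
            counts[(remote, port, pid)] += 1
    return counts

if __name__ == "__main__":
    known = {"192.168.1.1", "192.168.1.20"}  # hypothetical inventory
    for hit in unexpected_outbound(SAMPLE, known):
        print(hit)
```

The PID column comes from the `-o` switch; `tasklist /FI "PID eq <pid>"` maps it to a process name.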

  • #2
    Re: Windows 2008 SP1 (standard standalone no AD) file sharing issue/question

    Those IP addresses are non-routable IP addresses on the internet.
    Are you sure that no one has those IP addresses on your internal segment and/or via VPNs?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Windows 2008 SP1 (standard standalone no AD) file sharing issue/question

      Hi, thanks for your reply.

      I know the IPs are not routable. They are all within the subnet I am running on my network but no device has those IPs assigned - I know this for a fact.

      Furthermore, as I have said before, regardless of whether those IPs exist or not, the traffic seems to originate from the freshly installed server.

      I am very curious if anyone can duplicate this issue.



      • #4
        Re: Windows 2008 SP1 (standard standalone no AD) file sharing issue/question

        Have you tried disabling IPv6? I know it's not an IPv6 address but you never know.



        • #5
          Re: Windows 2008 SP1 (standard standalone no AD) file sharing issue/question

          Hi,

          Yes just tried that. Made no difference at all. Same issue.



          • #6
            Re: Windows 2008 SP1 (standard standalone no AD) file sharing issue/question

            Is this a private network (as in a home one), test network or a production network? If production, see if anyone has a wireless connection on their laptop that is broadcasting DHCP addresses.
            1 1 was a racehorse.
            2 2 was 1 2.
            1 1 1 1 race 1 day,
            2 2 1 1 2
