Curious network activity over port 445

(OP)
Hello All,
So I have noticed some odd behavior on our main LAN that is trying to talk out to another subnet that doesn't exist. This may have been a subnet that existed before I was hired on. It is trying to talk via 445 from a ton of PCs on our network. The first screenshot is of our firewall blocking the traffic as it doesn't know where to route it. The second screenshot is wireshark from a PC that is trying to talk to 192.168.5.10 via 445. I don't really see any other funky activity other than these. It seems sporadic in when it tries to reach out to this ghost network. We have antivirus company wide, I have ran rkill, tdsskiller, and MBAM against multiple machines and nothing comes up. Am I chasing something that is legit but configured incorrectly? Is it just a 445 request so the AV is ignoring? I'm not sure what program to run to see exactly what service/executable is calling the 445 request. Any thoughts?

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.

RE: Curious network activity over port 445

(OP)
I did just catch this with a netstat -b which points to a MS operation. The 192.168.100.x and 192.168.101.x are subnets for our Blade servers and NAS to talk on. Not sure why this PC would be interested in it though.

I've looked at Autoruns and don't see anything fishy there either.


RE: Curious network activity over port 445

>Can not obtain ownership information

That's fishy. Do a malware scan or something. There is an item messing with your ports, or something just malfunctioned, I don't know. When I check my ports it never does that. Something you downloaded may have made your TCP listening ports 192.168.100.x and 192.168.101.x, but that is the only thing I can think of.

Sincerely,
Bob Space

RE: Curious network activity over port 445

Well, SYN-SENT is a request for connection (which fails, as it's blocked by your firewall), so further SYN segments are sent. So you could look for what process is responsible for retransmitting the SYN segments.

Perhaps use Sysinternals/TechNet's Process Monitor (ProcMon) with 2 filters set: 1) Event Class > is > Network > Include and; 2) Operation > is > TCP Retransmit > Include... then start a capture. (I would set ProcMon to Drop Filtered Events to reduce swapfile usage.)

Perhaps even easier is to use Nir Sofer's CurrPorts then use F9 to open Advanced Filters and add include:local:tcp:445 as a filter then, in Options > State Display Filter set it to only Display Syn-Sent.

Hope this helps...
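As an added example (not code from the thread or from either poster), the following PowerShell script does what the OP asked for in the opening post and what the reply above describes: it catches sockets in the SYN_SENT state towards 192.168.5.10:445 and maps each one to its owning process, and it also turns on Windows Filtering Platform connection auditing so that every outbound connect() to that destination is recorded in the Security log (events 5156/5157) with the process path, which still works when a polling tool misses the short-lived socket. The address and port come from the thread; the function names, the polling interval, and the assumption of Windows 8 / Server 2012 or later with an elevated shell are mine.

```powershell
# Added example, not from the original thread.
# Assumes Windows 8 / Server 2012+ (NetTCPIP module) and an elevated PowerShell.
# The destination is the one reported in the thread; function names are mine.

param(
    [string]$RemoteAddress = '192.168.5.10',
    [int]$RemotePort = 445
)

# 1) Enable Windows Filtering Platform connection auditing. Event 5156 (permitted)
#    / 5157 (blocked) is written by the local host at connect() time and names the
#    owning process, so an attempt is logged even if an upstream firewall later
#    drops the SYN and the socket never leaves SYN_SENT.
function Enable-WfpConnectionAudit {
    auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable | Out-Null
}

# 2) Tight poll of the TCP table for SYN_SENT sockets to the target.
#    A SYN_SENT socket exists only until the retransmit timer gives up, so the
#    interval must be short to catch OwningProcess while the socket is there.
function Watch-SynSent {
    param([int]$Seconds = 300, [int]$IntervalMs = 200)
    $seen = @{}
    $stop = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $stop) {
        Get-NetTCPConnection -State SynSent -RemoteAddress $RemoteAddress `
                             -RemotePort $RemotePort -ErrorAction SilentlyContinue |
            ForEach-Object {
                $key = "$($_.LocalPort)"              # one hit per source port
                if (-not $seen.ContainsKey($key)) {
                    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                    $seen[$key] = [pscustomobject]@{
                        Time    = Get-Date
                        Pid     = $_.OwningProcess
                        Process = $p.ProcessName
                        Path    = $p.Path
                        Local   = "$($_.LocalAddress):$($_.LocalPort)"
                    }
                    $seen[$key]
                }
            }
        Start-Sleep -Milliseconds $IntervalMs
    }
}

# 3) Read the audit trail afterwards: every outbound connect() to the target with
#    the process that issued it, including attempts the poll above missed.
#    Direction %%14593 is "Outbound" in the 5156/5157 event data.
function Get-WfpConnectAttempts {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 5156, 5157; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.DestAddress -eq $RemoteAddress -and $d.DestPort -eq "$RemotePort" -and $d.Direction -eq '%%14593') {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Event  = $_.Id
                Pid    = $d.ProcessID
                Path   = $d.Application      # NT device path, e.g. \device\harddiskvolume2\...
                Source = "$($d.SourceAddress):$($d.SourcePort)"
            }
        }
    }
}

Enable-WfpConnectionAudit
Watch-SynSent -Seconds 600
Get-WfpConnectAttempts | Sort-Object Time | Format-Table -AutoSize
```

Run it on one of the affected PCs and leave it for at least as long as the gap between two firewall denies, since the thread says the attempts are sporadic. If the path that comes back is svchost.exe, the PID alone does not tell you which service; `tasklist /svc /fi "PID eq <pid>"` lists the services hosted in that process, which narrows a "MS operation" from netstat -b down to a specific service. The 5156 Application field is an NT device path rather than a drive letter, so compare it to the output of `Get-Process` rather than to a C:\ path directly.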

RE: Curious network activity over port 445

(OP)
@iambob - I listed above all of the AV/AM I ran before posting here. Ran rkill, tdsskiller, MBAM, and two different AV scans but nothing pops.

@Rick998 - I tried ProcMon but not with the filters as you list. Will give that a shot after CurrPorts, which is currently running. I love NirSoft, they have everything...


RE: Curious network activity over port 445

(OP)
@Rick998 - Well, I tried with CurrPorts and it never saw the traffic regardless of what filters I had enabled. I am trying with ProcMon now but it doesn't appear to see the traffic either. I can see on my firewall when the calls are being attempted and then getting denied, but the call is at least leaving the host PC, so I would think I would see that in either program.


RE: Curious network activity over port 445

(OP)
@Rick998 - Even tried ProcMon with just the first filter and did an F4 for 192.168 and nothing showed, even though my firewall states it tried to connect twice. I am even more confused now.


RE: Curious network activity over port 445

@DrB0b - My apologies, but I don't know what else to suggest... except perhaps looking at stored ARP tables and, on a test device, flushing its ARP cache, then monitoring any further port 445 activity.

Hope this helps...

RE: Curious network activity over port 445

(OP)
@Rick998 - Yeah, this is a stumper for sure. I'm half tempted to create this ghost subnet with a new PC/VM and open it between a known clean PC and it to see the traffic actually go all the way through and catch it on the other end to see what it is requesting. Other than that, I'm about out of ideas. Thanks for the assistance either way.

