DS Packets Flooding the Network

By Baadil
Hi,

On my network I have a few Win2K Pro machines flooding the network with packets going to the DC. I am attaching a couple of packets captured with a sniffer. Mainly, I see a packet of CIFS/SMB type which contains only a few bytes of actual data and the rest is all padding. Then after that, I see 10-11 packets which have even less data and more padding. These additional packets show that they are SMB continuations of the first frame. This continues on and keeps flooding the network.

Could someone please help me find out what these packets are all about and how I get rid of them?
Thank you.

Frame  Status  Source         Destination     Bytes  Rel Time  Delta Time  Abs Time                Summary
-----------------------------------------------------------------------------------------------------------------------------------
1      M       [192.168.5.2]  [192.168.20.3]  1514   0:00      0.000.000   11/03/2003 05:41:47 PM  CIFS/SMB: C Write AndX H=C017 Bytes=16580, Start
DLC: ----- DLC Header -----
DLC:
DLC: Frame 1 arrived at 17:41:47.0858; frame size is 1514 (05EA hex) bytes.
DLC: Destination = Station BellSy4515BE
DLC: Source = Station 333802A2D9
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = ECT bit - transport protocol will ignore the CE bit
IP: .... ...0 = CE bit - no congestion
IP: Total length = 1500 bytes
IP: Identification = 30871
IP: Flags = 4X
IP: .1.. .... = don't fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 128 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = 272E (correct)
IP: Source address = [192.168.5.2]
IP: Destination address = [192.168.20.3]
IP: No options
IP:
(More of Packet in comments)


by Baadil In reply to DS Packets Flooding the N ...

TCP: ----- TCP header -----
TCP:
TCP: Source port = 3832
TCP: Destination port= 445 (Microsoft-DS)
TCP: Sequence number = 1895855554
TCP: Next expected Seq number= 1895857014
TCP: Acknowledgment number = 1073668041
TCP: Data offset = 20 bytes
TCP: Reserved Bits: Reserved for Future Use (Not shown in the Hex Dump)
TCP: Flags = 10
TCP: ..0. .... = (No urgent pointer)
TCP: ...1 .... = Acknowledgment
TCP: .... 0... = (No push)
TCP: .... .0.. = (No reset)
TCP: .... ..0. = (No SYN)
TCP: .... ...0 = (No FIN)
TCP: Window = 63373
TCP: Checksum= 9CCB (correct)
TCP: Urgent pointer = 0
TCP: No TCP options
TCP: [1460 Bytes of data]
TCP:
SMBTCP: ----- CIFS TCP Transport header -----
SMBTCP:
SMBTCP: Reserved (MBZ)= 0
SMBTCP: SMB Packet Length= 16644
SMBTCP:
SMB: Vector  Offset  Length  Frame
SMB: ----------------------------------
SMB:   0     0x003A  1456    1
SMB:   1     0x003A  1456    2
SMB: ----------------------------------

SMB: 2**2 bytes of re-assembled data.
SMB:
SMB: ----- SMB (CIFS) Write AndX Command header -----
SMB:
SMB: SMB Constant
SMB: Command= 2F (Write AndX)
SMB: Reserved = 0
SMB: Flags = 18
SMB: 0... .... = Client Command
SMB: ..0. .... = No Opportunistic file Locking
SMB: ...1 .... = Pathnames are already in canonicalized format
SMB: .... 1... = Pathnames should be treated as caseless
SMB: .... ..0. = Send.No.Ack can not be used as a response
SMB: .... ...0 = Doesn't support Lock&Read, Write&Unlock
SMB: Flags2 = C807


by Baadil In reply to DS Packets Flooding the N ...

SMB: 1... .... .... .... = STRING type is UNICODE
SMB: .1.. .... .... .... = 32-bit NT status code
SMB: ..0. .... .... .... = No Paging IO
SMB: ...0 .... .... .... = No DFS support
SMB: .... 1... .... .... = Client aware of extended security
SMB: .... .... .... .1.. = Use message authentication
SMB: .... .... .... ..1. = Client supports extended attributes
SMB: .... .... .... ...1 = Client supports Long file names
SMB: Process ID (High) = 0000 (Complete PID = 0000FEFF)
SMB: Security Signature = A87B7201124E6ED1
SMB: Reserved (MBZ) = 0000
SMB: Tree ID= 200C
SMB: Process ID = FEFF
SMB: Unauth User ID = D800
SMB: Multiplex ID= 7CC1
SMB:
SMB: ----- Write AndX Header -----
SMB:
SMB: Word count = 14
SMB: Parameter words = FF00DEDE17C0F4490300FFFFFFFF010000000000C44040000000
SMB: Byte Count = 16581
SMB: Byte parameters = EE00000000000000000000000000000000000000000000000000
SMB: AndX command= FF (End of chain)
SMB: AndX reserved(MBZ) = 00
SMB: AndX offset= DEDE
SMB: File handle = C017
SMB: Starting at file offset = 215540
SMB: Timeout = Indefinite wait
SMB: Write mode = 0001
SMB: .... .... .... 0... = Not start of message (pipes only)
SMB: .... .... .... .0.. = Don't use WriteRawNamedPipe (pipes only)
SMB: .... .... .... ..0. = Don't return smb_remaining (pipes/devices only)
SMB: .... .... .... ...1 = Complete write before return
SMB: Count left= 0
SMB: Reserved(MBZ)= 0000
SMB: Bytes in this buffer = 16580
SMB: Relative offset of data = 64
SMB: Starting offset(MSL) = 0
SMB: 64-bit start offset = 215540
SMB: Byte Count = 16581
SMB: Data = 000000000000000000000000000000000000000000000000000000000000
SMB:
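
The decode above can be checked arithmetically rather than by eye. The following is an added example, not code from the thread: it rebuilds the Write AndX request from the field values Sniffer printed (FID C017, file offset 215540, 16580 data bytes, one 0xEE pad byte, zero-filled data, the TID/UID/MID and signature from the header) and parses it back with a small SMB1 parser. The "data" content is assumed to be all zeros beyond the first bytes the decode shows, and the 1460-byte TCP payload per frame is taken from the 1514-byte frame size in the capture.

```python
"""Reconstruct and parse the SMB1 Write AndX request from the Sniffer decode.

Added example for the thread above, not the poster's code. Field values come
from the decode; the data block is assumed to be 16580 zero bytes throughout.
"""
import struct

SMB_HEADER_LEN = 32
TCP_PAYLOAD_PER_FRAME = 1460   # 1514-byte Ethernet frame minus 14 + 20 + 20 header bytes
WRITE_ANDX_PARAMS = "<BBHHIIHHHHHI"  # 14 parameter words, little-endian, per MS-CIFS


def build_write_andx_request(fid=0xC017, offset=215540, data=b"\x00" * 16580,
                             tid=0x200C, uid=0xD800, mid=0x7CC1, pid=0xFEFF):
    """Constructed request carrying the values shown in the decode."""
    header = (b"\xffSMB" + bytes([0x2F])            # Command 2F = Write AndX
              + struct.pack("<I", 0)                  # NT status (zero in a request)
              + bytes([0x18])                         # Flags = 18
              + struct.pack("<H", 0xC807)             # Flags2 = C807
              + struct.pack("<H", 0)                  # PID high
              + bytes.fromhex("A87B7201124E6ED1")     # security signature from the decode
              + struct.pack("<H", 0)                  # reserved (MBZ)
              + struct.pack("<HHHH", tid, pid, uid, mid))
    assert len(header) == SMB_HEADER_LEN
    word_count = 14
    # header + WordCount byte + 28 parameter bytes + ByteCount word + 1 pad byte = 64
    data_offset = SMB_HEADER_LEN + 1 + word_count * 2 + 2 + 1
    params = struct.pack(WRITE_ANDX_PARAMS,
                         0xFF, 0x00, 0xDEDE,          # AndXCommand (end of chain), reserved, AndXOffset
                         fid,
                         offset & 0xFFFFFFFF,         # low 32 bits of the file offset
                         0xFFFFFFFF,                  # timeout: indefinite wait
                         0x0001,                      # write mode: complete write before return
                         0,                           # remaining (count left)
                         (len(data) >> 16) & 0xFFFF,  # shown as Reserved(MBZ); DataLengthHigh in MS-CIFS
                         len(data) & 0xFFFF,          # bytes in this buffer
                         data_offset,                 # relative offset of data
                         offset >> 32)                # starting offset (MSL)
    body = b"\xEE" + data                              # pad byte, then the write payload
    smb = header + bytes([word_count]) + params + struct.pack("<H", len(body)) + body
    # NetBIOS session header: one zero (MBZ) byte followed by a 24-bit length
    return struct.pack(">I", len(smb)) + smb


def parse_write_andx(packet):
    """Return the Write AndX fields and how the message fragments over TCP."""
    (nbt_len,) = struct.unpack(">I", packet[:4])
    smb = packet[4:4 + nbt_len]
    if smb[:4] != b"\xffSMB" or smb[4] != 0x2F:
        raise ValueError("not an SMB1 Write AndX message")
    tid, pid, uid, mid = struct.unpack("<HHHH", smb[24:32])
    word_count = smb[32]
    if word_count != 14:
        raise ValueError("unexpected word count %d" % word_count)
    p = struct.unpack(WRITE_ANDX_PARAMS, smb[33:33 + 28])
    fid, off_low, timeout, mode, remaining, len_high, len_low, data_off, off_high = p[3:]
    (byte_count,) = struct.unpack("<H", smb[61:63])
    data_len = (len_high << 16) | len_low
    data = smb[data_off:data_off + data_len]
    wire_len = 4 + nbt_len                              # NBT header + SMB message on the TCP stream
    segments = -(-wire_len // TCP_PAYLOAD_PER_FRAME)    # ceiling division: frames needed
    return {
        "tid": tid, "pid": pid, "uid": uid, "mid": mid, "fid": fid,
        "file_offset": (off_high << 32) | off_low,
        "timeout_indefinite": timeout == 0xFFFFFFFF,
        "write_through": bool(mode & 1),
        "data_length": data_len,
        "byte_count": byte_count,
        "smb_length": nbt_len,
        "tcp_segments": segments,
        "zero_fraction": data.count(0) / len(data) if data else 0.0,
    }


if __name__ == "__main__":
    info = parse_write_andx(build_write_andx_request())
    for key, value in info.items():
        print("%-18s %s" % (key, hex(value) if key in ("tid", "pid", "uid", "mid", "fid") else value))
```

With the page's values the parser reports an SMB length of 16644 (matching "SMB Packet Length"), a byte count of 16581 (the pad byte plus 16580 data bytes), and 12 TCP segments for the 16648 bytes on the wire, which is the first 1514-byte frame plus the 11 "continuation" frames the poster counts. The zero fraction of 1.0 says the "padding" is the payload itself: the client is writing a 16 KB block of zeros at file offset 215540 to a file it has open on the DC (tree 200C, handle C017), and each further write in the flood is another such block. On the DC, `net file` lists the files currently open over shares and the user holding them, which narrows down which file and which account the handle belongs to; which process on the workstation issues the writes still has to be found on the workstation.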


by Joseph Moore In reply to DS Packets Flooding the N ...

I am going with a viral infection on your workstations, but probably not Blaster or Welchia. Blaster used source ports 666 or 4177, not what you have listed as a source port. But yes, there are port 445 viruses/trojans. Randex was one. An IRC/Flood was another. Another was the Deloader worm. Go here for port 445 info from SANS:
http://isc.sans.org/port_details.html?port=445

So, I would do fully updated antivirus scans of the workstations and the server, make sure everything is also current on patches, check for spyware.

Good luck.


by Baadil In reply to

Unfortunately, after the checks I did not see any infections.

Thank you.


by Kinetechs In reply to DS Packets Flooding the N ...

Hi,
Joe is right on the money!

Network Associates (www.nai.com) has a free product called Stinger. It's a great tool, fits on a floppy, and will scan the machine for various infections then remove them. Do a search on their site and download it. Booting in Safe Mode and running Stinger will bypass most of the infections.

Make sure you do a bit of research on each bug it finds. That way, you can plug the hole behind you. Sometimes you need to patch the machine and sometimes it's something as simple as a weak admin password...at the domain level or locally.

Good luck,
Sean


by Baadil In reply to

Thank you for your reply, but the system came out clean. No infections.


by Baadil In reply to DS Packets Flooding the N ...

This question was closed by the author
