Okay, we just got a 3Com OfficeConnect router. I have been looking through the logs and there is a mysterious IP trying to access the internet:
IP spoof detected 192.168.0.48, 137, LAN 64.49.216.149, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 12:41:10.528
IP spoof detected 192.168.0.48, 137, LAN 205.158.35.113, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 13:00:27.256
IP spoof detected 192.168.0.48, 137, LAN 208.34.32.7, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 13:04:22.112
IP spoof detected 192.168.0.48, 137, LAN 64.49.216.149, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 13:51:57.384
This is just one of them, we get about 3-4 a day. This 192.168.0.48 is out of our range of addresses that we assign. We assign 192.168.0.70-95 for printers and 192.168.0.100-200 for users. Another odd thing is every address this .48 tries to contact has no DNS or name records on the internet. As you can see it is using port 137, which is NetBIOS, and I have heard that worms use this to access the internet?
Any help on this quandary would be greatly appreciated, Thanks
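
One way to triage entries like these, as an added example that is not part of the original post: parse each router log line, flag LAN sources outside the assigned ranges given above, and group them by IP and MAC so the device can be traced on the switch or in the DHCP table. The function names and the MM/DD/YYYY date reading are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import IPv4Address

# Assigned ranges as stated in the post (inclusive): printers, then users.
ASSIGNED = [(IPv4Address("192.168.0.70"), IPv4Address("192.168.0.95")),
            (IPv4Address("192.168.0.100"), IPv4Address("192.168.0.200"))]

LINE_RE = re.compile(
    r"IP spoof detected (?P<src>[\d.]+), (?P<sport>\d+), LAN "
    r"(?P<dst>[\d.]+), (?P<dport>\d+), WAN MAC address: "
    r"(?P<mac>[0-9A-Fa-f.]+) (?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+)")

# The four log lines quoted in the post.
LOG = """\
IP spoof detected 192.168.0.48, 137, LAN 64.49.216.149, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 12:41:10.528
IP spoof detected 192.168.0.48, 137, LAN 205.158.35.113, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 13:00:27.256
IP spoof detected 192.168.0.48, 137, LAN 208.34.32.7, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 13:04:22.112
IP spoof detected 192.168.0.48, 137, LAN 64.49.216.149, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 13:51:57.384
"""

def parse(line):
    """Return one log line as a dict, or None if it is not a spoof entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = IPv4Address(rec["src"])
    rec["mac"] = rec["mac"].replace(".", ":").lower()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %H:%M:%S.%f")  # assumes MM/DD/YYYY
    return rec

def is_assigned(ip):
    return any(lo <= ip <= hi for lo, hi in ASSIGNED)

def unassigned_sources(text):
    """Group entries whose LAN source is outside the assigned ranges by (ip, mac)."""
    hosts = defaultdict(lambda: {"count": 0, "dsts": set(), "times": []})
    for rec in filter(None, map(parse, text.splitlines())):
        if is_assigned(rec["src"]):
            continue
        h = hosts[(str(rec["src"]), rec["mac"])]
        h["count"] += 1
        h["dsts"].add(rec["dst"])
        h["times"].append(rec["ts"])
    return dict(hosts)

if __name__ == "__main__":
    for (ip, mac), h in unassigned_sources(LOG).items():
        print(ip, mac, h["count"], sorted(h["dsts"]), min(h["times"]), max(h["times"]))
```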