Make a backup of your lmhosts file, and remove the outer urls in your lmhosts file. Restart your server.
If I do a nbtstat -C on my pdc, it'll give me
NetBIOS Remote Cache Name Table
Name Type Host Address Life [sec]
--------------------------
218.106.114.212 <00> UNIQUE 218.106.114.212 420
222.47.94.18 <00> UNIQUE 222.47.94.18 540
MS-100 <00> UNIQUE 10.0.0.246 300
JSPNRMPTGSBSSDI<52> UNIQUE 10.0.0.2 -1
DDP3G741 <00> UNIQUE 10.0.0.244 240
MTLACCOUNTING <03> UNIQUE 10.0.0.3 540
RECKZIEGELK <03> UNIQUE 10.0.0.247 300
I noticed an entry for JSPNRMPTGSBSSDI for the 10.0.0.2 IP address in the lmhosts file with a #PRE flag. If I look at the modified date, it is a long time ago when the network was built and I was not the administrator of this network. Why would the old guy put a strange name-to-IP like that?...for testing? 10.0.0.2 is the IP address of my PDC, which has another name.
I don't know where 218.106.114.212 and 222.47.94.18 come from though. All other names are fine, they are client/server names in my network.
Is it normal to see outside IPs in the cache? In what situation would I see that?
My server is configured as an Exchange 5.5 server, proxy server, dns server file/print server... I know, it is not good to have all the services in there, but this is a Small Business version of NT.
It was also upgraded to Terminal Server Edition... the terminal services are obviously disabled because it was not secure.
In my firewall logs, I can see that requests on port 25 (SMTP) are made throughout the day for those 2 external IPs... so my mail server connects to their mail server on port 25. I know that my users don't send messages in the night.
I did a WhoIs on those IPs and it gives me something that is located in China for both...
Makes me think that it is a Spam problem... but again, my mail server is not open relay.
Hope you can clarify things for me!!!
LMHOSTS file is used to Locate Multiple Preferred Logon Servers
http://support.microsoft.c
Here is what I know on the netbios name cache you are looking at.
When a machine makes an outbound or receives an inbound netbios connection, both machines would have an entry in their netbios name cache. The Life [sec] column counts down from 600 seconds from the connection taking place. So, in your posted example, your mail server received a netbios connection either from or to 218.106.114.212 2 minutes before you ran the nbtstat -c command.
Now, this also includes not only a drive mapping/accessing a shared folder, but even doing a netbios name lookup. So, from a port standpoint, this includes TCP port 139 and/or 445, AND UDP port 137 and 138. Those are all of the netbios ports (well, technically, TCP port 445 is SMB, but it works the same).
So, that is the deal.
Can you have a connection in the netbios cache that resolves to a machine outside of your LAN? Yes. Sure. If you do a netbios connection on an outside machine, or if you let the outside machine look at your server, then that's gonna record in the netbios cache.
Now, to think about exactly why you have these two entries in your Exchange server. I have to ask if this Exchange server is properly firewalled from the Internet? Do you let any Internet-based machines connect to the Exchange server on the ports I listed above? If so, then that would explain it.
Now, I don't run Exchange (I'm in a Domino shop) so I don't know how Exchange works exactly, but I do know that Windows can act strange at times. I know that sometimes an IIS web server will do a reverse netbios lookup on clients that connect to it via HTTP. I've seen it myself. Weird, yes, but it does it. Also, 3rd party apps on a Windows machine also indirectly make Windows act that way. For example, a Winamp Streaming server, when you first connect to it, will cause the Windows machine it is running on to do a netbios name lookup. I've seen that myself also.
So, maybe that is all that is going on. Maybe your Exchange server is either sending mail to those 2 IP addresses, or receiving mail from them, and in the process it is doing the netbios name lookups against them AND they are responding. Or, like I said before, maybe your Exchange server is not properly firewalled and those IP addresses are checking your server out!
Anyway, that's what I see here.
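Added example, not part of the original thread: a small Python parser for `nbtstat -c` output that flags cached entries whose host address lies outside private ranges and entries with a Life of -1, which is how the #PRE entry in the question appears. The sample rows are copied from the question; the function names and finding labels are illustrative.

```python
import ipaddress
import re

# Rows copied from the nbtstat -c output quoted in the question above.
SAMPLE = """\
Name Type Host Address Life [sec]
--------------------------
218.106.114.212 <00> UNIQUE 218.106.114.212 420
222.47.94.18 <00> UNIQUE 222.47.94.18 540
MS-100 <00> UNIQUE 10.0.0.246 300
JSPNRMPTGSBSSDI<52> UNIQUE 10.0.0.2 -1
DDP3G741 <00> UNIQUE 10.0.0.244 240
MTLACCOUNTING <03> UNIQUE 10.0.0.3 540
RECKZIEGELK <03> UNIQUE 10.0.0.247 300
"""

# name, <suffix>, UNIQUE/GROUP, IPv4 host address, remaining life in seconds
ROW = re.compile(
    r"^(?P<name>.+?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+(?P<type>UNIQUE|GROUP)"
    r"\s+(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<life>-?\d+)\s*$"
)

def parse_cache(text):
    """Return one dict per cache row; headers and separators are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m["addr"])
        except ValueError:
            continue  # e.g. an octet above 255 in damaged output
        entries.append({"name": m["name"], "suffix": m["suffix"].upper(),
                        "type": m["type"], "addr": addr, "life": int(m["life"])})
    return entries

def review(entries):
    """Flag entries an administrator would want to explain."""
    findings = []
    for e in entries:
        if not e["addr"].is_private:
            findings.append((e["name"], str(e["addr"]), "external address"))
        if e["life"] == -1:
            findings.append((e["name"], str(e["addr"]), "static entry (life -1)"))
    return findings

if __name__ == "__main__":
    for finding in review(parse_cache(SAMPLE)):
        print(*finding, sep="  ")
```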
I blocked those 2 strange IPs at my firewall.
My mail server is actually trying to send things on port 25 at those 2 IPs.
If you look at http://www1.dshield.org/wa
I've had about 800 outgoing requests to those 2 IPs in the past 2 days.
All NetBios Ports are blocked at my firewall. Actually, only the ports required for regular services are allowed out or in. Everything else is denied by default. I don't use any streaming or particular program. Exchange only requires port 25 and 110 for our use.
This seems to be a Spam or something problem. I don't know how, but my server is trying to initiate an outbound connection to those 2 IPs.
Did you study this url http://www.tryware.dk/Engl
It could be a malware on one of your computers.
by: trywaredk, Posted on 2004-05-11 at 14:27:13, ID: 11044853
Cleaning your computer - and protecting it in the future - can't be answered with one issue.
ish/Knowledgebase/HowToProtectYourComputer.html
As you can see in my url below there are at least 7 different issues, where you should decide 1 of each, or else you don't protect your computer at all.
The reason is, that the many different programs don't always protect against each other, and each of them doesn't protect equally.
It's very important, that you study all of these issues in my knowledgebase (some of them are freeware):
http://www.tryware.dk/Engl
BTW: I'm using the Trend Micro virus-suite, and SoftScan, and haven't got any of my servers or computers infected since 1999.
Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark
:o) Your brain is like a parachute. It works best when it's open