trojan81

SMB connection keeps getting established automatically

Experts,

My Windows 7 IP is 10.10.224.51.
I have a decoy Windows Server 2008 with IP 10.10.41.26. I call it a decoy server because it is running an emulator that will alert if anyone connects to any TCP/UDP service.

When I first brought online the decoy, from my workstation I connected via smb by going to //10.10.41.26

Now, every time I boot my computer or get a new IP address at another location within our LAN, I get an alert that my PC made a tcp/445 connection to the decoy.  I have no idea where it is coming from. I have no mapped drives to the decoy.

This is the NBT stat:
C:\Users\pc>netstat -ano | findstr 445
  TCP    10.10.224.51:62290     10.10.41.26:445        ESTABLISHED     4


Any ideas? It appears this connection is persistent.
Dave Baldwin

Apparently, NetbiosSmb (NetBIOS over SMB) is used in place of NetBIOS over TCP for device and computer discovery on the network.  https://support.microsoft.com/en-us/kb/204279
trojan81

ASKER

Dave, thanks for the comment, but I don't see how this addressed my question.
Even this morning when I came into the office and docked my pc, I got an alert that my PC made a tcp/445 connection to this decoy server.  Something is automatically happening in the background and I don't know where to look. I have already rebooted both my pc and the decoy server so how could this connection remain persistent?
It directly addresses your question.  That port is being used by Windows for 'discovering' the computers on the network.  That happens automatically throughout the day.  SMB is a service provided on the same port as Microsoft-DS (Directory Service).
Maybe I didn't explain my problem correctly.  The decoy server seems to only be detecting my computer making an SMB connection.  Each time I get a new IP address (when I move around the network), I get an alert that I made an SMB connection to the decoy.
We have 1500 other windows 7 workstations that are not doing this to the decoy server.

If I walk over to another building right now and plug my pc in, I will pull a new IP address, and within 30 seconds I will get an alert fired off from the decoy server that my pc made a connection to it on 445.
I think you are confusing a 'normal' condition with a problem.  Click on "Request Attention" to get others to look at your question.
Can someone else take a stab at it?

Each time I connect my computer to the network, a netstat shows that it has established a 445 connection to this decoy server.  It seems like I have a persistent connection setup somewhere but I can't see where.  I have no mapped drives to this server. How is it that it always automatically connects?
They might if you would click on "Request Attention" above.   That's what it's there for.
Windows checks all machines it recently accessed if they are still offering SMB service.
Open up a command window and issue the command "net use" and see if it shows a connection to that machine.

I also think gheist is correct, once you connect from a Windows machine to another machine using SMB, it will attempt to connect each time you boot-up/logon.

You may want to search through your registry for the IP address 10.10.41.26 or the computer name of that computer.
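
The checks suggested above (`net use` and a registry search for the address), written out as an added PowerShell example that is not part of the original thread. The registry paths are standard per-user Windows locations picked for this example as assumptions; the thread itself names none.

```powershell
# Added example: hunt for cached references to a host the SMB client keeps contacting.
# $Target is the decoy's address from the thread; the registry paths below are standard
# per-user Windows locations chosen for this example, not ones named in the thread.
$Target = '10.10.41.26'

# 1. Current TCP/445 sessions to the target (netstat parsing works on Windows 7 / PS 2.0).
netstat -ano | Select-String -SimpleMatch "$($Target):445" | ForEach-Object {
    $f = ($_.Line.Trim() -split '\s+')
    New-Object PSObject -Property @{
        Local = $f[1]; Remote = $f[2]; State = $f[3]; OwningPid = $f[4]
    }
} | Format-Table -AutoSize

# 2. SMB sessions known to the workstation service, including ones without a drive letter.
net use

# 3. Per-user registry locations that remember UNC paths and mapped drives.
$keys = @(
    'HKCU:\Network',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths'
)
$needle = [regex]::Escape($Target)
foreach ($root in $keys) {
    if (-not (Test-Path $root)) { continue }
    $items = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $items) {
        # Match on the key name itself (MountPoints2 encodes \\host\share as ##host#share)
        if ($k.Name -match $needle) { "KEY    $($k.Name)" }
        # ... and on every value name and value data under the key
        foreach ($v in $k.GetValueNames()) {
            $data = [string]$k.GetValue($v)
            if ($v -match $needle -or $data -match $needle) {
                "VALUE  $($k.Name) :: $v = $data"
            }
        }
    }
}
```

Run it as the affected user, since every path searched is under HKCU; to search by computer name instead of IP, set `$Target` to that name.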
Giltjr,

regarding your statement:  "once a windows machine connects to another windows machine via SMB, it will attempt to connect each time you boot-up/login"

Yes that indeed sounds like what I am experiencing. I did not know this was normal behavior.
The way to kill it would be in the registry?
Any other way to kill it?
Since I have uninstalled the decoy application from the server, I do not see myself making that connection anymore. My guess is that the decoy server was initiating something that caused my pc to connect to it.
Delete all LRU lists.
It is how network discovery works. Previous connections are cached to speed access.
The assumption is if you needed SMB access previously, you may need it again.
ASKER CERTIFIED SOLUTION
giltjr

Thank you for everyone's suggestion.  Unfortunately I have moved on to something else and will not be investigating this anymore. I will mark as accepted in case someone else runs into a similar issue.