Re: strange log
From: Chris Weber [Security MVP] (chris_at_dev.nul)
Date: Mon, 20 Jun 2005 22:05:42 -0700
Can you run a sniffer? Do you see TCP, like ACKs, going back and forth? If
the address is spoofed, like you said, your server would not be able to talk
back to this somebody.
"Simo Sentissi" <email@example.com> wrote in message
> Hello there,
> I have a strange occurrence of somebody trying to log in as local admin on a
> server box. Since it locks out and back after 30 mins, the same thing
> repeats again.
> I looked at the details and I noticed that the origination address is a
> 192.168 addr which does not belong to our network? I am kind of puzzled!
> How can the TCP/IP transaction finish if the address is spoofed, or is that
> data from some NetBIOS header?