Jump to content

An attempt to connect to the Server Service was detected


Recommended Posts

I've just noticed this in my firewall log

 

 
3/12/2016 9:36:38 PM;
 
An attempt to connect to the Server Service was detected;
 
Source 192.168.1.6:11909;
 
Destination 192.168.1.6:445;TCP;
 
;System;
 
 
Obviously this is something internal to my network rather than an external attack, but what is it trying to tell me ?
 
Using ESS version 9
 
 
Link to comment
Share on other sites

Use can read about SMB port 445 here: https://isc.sans.edu/forums/diary/Cyber+Security+Awareness+Month+Day+1+Port+445+SMB+over+TCP/7210/ . Normally, if restricted to your internal network as appears to be your case, such traffic is OK. However, a vulnerability in its use that affects all Win versions was discovered a few months ago: hxxp://www.darkreading.com/vulnerabilities---threats/windows-badtunnel-attack-hijacks-network-traffic/d/d-id/1325875 . So make sure you have applied all Win Updates to date.

 

One possibility for these firewall log entries is you have disabled the "Allow incoming connection to admin shares in SMB protocol" setting in Eset's IDS advanced options settings. This option in reality is only needed for domain environments. However, I have always had this setting disabled and never seen the alerts you posted.

 

-EDIT- If these log entries persist, I would do what is recommended in the DarkReadingRoom article, namely:

 

I suggest you disable the NetBIOS over TCP/IP to prevent BadTunnel attack,” he says.

 

You do so by going into your TCP/IP settings for IPv4 and disabling it there.

Edited by itman
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...