Server broadcasting to a 169.X address

Archived from groups: microsoft.public.win2000.advanced_server (More info?)

the domain is creating a [00h]Workgroup and [1Eh]Normal Group Name
record for itself in WINS. The problem I have, is that those records are
being created with a 169.254.122.x IP, and filling the logs with entries
when the 192.168.0.X server tries to send netbios requests to that address.

no ideas?

Nathan Thomas Sr wrote:
> I have this strange problem I've been trying to track down. I'm not
> entirely sure this is where this should go, but I'm not aware of any
> other forum to post this in.
>
> I implemented a new firewall unit the other week. Lately, I've been
> paying more attention to the logs. In the Intrusion Detection System
> log, I keep seeing this message:
> Date: 08/15 08:50:45 Name: ICMP Destination Unreachable (Communication
> Administratively Prohibited)
> Priority: 3 Type: Misc activity
> IP info: 192.168.0.5:123 -> 169.254.122.72:123
> References: none found
>
> In the Firewall log:
> 08:52:31 eth0 eth1 ICMP
> 192.168.0.5:137----> 169.254.122.72:137
> -------
>
> For some reason or the other, the 192. address is sending netbios
> requests to the 169 address. I can't figure out why. I made sure that
> there were no errant/bad records in DNS, disabled netbios on that NIC,
> even deleted the 2nd nic from the server since it's not running
> Multihomed anymore. Still, there firewall log shows that even every 2-3
> seconds, and the intrusion log shows the 1st error every so often.
>
> There were no records of this over the weekend, and they started back up
> this morning around 0815, which is when most employees get on the network.
>
> Suggestions/advice?
>
> thanks
>
>

Archived from groups: microsoft.public.win2000.advanced_server (More info?)

Server does have a 2nd nic, but it is disabled. I'm going to pull it out
at the end of the month during scheduled downtime/maintenance and see
what happens.

The box is fully patched, and has current AV dats, and nothing has shown
during network scans, or AV+heuristics scan.

Strange, boggling, and annoying.

Brian Cryer wrote:
> "Nathan Thomas Sr" <nathan_nospam_@mvp97.com> wrote in message
> newsriQX8MrFHA.2212@TK2MSFTNGP15.phx.gbl...
>
>>the domain is creating a [00h]Workgroup and [1Eh]Normal Group Name
>>record for itself in WINS. The problem I have, is that those records are
>>being created with a 169.254.122.x IP, and filling the logs with entries
>>when the 192.168.0.X server tries to send netbios requests to that
>>address.
>>
>>no ideas?
>>
>>Nathan Thomas Sr wrote:
>
>
> No, no ideas - but - 169.254.122.x looks like the type of ip address that a
> pc generates for itself when it fails to get an ip address from the dhcp
> server. Does the server have more than one network card?
>
> Unlikely to be related, but when I googled on 169.254 I came across the
> following article:
> http://securityresponse.symantec.c [...] worms.html
>
> I hope you get to the bottom of it,
>
> Brian.
>
> www.cryer.co.uk/brian
>
>
>