Firewall – Windows Server 2008 constantly spamming external IPs on outbound TCP port 445

Tags: firewall, port, tcp, windows-server-2003, windows-server-2008

I have a Windows Server 2008 box running as a Domain Controller. I have noticed in my Cisco ASA firewall logs that this box is continuously sending out requests (like a thousand requests a second) on TCP port 445 to external hosts. I have made an effort to keep this outbound traffic from getting on the internet (using the ASA); however, I would like these requests to stop occurring at all. I have tried disabling TCP/IP over NetBIOS. I have even turned on Windows Advanced Firewall on the box itself to block outbound 445, but the ASA still detects this particular traffic hitting it. I have other DCs and similar boxes which are not behaving the same way as this box.
Is this normal? Is there a way to stop this spamming? Have I been infected?

Before I denied it on my firewall, it was sending to IP addresses on the internet. In syslog it looks like:

4 Jun 01 2010 07:50:36 106023 192.168.50.15 59890 38.250.160.20 445 Deny tcp src inside:192.168.50.15/59890 dst outside:38.250.160.20/445 by access-group "OUTSIDE-OUT" [0xb2cd162d, 0x0]
4 Jun 01 2010 07:50:36 106023 192.168.50.15 59808 37.216.197.51 445 Deny tcp src inside:192.168.50.15/59808 dst outside:37.216.197.51/445 by access-group "OUTSIDE-OUT" [0xb2cd162d, 0x0]
4 Jun 01 2010 07:50:36 106023 192.168.50.15 59853 158.105.129.67 445 Deny tcp src inside:192.168.50.15/59853 dst outside:158.105.129.67/445 by access-group "OUTSIDE-OUT" [0xb2cd162d, 0x0]
4 Jun 01 2010 07:50:36 106023 192.168.50.15 59811 69.158.49.125 445 Deny tcp src inside:192.168.50.15/59811 dst outside:69.158.49.125/445 by access-group "OUTSIDE-OUT" [0xb2cd162d, 0x0]

Thank you universe.

Best Answer

k. it was a virus.
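
The pattern in the syslog excerpt from the question (one internal host denied on TCP 445 to many different public addresses) can be picked out of ASA logs automatically. The following is an added example, not part of the original question or answer; the function name `smb_fanout`, the threshold value and the two sample lines marked as constructed are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# ASA message 106023 in the layout shown in the question:
# "... Deny tcp src inside:IP/PORT dst outside:IP/PORT by access-group ..."
DENY_RE = re.compile(
    r"\b106023\b.*?Deny (?P<proto>tcp|udp) "
    r"src [^:\s]+:(?P<src>[\d.]+)/\d+ "
    r"dst [^:\s]+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def smb_fanout(lines, port=445, threshold=3):
    """Map each internal source to the distinct public IPs it was denied on
    `port`, keeping only sources with at least `threshold` destinations."""
    seen = defaultdict(set)
    for line in lines:
        m = DENY_RE.search(line)
        if not m or m["proto"] != "tcp" or int(m["dport"]) != port:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        # An internal host opening SMB to public addresses is the anomaly;
        # internal-to-internal 445 is normal domain traffic and is skipped.
        if src.is_private and dst.is_global:
            seen[str(src)].add(str(dst))
    return {s: sorted(d) for s, d in seen.items() if len(d) >= threshold}

SAMPLE = [
    # The four lines from the question's syslog excerpt.
    '4 Jun 01 2010 07:50:36 106023 192.168.50.15 59890 38.250.160.20 445 Deny tcp src inside:192.168.50.15/59890 dst outside:38.250.160.20/445 by access-group "OUTSIDE-OUT" [0xb2cd162d, 0x0]',
    '4 Jun 01 2010 07:50:36 106023 192.168.50.15 59808 37.216.197.51 445 Deny tcp src inside:192.168.50.15/59808 dst outside:37.216.197.51/445 by access-group "OUTSIDE-OUT" [0xb2cd162d, 0x0]',
    '4 Jun 01 2010 07:50:36 106023 192.168.50.15 59853 158.105.129.67 445 Deny tcp src inside:192.168.50.15/59853 dst outside:158.105.129.67/445 by access-group "OUTSIDE-OUT" [0xb2cd162d, 0x0]',
    '4 Jun 01 2010 07:50:36 106023 192.168.50.15 59811 69.158.49.125 445 Deny tcp src inside:192.168.50.15/59811 dst outside:69.158.49.125/445 by access-group "OUTSIDE-OUT" [0xb2cd162d, 0x0]',
    # Constructed lines: a second host denied on port 80, and on 445 to a
    # private address. Neither counts toward the fan-out.
    '4 Jun 01 2010 07:50:37 106023 192.168.50.20 50000 38.250.160.20 80 Deny tcp src inside:192.168.50.20/50000 dst outside:38.250.160.20/80 by access-group "OUTSIDE-OUT" [0xb2cd162d, 0x0]',
    '4 Jun 01 2010 07:50:37 106023 192.168.50.20 50001 192.168.60.9 445 Deny tcp src inside:192.168.50.20/50001 dst outside:192.168.60.9/445 by access-group "OUTSIDE-OUT" [0xb2cd162d, 0x0]',
]

if __name__ == "__main__":
    for host, dsts in smb_fanout(SAMPLE).items():
        print(f"{host}: denied TCP/445 to {len(dsts)} distinct public IPs")
```

On a real log, count within a time window and raise the threshold well above 3; the low value here only fits the four-line excerpt.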