Resolved spoof attack question

Discussion in 'Security and Privacy' started by drhans2, 2009/10/03.

  1. 2009/10/03
    drhans2 Well-Known Member Thread Starter

    Can someone please explain what's going on here.. from what I can see from the log file below starting from the bottom and reading up... The sequence of events is as follows..

    My router is turned on and PPPoE is Authenticating to my ISP via my Bridged DSL modem then connecting to my desktop Nassau 00-13-d4-1a-4e-52 (MY Wired Ethernet Card) with the DHCP lease IP 192.168.1.102. (everything after the word "desktop" is me ASSUMING).

    Next I inserted my Wireless USB Dongle into the same desktop computer the router is wired to.
    Wireless PC connected 00-14-d1-36-25-84 (MY Wireless USB Dongle)
    Authentication Success 00-14-d1-36-25-84
    with the DHCP lease IP 192.168.1.100 to Nassau 00-14-d1-36-25-84

    Next I start getting these spoof attacks
    Spoof Attack fromd MAC(00-13-d4-1a-4e-52) Detect, (MY Wired Ethernet Card)
    Spoof IP(192.168.1.100), Spoof Port(137)
    Target IP(192.168.1.255), Target Port(137) Packet Dropped
    Same port tried 6 more times...
    Spoof Attack fromd MAC(00-13-d4-1a-4e-52) Detect,
    Spoof IP(192.168.1.100), Spoof Port(138)
    Target IP(192.168.1.255), Target Port(138) Packet Dropped
    Same port tried once more before I terminated the connection.

    From what I can understand (I use that statement loosely) ....
    My wired desktop is trying to spoof (via ports 137 & 138) my wireless connection to the same desktop.
    And is trying 2 if not all DHCP leases the router's gateway range has..

    What is really going on? Why are the attacks happening and how do I correct the issue? (Besides removing the wireless connection).... (Assuming there is a problem here) I have run all anti-virus and spy programs without any issues. Windows firewall is active & wireless connection is WPA2-PSK CIPHER_AUTO.

    I realize the setup I have is not normal but from what I remember the same thing happened when I used a second computer via a wired connection via the same router. Hence this test setup... I only have access to one computer at this time to test with.


    Router log is as follows.... starting from the bottom and reading up...

    Oct/03/2009 09:53:20
    Sending one E-mail Subject: Manual
    Oct/02/2009 14:08:20
    Target IP(192.168.1.255), Target Port(138) Packet Dropped
    Oct/02/2009 14:08:20
    Spoof IP(192.168.1.100), Spoof Port(138)
    Oct/02/2009 14:08:20
    Spoof Attack fromd MAC(00-13-d4-1a-4e-52) Detect,
    Oct/02/2009 13:56:17
    Target IP(192.168.1.255), Target Port(138) Packet Dropped
    Oct/02/2009 13:56:17
    Spoof IP(192.168.1.100), Spoof Port(138)
    Oct/02/2009 13:56:17
    Spoof Attack fromd MAC(00-13-d4-1a-4e-52) Detect,
    Oct/02/2009 13:54:00
    Target IP(192.168.1.255), Target Port(137) Packet Dropped
    Oct/02/2009 13:54:00
    Spoof IP(192.168.1.100), Spoof Port(137)
    Oct/02/2009 13:54:00
    Spoof Attack fromd MAC(00-13-d4-1a-4e-52) Detect,
    Oct/02/2009 13:53:59
    Target IP(192.168.1.255), Target Port(137) Packet Dropped
    Oct/02/2009 13:53:59
    Spoof IP(192.168.1.100), Spoof Port(137)
    Oct/02/2009 13:53:59
    Spoof Attack fromd MAC(00-13-d4-1a-4e-52) Detect,
    Oct/02/2009 13:53:58
    Target IP(192.168.1.255), Target Port(137) Packet Dropped
    Oct/02/2009 13:53:58
    Spoof IP(192.168.1.100), Spoof Port(137)
    Oct/02/2009 13:53:58
    Spoof Attack fromd MAC(00-13-d4-1a-4e-52) Detect,
    Oct/02/2009 13:43:39
    Target IP(192.168.1.255), Target Port(137) Packet Dropped
    Oct/02/2009 13:43:39
    Spoof IP(192.168.1.100), Spoof Port(137)
    Oct/02/2009 13:43:39
    Spoof Attack fromd MAC(00-13-d4-1a-4e-52) Detect,
    Oct/02/2009 13:43:38
    Target IP(192.168.1.255), Target Port(137) Packet Dropped
    Oct/02/2009 13:43:38
    Spoof IP(192.168.1.100), Spoof Port(137)
    Oct/02/2009 13:43:38
    Spoof Attack fromd MAC(00-13-d4-1a-4e-52) Detect,
    Oct/02/2009 13:43:38
    Target IP(192.168.1.255), Target Port(137) Packet Dropped
    Oct/02/2009 13:43:38
    Spoof IP(192.168.1.100), Spoof Port(137)
    Oct/02/2009 13:43:38
    Spoof Attack fromd MAC(00-13-d4-1a-4e-52) Detect,
    Oct/02/2009 13:43:37
    Target IP(192.168.1.255), Target Port(137) Packet Dropped
    Oct/02/2009 13:43:37
    Spoof IP(192.168.1.100), Spoof Port(137)
    Oct/02/2009 13:43:37
    Spoof Attack fromd MAC(00-13-d4-1a-4e-52) Detect, (MY Wired Ethernet Card)
    Oct/02/2009 13:43:34
    DHCP lease IP 192.168.1.100 to Nassau 00-14-d1-36-25-84 (MY Wireless USB Dongle)
    Oct/02/2009 13:43:30
    Authentication Success 00-14-d1-36-25-84
    Oct/02/2009 13:43:29
    Authenticating...... 00-14-d1-36-25-84
    Oct/02/2009 13:43:29
    Wireless PC connected 00-14-d1-36-25-84 (MY Wireless USB Dongle)
    Oct/02/2009 13:42:16
    DHCP lease IP 192.168.1.102 to Nassau 00-13-d4-1a-4e-52 (MY Wired Ethernet Card)
    Oct/02/2009 13:41:48
    PPPoE line connected
    Oct/02/2009 13:41:47
    WAN: Auto Dialup Try to establish PPPoE line
    Oct/02/2009 13:41:47
    System started
    Oct/02/2009 13:41:39
    AP 2.4GHz mode Ready. Channel : 1 TxRate : best SSID : Ground Zero
    Oct/02/2009 13:41:39
    Access point: Ground Zero started at channel 1.
     
  2. 2009/10/04
    TonyT SuperGeek Staff

    Which router?

    Check the MAC addresses of your network adapters and see if the "spoof attack" is associated with one of your adapters: Spoof Attack fromd MAC(00-13-d4-1a-4e-52). It could very well just be one of your adapters incorrectly polling the router.

    Certain Windows services will try to poll the network for other computers, such as File & Print Sharing automatically looking for network printers and shares, or mapped network drives. If the MAC addresses in the log are yours, then no worries. If they are not yours then no worries too because the router is doing its job by filtering outside probes.

    And unless you are running a server dedicated to one of the network adapters, don't have both wired and wifi connected at the same time, because Windows can only use one of the connections, unless the connections are bridged. You cannot decide which connection will be used when both are active, Windows will ONLY use the connection that was established first, e.g. the wired one in your case sequence above.
     
    Last edited: 2009/10/04
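
Added example (not part of the original thread): a Python sketch of the check described in the reply above, matching the MAC in each "Spoof Attack" entry against the router's own DHCP lease entries. The sample log is a shortened copy of the lines in the first post; the verdict labels are made up for this example, and treating two leases with the same DHCP hostname as one machine is an assumption, since the client supplies that name.

```python
import re
from collections import Counter

# Shortened copy of the router log from the first post: newest entry first,
# each entry is a timestamp line followed by a message line.
SAMPLE_LOG = """\
Oct/02/2009 13:54:00
Target IP(192.168.1.255), Target Port(137) Packet Dropped
Oct/02/2009 13:54:00
Spoof IP(192.168.1.100), Spoof Port(137)
Oct/02/2009 13:54:00
Spoof Attack fromd MAC(00-13-d4-1a-4e-52) Detect,
Oct/02/2009 13:43:34
DHCP lease IP 192.168.1.100 to Nassau 00-14-d1-36-25-84
Oct/02/2009 13:42:16
DHCP lease IP 192.168.1.102 to Nassau 00-13-d4-1a-4e-52
"""

LEASE = re.compile(r"DHCP lease IP (\S+) to (\S+) ([0-9a-f-]{17})", re.I)
SRC_MAC = re.compile(r"Spoof Attack \w+ MAC\(([0-9a-f-]{17})\)", re.I)
SPOOF_IP = re.compile(r"Spoof IP\(([\d.]+)\), Spoof Port\((\d+)\)")

def classify_spoof_alerts(log_text):
    """Return a Counter keyed by (source MAC, claimed IP, port, verdict)."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    # Keep the message line of each pair, then reverse into chronological order.
    messages = [lines[i + 1] for i in range(0, len(lines) - 1, 2)][::-1]
    ip_owner, mac_host = {}, {}   # leased IP -> MAC, MAC -> DHCP hostname
    alerts, src = Counter(), None
    for msg in messages:
        if m := LEASE.search(msg):
            ip, host, mac = m.group(1), m.group(2), m.group(3).lower()
            ip_owner[ip], mac_host[mac] = mac, host
        elif m := SRC_MAC.search(msg):
            src = m.group(1).lower()          # frame's real source adapter
        elif (m := SPOOF_IP.search(msg)) and src:
            ip, port = m.group(1), int(m.group(2))
            owner = ip_owner.get(ip)          # adapter the IP was leased to
            if src not in mac_host:
                verdict = "unknown-device"    # MAC never took a lease here
            elif owner and owner != src and mac_host.get(owner) == mac_host[src]:
                verdict = "same-host-second-adapter"
            else:
                verdict = "investigate"
            alerts[(src, ip, port, verdict)] += 1
            src = None
    return alerts

if __name__ == "__main__":
    for (mac, ip, port, verdict), n in classify_spoof_alerts(SAMPLE_LOG).items():
        print(f"{n}x {mac} sent as {ip} port {port}: {verdict}")
```

Ports 137 and 138 sent to the subnet broadcast address, with both MACs leased to the same hostname, is the pattern a dual-homed Windows machine produces; an alert whose source MAC never appears in a lease entry is the one worth a closer look.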

  4. 2009/10/04
    drhans2 Well-Known Member Thread Starter

    Thanks for the reply... My router is a Trendnet TEW 452BRP. I did have "File and Print Sharing" unchecked (OFF) on my wired adapter (00-13-d4-1a-4e-52) but found it "ON" on the wireless adapter (00-14-d1-36-25-84).. I have unchecked the "File and Print Sharing" on my wireless adapter and so far the spoof attacks have stopped. Also thinking the terminology addressing the hardware could be better.. because the "File and Print Sharing" was turned off on wired adapter (00-13-d4-1a-4e-52) I assumed that the alert message.... "Spoof Attack fromd MAC(00-13-d4-1a-4e-52) Detect", (which is my Wired Ethernet Card)... was attempting to send a spoof attack via my wireless adapter.. but from my original setting it now appears the alert message was trying to say that my wired connection was... reporting an inbound attack (polling) from my wireless adapter.. guess it's all about who writes the software program.. and if it's "proof read" prior to release by someone who knows how to spell... note this word from the log file... (fromd).. thanks for the explanation about which connection Windows uses and the hint to recheck my "File and Print Sharing" options..
     
  5. 2009/10/04
    TonyT SuperGeek Staff

    Windows will broadcast and search for NetBIOS names (other comps on the LAN). Thus if you are connected to the LAN via the wired adapter, the Windows search or broadcast is being sent via that adapter.

    Uninstall file and print sharing rather than just uncheck it. You can always reinstall it if ever needed by using the "Install" button.

    Then in control panel > admin tools > services disable computer browser service.

    Then go to control panel > folder options > view tab > uncheck "auto search for network folders and printers".

    That will stop all NetBIOS broadcasts and searches originated by Windows on your comp.
     
  6. 2009/10/06
    drhans2 Well-Known Member Thread Starter

    Thanks again for the reply.. Ever since unchecking the wireless adapter "Print and File Sharing" options I have had zero spoof attacks.. so I'm on the ledge as far as uninstalling it vs just unchecking it.. As to your second suggestion... (Then in control panel > admin tools > services disable computer browser service.) I don't even have that "line option" to uncheck.. at least not on my computer.... and the 3rd I already had unchecked..
     
  7. 2009/10/06
    TonyT SuperGeek Staff

    OK then, if no more "spoofing" getting logged by just unchecking file & print sharing then no need to uninstall it.

    As for computer browser service, if you have XP, Vista or Win 7, then you do have that service in the services window.
     
  8. 2009/10/08
    drhans2 Well-Known Member Thread Starter

    I'm running XP PRO.. ... all is good now... thanks for the assist..
     
