
Snort Forums Archive


SMB C$ and WebDAV mini Redirector


Posted by treebug on January 25, 2008 11:43:39

I have received some 'NETBIOS SMB C$ unicode share access' alerts. I checked the network traffic and saw that a client was trying to connect to C$, IPC$, and ADMIN$ on another client workstation. These two client machines do not have a reason to communicate (no file shares, printers, etc). The result of these connection attempts is access denied coming back from the other client. However, it keeps trying to establish the session. If I run a 'netstat -an' I can see there is an established session between the two hosts.

I used TCPView and saw a connection between the two machines from the 'System' process. I could not get the properties or any further info on this process. I also used 'netstat -anob' and confirmed the process running it was 'System', but didn't get any further information. I looked for it in process explorer but could not find anything related to the established session.

I also get a 'WEB-IIS view source via translate header' alert between the same two clients. It is issuing a PROPFIND...the requested URI is /c%24..."Translate|3a| F" to port 80. From what I read this is trying to query information from WebDAV.

I read up a little on the WebDAV Mini-Redirector and found out that it is a way to read/write/copy web content and that you can connect to those shares with the net use command, Office uses them(?), and the service itself is called Web Client. But how can I find where the machine is configured to try to connect to these shares? And find out why it wants to query info from the other client?

If anyone has any further insight on this issue please share.
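The two alerts in the post are one Windows client behaviour seen twice. When a UNC path such as \\host\c$ cannot be opened over SMB, the WebClient service (the WebDAV Mini-Redirector, registered as a network provider) retries the same path over HTTP on port 80 with a PROPFIND that carries a "translate: f" header; Snort's `Translate|3a| F` content string is that header written in pipe-hex notation (`|3a|` is the colon byte). The script below is an added example, not code from the original post, from Snort, or from Sourcefire: it decodes the Snort content string, parses a constructed sample of the PROPFIND request (the host address, User-Agent and header set are assumptions, not captured traffic), percent-decodes the URI so that `/c%24` reads as the `C$` admin share, and reports whether the request looks like Mini-Redirector fallback traffic. The benign GET is included so the check can be seen not firing.

```python
"""Decode a Snort pipe-hex content string and classify a raw HTTP request as
WebDAV Mini-Redirector fallback traffic (PROPFIND + translate: f + admin share).
Added example; sample requests below are constructed, not captured."""
from urllib.parse import unquote

# Share names named in the original post (Windows default administrative shares).
ADMIN_SHARES = {"C$", "IPC$", "ADMIN$"}

# Constructed sample: what a Windows client trying \\192.0.2.10\c$ over WebDAV
# would plausibly send. Address, User-Agent string and header order are assumed.
SAMPLE_REQUEST = (
    b"PROPFIND /c%24 HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600\r\n"
    b"translate: f\r\n"
    b"Depth: 0\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed benign request for comparison.
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)


def decode_snort_content(pattern: str) -> bytes:
    """Turn a Snort content string such as 'Translate|3a| F' into raw bytes.

    Text outside pipes is literal; text between a pair of pipes is a list of
    hex byte values. An odd number of pipes means the pattern is malformed."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in Snort content string: %r" % pattern)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")          # literal text
        else:
            for hx in part.split():               # hex bytes, e.g. "3a"
                out.append(int(hx, 16))
    return bytes(out)


def parse_http_request(raw: bytes):
    """Split a raw HTTP request into (method, target, headers).

    Header names are lower-cased because HTTP header names are case-insensitive
    and the Mini-Redirector is observed sending 'translate' in lower case."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def analyse_request(raw: bytes, rule_content: str = "Translate|3a| F") -> dict:
    """Report what the Snort 'translate header' content match and the admin-share
    URI check would see in this request."""
    method, target, headers = parse_http_request(raw)

    # Case-insensitive search over the whole request, like a 'nocase' content match.
    needle = decode_snort_content(rule_content).lower()
    translate_rule_hit = needle in raw.lower()

    # /c%24 percent-decodes to /c$; the first path segment is the share name.
    decoded_path = unquote(target)
    first_segment = decoded_path.lstrip("/").split("/", 1)[0]
    share = first_segment.upper() if first_segment.upper() in ADMIN_SHARES else None

    translate_value = headers.get("translate", "").lower()
    return {
        "method": method,
        "decoded_path": decoded_path,
        "admin_share": share,
        "matches_translate_rule": translate_rule_hit,
        "looks_like_mini_redirector": method == "PROPFIND" and translate_value == "f",
    }


if __name__ == "__main__":
    for label, req in (("sample", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, analyse_request(req))
```

The point of running both requests through the same function is to see that the alert is keyed on the translate header plus the PROPFIND method, not on the share name alone: a PROPFIND against `/c$` with no translate header, or a translate header on a plain GET, is something different and should be looked at separately.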