
On a DELL PowerEdge T110 II, the pre-installed Windows Server 2012 R2 (Foundation edition) keeps requesting the page limwinsemea02.mfg.ie.dell.com over HTTP port 80. We know this because of a firewall log, which registers ~250k blocked requests in a few months. So far I have failed to figure out which service/startup component/process is causing this. What do I need to configure, uninstall or disable to make this "phone home" behavior stop without affecting normal server operation?

EDIT: Sysinternals Process Monitor revealed this:

Port 80 was a wrong interpretation or assumption. It is a UDP send towards 163.244.79.191 on the well-known port "netbios-ns" (decimal 137). That IP is in a range assigned to "Dell, Inc.".

PID 4 = "System", Stack shows that besides ntoskrnl.exe, netbt.sys and tdx.sys are involved.

I understand now that the NetBIOS protocol is involved, but why (and where) is it configured to flood that DELL address with multiple connects per second?

EDIT 2: Wherever the domain or IP address is stored, it is not in the registry, or it is scrambled.

dlatikay
  • Is it worth doing a registry-search to see if you can find any reference to that domain? – Chopper3 Nov 28 '16 at 14:53
  • done, see edit2 – dlatikay Nov 28 '16 at 15:11
  • I'd probably suggest running a continuous netstat (to file) or, better yet, a packet capture on the server to confirm the source IP address and port and the destination IP address and port. If you run a packet capture with Microsoft Network Monitor you'll be able to see the traffic per process. Running `netstat -a -n -o 1 >C:\Temp\netstat.txt` will log all connections/sessions to a log file every second, including the PID responsible. – joeqwerty Nov 29 '16 at 00:24

2 Answers


I'm reasonably certain that Process Monitor from Sysinternals will allow you to capture data to show which process is making the DNS request for that location.

If you use it to capture network activity, you'll see the PID and process name. Then look for UDP packets, you'll have to enter 'source IP:53' going to the DNS server and then the actual domain - I strongly suspect you'll have to faff about a bit with this to get it going right though sorry.

Chopper3
  • just learned that process monitor != process explorer... see edit for results of using process monitor. – dlatikay Nov 28 '16 at 14:06
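The process-identification step described in this answer and in joeqwerty's comment, as an added PowerShell example (not code from the answer, the comments, or Dell). It assumes Windows Server 2012 R2 or later (for the NetTCPIP cmdlets) and an elevated prompt, and uses the address and port reported in the question. The WINS check is my own addition and an assumption about where to look: unicast name-service traffic to a single fixed, routed address on UDP 137 is exactly what NetBT sends to a configured WINS server, so the adapter's WINS entries are worth reading before hunting elsewhere.

```powershell
# Added example, not from the original answer. Assumes Windows Server 2012 R2+
# and an elevated prompt. Address and port are the ones reported in the question.
$target = '163.244.79.191'
$port   = 137
$logDir = 'C:\Temp'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# 1. Confirm who owns the local UDP 137 socket. NetBT (netbt.sys) binds it from
#    kernel mode, so the owner is PID 4 "System", matching the Process Monitor stack.
Get-NetUDPEndpoint -LocalPort $port |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Format-Table -AutoSize

# 2. Read the NetBIOS-related adapter settings (assumption: a stale WINS server entry
#    is the standard setting that makes NetBT unicast name queries to one fixed IP).
#    TcpipNetbiosOptions: 0 = default (via DHCP), 1 = enabled, 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, IPAddress, WINSPrimaryServer, WINSSecondaryServer, TcpipNetbiosOptions |
    Format-Table -AutoSize

# 3. Show the in-memory NetBIOS remote name cache; an entry here maps a name to an
#    address without anything being written to the registry.
nbtstat -c

# 4. Capture only packets to/from the target for one minute with the built-in tracer
#    (no extra tools needed); open the .etl in Microsoft Network Monitor or Message Analyzer.
netsh trace start capture=yes tracefile="$logDir\dell-nbns.etl" "IPv4.Address=$target"
Start-Sleep -Seconds 60
netsh trace stop
```

Step 1 answers "which process" (the kernel, via NetBT), step 2 and step 3 answer "where is the address configured or cached", and step 4 gives you the packets themselves so you can confirm they are NetBIOS name-service queries and not something else reusing port 137.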

The protocol that uses port 137 (NetBIOS name resolution) works using broadcasts within the confines of the local LAN. It's not routable. Many people using VPN to their workplace complain about not being able to resolve their work computers' network names and are presented with ideas to host one or more DNS servers here and there to overcome this limitation. Or buy a specific VPN router that allows SMB over VPN.

The last time I saw someone opening their port 137 (8 or 9) to the public network was around 1998-1999 when we used dial-up internet on POTS lines, effectively opening ourselves to everyone, oh, the nostalgia. So DELL probably does not have it open.

In the light of this, I see a slim possibility that this is intentional "home phoning". The System process, PID 4, which hosts some network services, lets NetBIOS (SMB) bombard everyone it can from its port 137, in order to e.g. announce the server's NetBIOS name and node type. Then the connection is left for a short time in some ending state, e.g. TIME_WAIT. The real question is why the heck MS still allows Windows to do what 16 years ago was regarded as stupid (see the 7th and 8th posts in this thread for mention of firewall logs being full of dropped SMB connections).

I think some app on your server might have been searching for updates and that's how the server cached this IP, which then was subject to NetBIOS's behavior, which really is the culprit IMHO.

Kitet
  • The last paragraph in your answer leads me to think that this caching took place when the server was installed while connected to the manufacturer's own network. So there is no application or vendor service doing this - it's SMB/NetBIOS phantom pain. – dlatikay Dec 07 '16 at 12:04
  • I changed NIC > Properties > TCP/IPv4 > Advanced > WINS > NetBIOS from "Default" to "Disable NetBIOS over TCP/IP": enjoy the silence. Thanks go to @Chopper3 for practical guidance; I accepted this because it actually made me understand. – dlatikay Dec 07 '16 at 15:09
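The fix the asker applied by hand in the last comment, as an added PowerShell example (not code from the answer or the comments): it scripts the "Disable NetBIOS over TCP/IP" setting for every IP-enabled adapter, flushes the NetBIOS name cache, and, as an extra belt-and-braces measure of my own, adds an outbound firewall rule for the address in the question so any remaining UDP 137 traffic to it is dropped locally instead of filling the perimeter firewall log. It assumes Windows Server 2012 R2 or later and an elevated prompt. Caveat for normal operation: once NetBT is off, broadcast/WINS name resolution stops on those adapters, so anything that still relied on it must resolve via DNS.

```powershell
# Added example, not from the original answer. Assumes Windows Server 2012 R2+
# and an elevated prompt. The remote address is the one reported in the question.
$target = '163.244.79.191'

# Show the current per-adapter setting before changing anything.
# TcpipNetbiosOptions: 0 = default (via DHCP), 1 = enabled, 2 = disabled.
$adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$adapters | Select-Object Description, TcpipNetbiosOptions | Format-Table -AutoSize

# Purge the NetBIOS remote name cache while NetBT is still running (nbtstat needs it).
nbtstat -R

# Disable NetBIOS over TCP/IP on every IP-enabled adapter. This is the scripted form of
# NIC > Properties > TCP/IPv4 > Advanced > WINS > "Disable NetBIOS over TCP/IP".
# SetTcpipNetbios returns 0 on success and 1 when it succeeded but needs a reboot.
foreach ($nic in $adapters) {
    $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                  -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
    switch ($result.ReturnValue) {
        0 { Write-Host "Disabled NetBIOS over TCP/IP on: $($nic.Description)" }
        1 { Write-Host "Disabled on $($nic.Description); reboot required" }
        default { Write-Warning "SetTcpipNetbios failed on $($nic.Description) (code $($result.ReturnValue))" }
    }
}

# Extra measure (my addition): block any leftover UDP 137 traffic to the Dell address
# at the host firewall, so it never reaches the perimeter firewall in the first place.
New-NetFirewallRule -DisplayName 'Block NetBIOS-NS to Dell factory host' `
    -Direction Outbound -Protocol UDP -RemotePort 137 -RemoteAddress $target `
    -Action Block | Out-Null

# Verify: no local UDP 137 listener should remain once NetBT is disabled.
Get-NetUDPEndpoint -LocalPort 137 -ErrorAction SilentlyContinue
```

Re-run the check with `Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | Select-Object Description, TcpipNetbiosOptions` after a reboot; every adapter should now report 2, and the perimeter firewall log for the address should stay quiet.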