
Adding XP to workgroup

Discussion in 'Networking' started by beachfront, Sep 12, 2003.

Thread Status:
Not open for further replies.
  1. beachfront

    beachfront Thread Starter

    Joined:
    Feb 11, 2002
    Messages:
    14
    Hello all.

    Small peer to peer network with 3 Win 98 workstations running IP. No file sharing to speak of, DSL router on the wire for Internet access.

    A new employee brings a laptop in with XP Home edition to be added to network. After he adds, other users lose Internet connectivity, can't ping default gateway from any machine, etc. Packet capture shows the XP machine begins with several ARP broadcasts, tries to register itself with NBNS, then floods the network with ARPs querying every address on the subnet, followed by lots of these listed under HTTP in the packet decode:

    M-SEARCH * HTTP/1.1\r\n
    Host: 239.255.255.250:1900\r\n
    ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n
    Man:"ssdp:discover"\r\n
    MX:3\r\n
    \r\n

    I've never seen this before, needless to say I got the laptop unplugged from the network right away and Monday will run a virus scan on the laptop.

    Any other ideas? Is there something with XP Home adding to a WIN98 workgroup that I'm missing?

    Thanks a bunch in advance.
     
  2. JohnWill

    JohnWill Retired Moderator

    Joined:
    Oct 19, 2002
    Messages:
    106,418
    I think something is very wrong with the laptop, I have plugged a number of customers' XP-Home systems into my network, and nothing like that happens. :D

    That sounds like the second variation of the MSBLASTER worm, the one that attempted to "fix" the earlier worm's stuff. With W98, it didn't find anything it could "patch", but it does plenty of damage just bringing the network to its knees. :)
     
  3. jimi

    jimi

    Joined:
    Jun 14, 2000
    Messages:
    3,959
    The UDP is slamming you. Try this, but don't overlook the virus warning that John gave you either, better safe than sorry sort of deal.
     
  4. JohnWill

    JohnWill Retired Moderator

    Joined:
    Oct 19, 2002
    Messages:
    106,418
    I guess it's difficult to believe UPnP would pound on you so much that it would cripple the network. However, I know that the derivatives of the MSBLASTER do that, I have a friend at Bristol Myers Squibb that's still fighting the battle on their 50,000 machines worldwide! :D
     
  5. beachfront

    beachfront Thread Starter

    Joined:
    Feb 11, 2002
    Messages:
    14
    I'm gonna check the laptop for Blaster et al. on Monday.... but I think the Microsoft TID is gonna do it.... I have been away from the Microsoft world for a while and really haven't had any exposure to these wonderful "self-discovery" "improvements" and other kinds of crap that can really make the easiest of networking a freakin nightmare...

    Thanks so much folks... I haven't used this resource in several years but my donation is on the way..


    Thanks again...
     
  6. beachfront

    beachfront Thread Starter

    Joined:
    Feb 11, 2002
    Messages:
    14
    Speaking too soon always bites me in the rear....

    The SSDP requests have gone away after turning off the UPnPMode in the registry. The symptoms still exist and the packet capture still shows the workstation 192.168.0.22 ARPing all addresses in the subnet. Even after I remove the workstation from the network after it's crashed the DSL router 192.168.0.1, Internet connectivity is not restored until I bounce the router. The initial part of the capture when the XP laptop is introduced is below.

    30 169.174880 192.168.0.22 Broadcast ARP Who has 192.168.0.22? Tell 192.168.0.22
    31 169.397687 192.168.0.4 225.1.2.3 IGMP V2 Membership Report
    32 171.168440 192.168.0.22 Broadcast ARP Who has 192.168.0.22? Tell 192.168.0.22
    33 181.082070 192.168.0.11 255.255.255.255 DHCP DHCP Discover - Transaction ID 0x49435320
    34 183.546794 192.168.0.1 192.168.0.255 RIPv1 Response
    35 184.864438 192.168.0.22 192.168.0.255 NBNS Registration NB BUSINESS<00>
    36 185.609278 192.168.0.22 192.168.0.255 NBNS Registration NB BUSINESS<00>
    37 186.360374 192.168.0.22 192.168.0.255 NBNS Registration NB BUSINESS<00>
    38 187.111463 192.168.0.22 192.168.0.255 NBNS Registration NB BUSINESS<00>
    39 187.863009 192.168.0.22 192.168.0.255 NBNS Registration NB INSURANCE<00>
    40 188.613628 192.168.0.22 192.168.0.255 NBNS Registration NB INSURANCE<00>
    41 189.364675 192.168.0.22 192.168.0.255 NBNS Registration NB INSURANCE<00>
    42 190.055965 192.168.0.22 Broadcast ARP Who has 192.168.0.1? Tell 192.168.0.22
    43 190.115924 192.168.0.22 192.168.0.255 NBNS Registration NB INSURANCE<00>
    44 191.591705 192.168.0.22 192.168.0.255 NBNS Registration NB BUSINESS<03>
    45 192.338941 192.168.0.22 192.168.0.255 NBNS Registration NB BUSINESS<03>
    46 192.963209 192.168.0.22 192.168.0.255 NBNS Registration NB BUSINESS<20>
    47 193.090036 192.168.0.22 192.168.0.255 NBNS Registration NB BUSINESS<03>
    48 193.566360 00000000.192.168.0.127 00000000.Broadcast IPX SAP General Response
    49 193.710960 192.168.0.22 192.168.0.255 NBNS Registration NB BUSINESS<20>
    50 193.841087 192.168.0.22 192.168.0.255 NBNS Registration NB BUSINESS<03>
    51 194.461988 192.168.0.22 192.168.0.255 NBNS Registration NB BUSINESS<20>
    52 195.213051 192.168.0.22 192.168.0.255 NBNS Registration NB BUSINESS<20>
    53 195.966560 192.168.0.22 192.168.0.255 BROWSER Host Announcement BUSINESS, Workstation, Server, Print Queue Server, NT Workstation
    54 196.009828 192.168.0.22 192.168.0.255 NBNS Registration NB INSURANCE<1e>
    55 196.755317 192.168.0.22 192.168.0.255 NBNS Registration NB INSURANCE<1e>
    56 197.506412 192.168.0.22 192.168.0.255 NBNS Registration NB INSURANCE<1e>
    57 198.257492 192.168.0.22 192.168.0.255 NBNS Registration NB INSURANCE<1e>
    58 199.010097 192.168.0.22 192.168.0.255 BROWSER Request Announcement BUSINESS
    59 199.010528 192.168.0.22 192.168.0.255 BROWSER Host Announcement BUSINESS, Workstation, Server, Print Queue Server, NT Workstation, Potential Browser
    60 199.065437 192.168.0.11 192.168.0.255 BROWSER Local Master Announcement IBM23XKC41, Workstation, Server, Print Queue Server, Windows for Workgroups, Potential Browser, Backup Browser, Master Browser, Windows 95 or above
    61 199.065532 192.168.0.22 192.168.0.255 BROWSER Browser Election Request
    62 199.165489 192.168.0.11 192.168.0.255 BROWSER Browser Election Request
    63 199.950051 192.168.0.22 192.168.0.255 BROWSER Browser Election Request
    64 199.951395 192.168.0.11 192.168.0.255 NBNS Release NB INSURANCE<1d>
    65 199.951469 192.168.0.11 192.168.0.255 NBNS Release NB <01><02>__MSBROWSE__<02><01>
    66 199.965399 192.168.0.11 192.168.0.255 BROWSER Host Announcement IBM23XKC41, Workstation, Server, Print Queue Server, Windows for Workgroups, Potential Browser, Backup Browser, Windows 95 or above
    67 200.951524 192.168.0.22 192.168.0.255 BROWSER Browser Election Request
    68 201.952965 192.168.0.22 192.168.0.255 BROWSER Browser Election Request
    69 202.682877 192.168.0.22 Broadcast ARP Who has 192.168.0.2? Tell 192.168.0.22
    70 202.687777 192.168.0.22 Broadcast ARP Who has 192.168.0.3? Tell 192.168.0.22
    71 202.694890 192.168.0.22 Broadcast ARP Who has 192.168.0.4? Tell 192.168.0.22
    72 202.704330 192.168.0.22 Broadcast ARP Who has 192.168.0.5? Tell 192.168.0.22
    73 202.714599 192.168.0.22 Broadcast ARP Who has 192.168.0.6? Tell 192.168.0.22
    74 202.736697 192.168.0.22 Broadcast ARP Who has 192.168.0.7? Tell 192.168.0.22
    75 202.751616 192.168.0.22 Broadcast

    I'm a little stumped... running virus check as I write this.... any ideas would be greatly appreciated. Thanks.
     
  7. beachfront

    beachfront Thread Starter

    Joined:
    Feb 11, 2002
    Messages:
    14
    Found the Welchia worm on the laptop. Descriptions of the worm say to look for a succession of ARP requests from the same workstation. Sounds like my problem. I'll let you know.
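
The symptom named in this thread, a run of ARP requests from one workstation walking through the subnet, can be picked out of a text capture export mechanically. The following is an added example, not part of the original thread: the function name, the threshold of 5 distinct targets and the 1-second window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque

# Rows 30-74 are copied from the capture posted in this thread (columns: no.,
# time, source, destination, protocol, info). Row 80 is constructed: one
# ordinary gateway lookup from another workstation, for contrast.
CAPTURE = """\
30 169.174880 192.168.0.22 Broadcast ARP Who has 192.168.0.22? Tell 192.168.0.22
31 169.397687 192.168.0.4 225.1.2.3 IGMP V2 Membership Report
42 190.055965 192.168.0.22 Broadcast ARP Who has 192.168.0.1? Tell 192.168.0.22
61 199.065532 192.168.0.22 192.168.0.255 BROWSER Browser Election Request
69 202.682877 192.168.0.22 Broadcast ARP Who has 192.168.0.2? Tell 192.168.0.22
70 202.687777 192.168.0.22 Broadcast ARP Who has 192.168.0.3? Tell 192.168.0.22
71 202.694890 192.168.0.22 Broadcast ARP Who has 192.168.0.4? Tell 192.168.0.22
72 202.704330 192.168.0.22 Broadcast ARP Who has 192.168.0.5? Tell 192.168.0.22
73 202.714599 192.168.0.22 Broadcast ARP Who has 192.168.0.6? Tell 192.168.0.22
74 202.736697 192.168.0.22 Broadcast ARP Who has 192.168.0.7? Tell 192.168.0.22
80 203.100000 192.168.0.11 Broadcast ARP Who has 192.168.0.1? Tell 192.168.0.11
"""

ARP_RE = re.compile(
    r"^\s*\d+\s+(?P<time>\d+\.\d+)\s+\S+\s+Broadcast\s+ARP\s+"
    r"Who has (?P<target>[\d.]+)\? Tell (?P<sender>[\d.]+)\s*$"
)

def ip_key(ip):
    """Sort key that orders dotted-quad addresses numerically."""
    return tuple(int(part) for part in ip.split("."))

def find_arp_sweeps(text, min_targets=5, window=1.0):
    """Return {sender: [targets]} for every host that sent ARP requests for
    at least min_targets distinct addresses within `window` seconds.
    Both thresholds are illustrative assumptions; tune them per network."""
    recent = defaultdict(deque)   # sender -> (time, target) pairs still in window
    flagged = defaultdict(set)    # sender -> targets seen while over threshold
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue              # not an ARP request row
        t, target, sender = float(m["time"]), m["target"], m["sender"]
        if target == sender:
            continue              # address-conflict probe for the host's own IP
        q = recent[sender]
        q.append((t, target))
        while t - q[0][0] > window:
            q.popleft()           # drop requests older than the window
        distinct = {tgt for _, tgt in q}
        if len(distinct) >= min_targets:
            flagged[sender] |= distinct
    return {s: sorted(tg, key=ip_key) for s, tg in flagged.items()}
```

Run over the rows above, `find_arp_sweeps(CAPTURE)` reports 192.168.0.22 with targets 192.168.0.2 through 192.168.0.7 and leaves the single gateway lookup from 192.168.0.11 unflagged.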
     
  8. beachfront

    beachfront Thread Starter

    Joined:
    Feb 11, 2002
    Messages:
    14
    Welchia seems to have been the culprit. Thanks for the help.
     
  9. JohnWill

    JohnWill Retired Moderator

    Joined:
    Oct 19, 2002
    Messages:
    106,418
    I figured that had to be the guy that was getting you. :)
     

Short URL to this thread: https://techguy.org/164329
