Finder trying a suspicious connection via smbclient

Discussion in 'macOS' started by sOwL, May 17, 2013.

  1. sOwL, May 17, 2013
    Last edited: May 17, 2013

    #1
    I'm not very knowledgeable when it comes to how OSX handles network activity, but this stinks: Every time I open Finder (quitting and relaunching does it too) LittleSnitch is giving me a popup titled 'Finder via smbclient' stating that Finder is trying to connect to some external IP (25.96.233.133, somewhere in England??). I've researched about smbclient and I don't think this is normal. Someone told me to try "nmblookup -M -- -" in Terminal to check for any Windows computers in my network. That command gives this:
    querying __MSBROWSE__ on 192.168.1.255
    192.168.1.14 __MSBROWSE__<01>
    25.96.233.133 __MSBROWSE__<01>
    The first IP is indeed assigned to a Windows computer in my network, but I have no freaking idea about that second, external IP. Pinged it, it returns nothing, 100% packet loss. Did nslookup, whois, traceroute, still can't figure out what it is. Could it be some kind of malware??

    EDIT: Forgot to mention, running on 10.6.8
     
  2. justperry macrumors 604

    #2
    How do you know it is in England if the ping or anything else returns nothing?

    I got:

    Ping has started…

    PING 25.96.233.133 (25.96.233.133): 56 data bytes
    Request timeout for icmp_seq 0
    Request timeout for icmp_seq 1
    Request timeout for icmp_seq 2
    Request timeout for icmp_seq 3
    Request timeout for icmp_seq 4
    Request timeout for icmp_seq 5
    Request timeout for icmp_seq 6
    Request timeout for icmp_seq 7
    Request timeout for icmp_seq 8

    --- 25.96.233.133 ping statistics ---
    10 packets transmitted, 0 packets received, 100.0% packet loss

    Same with http, nothing.
     
  3. sOwL thread starter macrumors 6502

    #3
    I ran a RIPE whois. For some funny reason Network utility won't work. Try this link: http://whois.net/ip-address-lookup/25.96.233.133

    "netname: UK-MOD-19850128
    descr: DINSA, Ministry of Defence
    country: GB"

    and also "org-name: DINSA, Ministry of Defence". Looks fishy tbh
     
  4. justperry macrumors 604

    #4
  5. sOwL thread starter macrumors 6502

    #5
  6. justperry macrumors 604

    #6
    Don't know.
    Read a bit more, seems to be "harmless", just make a rule in LS to always block it, if you then get problems with a certain program you know where it is coming from.
     
  7. sOwL thread starter macrumors 6502

    #7
    I will further investigate just how LogMeIn works on the Windows computer (it creates a virtual network adapter, so it could be acting as a new computer in the network? Not sure) and then research some more about how smbclient works on OSX. It will stay always blocked, for sure. Thanks for trying to help out bud.
     
  8. benwiggy macrumors 68020

    #8
    I love the way that someone on the LogMeIn Community board thought the British Government was spying on them because they watched a BBC sitcom from a torrent site!

    In short: the IP address doesn't go to the MoD, but is something to do with LogMeIn.

    Yet another instance of Little Snitch making people worry about genuine, harmless network connections.
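
Added example, not part of any post in this thread: a small triage script for the `nmblookup` output quoted in post #1, which marks every answer whose address lies outside the subnet that was queried. The function name and the /24 prefix length are assumptions; `nmblookup` prints only the broadcast address, not the netmask.

```python
import ipaddress
import re

# Output copied from post #1 of the thread.
SAMPLE = """\
querying __MSBROWSE__ on 192.168.1.255
192.168.1.14 __MSBROWSE__<01>
25.96.233.133 __MSBROWSE__<01>
"""

QUERY_RE = re.compile(r"^querying\s+(\S+)\s+on\s+(\d+\.\d+\.\d+\.\d+)$")
REPLY_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+?)<([0-9a-fA-F]{2})>$")


def triage_nmblookup(output, prefix_len=24):
    """Return one dict per answer, marking addresses outside the queried subnet.

    prefix_len is an assumption (hypothetical default): pass the real prefix
    length of the interface the query was sent from.
    """
    subnet = None
    findings = []
    for raw in output.splitlines():
        line = raw.strip()
        m = QUERY_RE.match(line)
        if m:
            # Derive the local subnet from the broadcast address that was queried.
            subnet = ipaddress.ip_network(f"{m.group(2)}/{prefix_len}", strict=False)
            continue
        m = REPLY_RE.match(line)
        if not m or subnet is None:
            continue  # skip blank lines, errors and anything unrecognised
        addr = ipaddress.ip_address(m.group(1))
        findings.append({
            "address": str(addr),
            "name": m.group(2),
            "suffix": m.group(3),
            "on_queried_subnet": addr in subnet,
            "private_range": addr.is_private,
            # The query went to the local broadcast address, so an address
            # outside that subnet should be traced to the host that advertised it.
            "review": addr not in subnet,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_nmblookup(SAMPLE):
        print(finding)
```
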
     
