Full Disclosure mailing list archives

Re: Broadcast storm in my network/ any ideas


From: "J.A. Terranson" <measl () mfn org>
Date: Thu, 22 Dec 2005 12:27:46 -0600 (CST)


On Thu, 22 Dec 2005, wilder_jeff Wilder wrote:

> All,
> 
> I have a Windows 2000 terminal server that is consistently sending out
> broadcasts to 255.255.255.255:111... below is a capture from a snort box I
> have running. In the last 18 hours I have had about 2000 packets from this
> box to this address about every 30 seconds.

Jeff, FYI - a "Broadcast storm" is a Loooooonnnngggggg way from 200
packets over 18 hours.  Most people would hesitate to class this level of
traffic as a "nuisance", let alone a "broadcast storm".  Notwithstanding
the obvious error in terminology, 111 isn't a port that I would expect a
Winblows box to be talking to (it is usually used for *nix portmapper
services).

In this case, your most reasonable course of action would be to examine
the box and try to determine what process is binding to the port.
Personally, I'd pull it off the wire under the presumption it's been
compromised, until proven otherwise (or unless you have Services for Unix
installed).

-- 
Yours,

J.A. Terranson
sysadmin () mfn org
0xBD4A95BF


        Just once, can't we have a nice polite discussion about
        the logistics and planning side of large criminal enterprise?

        - Steve Thompson


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
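The thread's two practical points are (a) the observed traffic is a slow, regular beacon rather than a storm, and (b) the next step is to work out which host and process is responsible. The following Python script is an added example and not part of the original list post; it parses snort "fast"-style alert lines (constructed sample lines, not Jeff's actual capture), groups packets sent to 255.255.255.255:111 by source host, computes the mean inter-packet interval and packet rate, and labels the pattern. The storm threshold of 100 packets/s is an assumed value chosen for illustration, not a figure from the thread.

```python
import re
from datetime import datetime
from statistics import mean

# Layout of a snort "fast" alert line:
# <mm/dd-HH:MM:SS.usec>  [**] [gid:sid:rev] msg [**] [Priority: n] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

BROADCAST = "255.255.255.255"
PORTMAPPER = 111

# Assumed threshold (not from the thread): a sustained rate of >= 100 packets/s
# is what this example calls a "storm". One packet every 30 s is nowhere near it.
STORM_PPS = 100.0

# Constructed sample alerts. Host 10.1.1.20 beacons to the broadcast address on
# UDP/111 every 30 s; the last two lines are unrelated traffic that must be ignored.
SAMPLE_ALERTS = """\
12/22-10:00:00.000000  [**] [1:1000001:1] LOCAL UDP to broadcast portmapper [**] [Priority: 3] {UDP} 10.1.1.20:1029 -> 255.255.255.255:111
12/22-10:00:30.000000  [**] [1:1000001:1] LOCAL UDP to broadcast portmapper [**] [Priority: 3] {UDP} 10.1.1.20:1029 -> 255.255.255.255:111
12/22-10:01:00.000000  [**] [1:1000001:1] LOCAL UDP to broadcast portmapper [**] [Priority: 3] {UDP} 10.1.1.20:1029 -> 255.255.255.255:111
12/22-10:01:30.000000  [**] [1:1000001:1] LOCAL UDP to broadcast portmapper [**] [Priority: 3] {UDP} 10.1.1.20:1029 -> 255.255.255.255:111
12/22-10:00:45.000000  [**] [1:1000002:1] LOCAL NetBIOS name broadcast [**] [Priority: 3] {UDP} 10.1.1.31:137 -> 10.1.1.255:137
12/22-10:00:50.000000  [**] [1:1000003:1] LOCAL sunrpc probe [**] [Priority: 2] {TCP} 10.1.1.44:3345 -> 10.1.1.20:111
"""


def parse_alert(line):
    """Return a dict for one alert line, or None if the line does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    # Year is absent in the fast format; strptime defaults it, which is fine for deltas.
    ts = datetime.strptime(m.group("ts"), "%m/%d-%H:%M:%S.%f")
    return {
        "ts": ts,
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def summarize_broadcasts(lines, dst=BROADCAST, dport=PORTMAPPER):
    """Group alerts destined for dst:dport by source host and compute timing stats."""
    by_src = {}
    for line in lines:
        rec = parse_alert(line)
        if rec is None or rec["dst"] != dst or rec["dport"] != dport:
            continue
        by_src.setdefault(rec["src"], []).append(rec["ts"])

    summary = {}
    for src, stamps in by_src.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        span = (stamps[-1] - stamps[0]).total_seconds()
        summary[src] = {
            "packets": len(stamps),
            "mean_interval_s": mean(gaps) if gaps else None,
            # Rate over the observed window; a single packet gives no rate.
            "packets_per_s": (len(stamps) - 1) / span if span > 0 else 0.0,
        }
    return summary


def classify(stats):
    """Label the pattern so the reader does not call a 30 s beacon a storm."""
    if stats["packets_per_s"] >= STORM_PPS:
        return "broadcast storm"
    if stats["packets"] >= 3 and stats["mean_interval_s"] and stats["mean_interval_s"] >= 1.0:
        # Slow and regular: a timer in one process, so find what binds/sends on the port.
        return "periodic beacon"
    return "sporadic"


if __name__ == "__main__":
    for src, stats in summarize_broadcasts(SAMPLE_ALERTS.splitlines()).items():
        print(f"{src}: {stats['packets']} packets, "
              f"mean interval {stats['mean_interval_s']:.1f}s, "
              f"{stats['packets_per_s']:.3f} pkt/s -> {classify(stats)}")
```

Run against a real alert file with `summarize_broadcasts(open("alert").read().splitlines())`; the output tells you which host to pull off the wire and whether the rate is regular enough to point at a single timer-driven process rather than a flood.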