Security Incidents mailing list archives
RE: unusual 1.11.0.0/16 outbound traffic
From: "Michael Zanetta" <mzanetta () telsys ch>
Date: Wed, 15 Sep 2004 16:21:06 +0200
Hi, Try to use a personal firewall like Tiny or Kerio to monitor wich application is sending these packets. http://download.kerio.com/dwn/kpf/kerio-pf-214-en-win.exe This is an old version of kerio firewall but it is ok to monitor this type of traffic. Have you changed anything recently in your network? HTH, Michael -----Message d'origine----- De : Federico Grau [mailto:donfede () casagrau org] Envoye : mardi, 14. septembre 2004 23:23 A : incidents () securityfocus com Objet : unusual 1.11.0.0/16 outbound traffic Hello Incidents folk, We have been seeing an increasing amount of unusual network activity trying to get out of our internal LAN. What is most odd about this traffic is that the traffic is directed to the 1.11.0.0./16 subnet (an IANA Reserved subnet, which I believe is to be used for VPNs). The activity began 2004-08-10 with 4 machines trying to send packets out at different times. Slowly the number of machines trying to send out this network traffic has grown to 18 last week. We have not seen trends of times when the activity occurs, it ranges throughout all times of the day and night, regardless of whether the user is at his machine. We have not seen trends of machines attempting to send out the network traffic, other than the number appears to be growing. We have virus scanners on desktop machines (mcafee) and on our mailserver (Mailscanner w/ sophos and mccaffe). Anti-virus software does not detect anything and we could not find any other unusual software running on the client PCs. Client machines include several Microsoft operating systems; Windows 98, Windows 2000, Windows XP. We have captured outbound traffic using tcpdump, and looked at it with ethereal. No packets with "data" appear to be making it out. The packets we have been seeing include; SMB "Tree Disconnect Request", SMB "Echo Request", NBNS "Name query NBSTAT" and some other "failed SMB" packets. At this point we are not sure if this is benign or malicious. Have others seen this type of unusual network traffic? The 1.11.0.0/16 network seems unreachable (no ping responses), how can this traffic be getting out (or where is it trying to go)? Any suggestions at other things to check? Sample firewall logs: Aug 10 05:15:48 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=40 S=0x00 I=42620 F=0x4000 T=128 (#13) Aug 10 05:15:49 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42665 F=0x4000 T=128 (#13) Aug 10 05:15:50 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42673 F=0x4000 T=128 (#13) Aug 10 05:15:51 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42694 F=0x4000 T=128 (#13) Aug 10 05:15:52 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42733 F=0x4000 T=128 (#13) Aug 10 05:15:55 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42783 F=0x4000 T=128 (#13) Aug 10 05:16:02 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42791 F=0x4000 T=128 (#13) Aug 10 05:54:32 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.78:1160 1.11.31.99:445 L=79 S=0x00 I=11794 F=0x4000 T=128 (#13) Aug 10 05:54:32 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.78:1160 1.11.31.99:445 L=79 S=0x00 I=11795 F=0x4000 T=128 (#13) ... Sep 8 18:03:14 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=192 S=0x00 I=23459 F=0x4000 T=128 (#13) Sep 8 18:03:14 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=192 S=0x00 I=23460 F=0x4000 T=128 (#13) Sep 8 18:04:26 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23600 F=0x4000 T=128 (#13) Sep 8 18:04:27 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23601 F=0x4000 T=128 (#13) Sep 8 18:04:27 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23602 F=0x4000 T=128 (#13) Sep 8 18:04:29 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23748 F=0x4000 T=128 (#13) Sep 8 18:04:32 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23906 F=0x4000 T=128 (#13) Sep 8 18:04:39 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=24135 F=0x4000 T=128 (#13) Sep 8 18:04:41 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=93 S=0x00 I=24136 F=0x4000 T=128 (#13)
Current thread:
- unusual 1.11.0.0/16 outbound traffic Federico Grau (Sep 15)
- RE: unusual 1.11.0.0/16 outbound traffic Michael Zanetta (Sep 15)
- Re: unusual 1.11.0.0/16 outbound traffic Andrew Heath (Sep 22)
- <Possible follow-ups>
- RE: unusual 1.11.0.0/16 outbound traffic Jim Harrison (ISA) (Sep 16)
- Re: unusual 1.11.0.0/16 outbound traffic James C. Slora Jr. (Sep 17)