Security Incidents mailing list archives

RE: unusual 1.11.0.0/16 outbound traffic


From: "Michael Zanetta" <mzanetta () telsys ch>
Date: Wed, 15 Sep 2004 16:21:06 +0200

Hi,

Try to use a personal firewall like Tiny or Kerio to monitor
which application is sending these packets.

http://download.kerio.com/dwn/kpf/kerio-pf-214-en-win.exe

This is an old version of Kerio firewall but it is ok to monitor this
type of traffic.

Have you changed anything recently in your network?

HTH,

Michael

-----Original Message-----
From: Federico Grau [mailto:donfede () casagrau org]
Sent: Tuesday, 14 September 2004 23:23
To: incidents () securityfocus com
Subject: unusual 1.11.0.0/16 outbound traffic



Hello Incidents folk,

We have been seeing an increasing amount of unusual network activity trying
to get out of our internal LAN.  What is most odd about this traffic is that
the traffic is directed to the 1.11.0.0/16 subnet (an IANA Reserved subnet,
which I believe is to be used for VPNs).

The activity began 2004-08-10 with 4 machines trying to send packets out at
different times.  Slowly the number of machines trying to send out this
network traffic has grown to 18 last week.

We have not seen trends of times when the activity occurs, it ranges
throughout all times of the day and night, regardless of whether the user is
at his machine.

We have not seen trends of machines attempting to send out the network
traffic, other than the number appears to be growing.

We have virus scanners on desktop machines (McAfee) and on our mailserver
(MailScanner w/ Sophos and McAfee).  Anti-virus software does not detect
anything and we could not find any other unusual software running on the
client PCs.

Client machines include several Microsoft operating systems: Windows 98,
Windows 2000, Windows XP.

We have captured outbound traffic using tcpdump, and looked at it with
ethereal.  No packets with "data" appear to be making it out.  The packets
we have been seeing include: SMB "Tree Disconnect Request", SMB "Echo Request",
NBNS "Name query NBSTAT" and some other "failed SMB" packets.

At this point we are not sure if this is benign or malicious.

Have others seen this type of unusual network traffic?

The 1.11.0.0/16 network seems unreachable (no ping responses), how can this
traffic be getting out (or where is it trying to go)?

Any suggestions at other things to check?


Sample firewall logs:
Aug 10 05:15:48 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=40 S=0x00 I=42620 F=0x4000 T=128 (#13)
Aug 10 05:15:49 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42665 F=0x4000 T=128 (#13)
Aug 10 05:15:50 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42673 F=0x4000 T=128 (#13)
Aug 10 05:15:51 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42694 F=0x4000 T=128 (#13)
Aug 10 05:15:52 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42733 F=0x4000 T=128 (#13)
Aug 10 05:15:55 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42783 F=0x4000 T=128 (#13)
Aug 10 05:16:02 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42791 F=0x4000 T=128 (#13)
Aug 10 05:54:32 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.78:1160 1.11.31.99:445 L=79 S=0x00 I=11794 F=0x4000 T=128 (#13)
Aug 10 05:54:32 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.78:1160 1.11.31.99:445 L=79 S=0x00 I=11795 F=0x4000 T=128 (#13)
...
Sep  8 18:03:14 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=192 S=0x00 I=23459 F=0x4000 T=128 (#13)
Sep  8 18:03:14 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=192 S=0x00 I=23460 F=0x4000 T=128 (#13)
Sep  8 18:04:26 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23600 F=0x4000 T=128 (#13)
Sep  8 18:04:27 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23601 F=0x4000 T=128 (#13)
Sep  8 18:04:27 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23602 F=0x4000 T=128 (#13)
Sep  8 18:04:29 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23748 F=0x4000 T=128 (#13)
Sep  8 18:04:32 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23906 F=0x4000 T=128 (#13)
Sep  8 18:04:39 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=24135 F=0x4000 T=128 (#13)
Sep  8 18:04:41 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=93 S=0x00 I=24136 F=0x4000 T=128 (#13)

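As an added example, not part of either message in this thread, the following Python parser reads the ipchains-style "Packet log:" lines quoted in the post and tallies, per internal source host, the rejected TCP/445 attempts into 1.11.0.0/16, so the number of affected hosts (the figure the poster watched grow from 4 to 18) can be tracked from the firewall log alone. The sample input reuses four lines from the post plus two constructed control lines; the field names are my own.

```python
import ipaddress
import re
# Matches the ipchains-style "Packet log:" lines quoted in the post.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)$"
)
SUSPECT_NET = ipaddress.ip_network("1.11.0.0/16")  # the range the post asks about

# Sample input: first four lines are copied from the post; the last two are constructed
# controls (a port-445 attempt outside 1.11.0.0/16, and a line that is not a Packet log).
SAMPLE_LOG = [
    "Aug 10 05:15:48 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=40 S=0x00 I=42620 F=0x4000 T=128 (#13)",
    "Aug 10 05:15:49 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42665 F=0x4000 T=128 (#13)",
    "Aug 10 05:54:32 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.78:1160 1.11.31.99:445 L=79 S=0x00 I=11794 F=0x4000 T=128 (#13)",
    "Sep  8 18:03:14 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=192 S=0x00 I=23459 F=0x4000 T=128 (#13)",
    "Sep  8 18:05:00 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4802 10.1.2.3:445 L=79 S=0x00 I=23910 F=0x4000 T=128 (#13)",
    "Sep  8 18:05:01 peter-172 kernel: unrelated message",
]

def parse_line(line):
    """Return the fields of one log line as a dict, or None for non-matching lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "host": d["host"], "action": d["action"], "proto": int(d["proto"]),
            "src": d["src"], "sport": int(d["sport"]), "dst": d["dst"], "dport": int(d["dport"]),
            "length": int(d["len"]), "ttl": int(d["ttl"]), "rule": int(d["rule"])}

def summarize(lines, net=SUSPECT_NET, port=445):
    """Per internal source host, tally rejected TCP attempts to `port` inside `net`.
    The number of keys is the number of affected hosts, the figure worth trending daily."""
    hosts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != 6 or rec["dport"] != port:
            continue  # only TCP to the SMB port is of interest here
        if ipaddress.ip_address(rec["dst"]) not in net:
            continue  # ignore traffic to other destinations
        e = hosts.setdefault(rec["src"], {"count": 0, "first": rec["ts"], "last": rec["ts"], "dsts": set()})
        e["count"] += 1
        e["last"] = rec["ts"]
        e["dsts"].add(rec["dst"])
    return hosts

if __name__ == "__main__":
    for src, e in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src}: {e['count']} attempts, {e['first']} .. {e['last']}, to {sorted(e['dsts'])}")
```

Feeding the full day's log into summarize() and diffing the set of source hosts against the previous day's gives the list of newly affected machines to pull for inspection.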