Security Incidents mailing list archives
RE: unusual 1.11.0.0/16 outbound traffic
From: "Jim Harrison (ISA)" <jmharr () microsoft com>
Date: Thu, 16 Sep 2004 09:20:00 -0700
The signature of dest=TCP:445 sounds a lot like Sasser (or clone) infections on those internal hosts. Time to scan those boxes, fer shur!

Jim Harrison
MCP(NT4/2K), A+, Network+
Security Business Unit (ISA SE)

"The last 10 years of Internet usage has disproven the theory that a million monkeys typing on a million typewriters would eventually produce the complete works of Shakespeare. ..or maybe it only works for typewriters..." (unclaimed)

-----Original Message-----
From: Federico Grau [mailto:donfede () casagrau org]
Sent: Tuesday, September 14, 2004 2:23 PM
To: incidents () securityfocus com
Subject: unusual 1.11.0.0/16 outbound traffic

Hello Incidents folk,

We have been seeing an increasing amount of unusual network activity trying to get out of our internal LAN. What is most odd about this traffic is that it is directed to the 1.11.0.0/16 subnet (an IANA Reserved subnet, which I believe is to be used for VPNs).

The activity began 2004-08-10 with 4 machines trying to send packets out at different times. Slowly the number of machines trying to send out this network traffic has grown to 18 last week. We have not seen trends in the times when the activity occurs; it ranges throughout all times of the day and night, regardless of whether the user is at his machine. We have not seen trends in which machines attempt to send out the network traffic, other than that the number appears to be growing.

We have virus scanners on desktop machines (McAfee) and on our mailserver (MailScanner w/ Sophos and McAfee). Anti-virus software does not detect anything and we could not find any other unusual software running on the client PCs. Client machines include several Microsoft operating systems: Windows 98, Windows 2000, Windows XP.

We have captured outbound traffic using tcpdump, and looked at it with Ethereal. No packets with "data" appear to be making it out. The packets we have been seeing include: SMB "Tree Disconnect Request", SMB "Echo Request", NBNS "Name query NBSTAT" and some other "failed SMB" packets.

At this point we are not sure if this is benign or malicious. Have others seen this type of unusual network traffic? The 1.11.0.0/16 network seems unreachable (no ping responses); how can this traffic be getting out (or where is it trying to go)? Any suggestions at other things to check?

Sample firewall logs:

Aug 10 05:15:48 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=40 S=0x00 I=42620 F=0x4000 T=128 (#13)
Aug 10 05:15:49 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42665 F=0x4000 T=128 (#13)
Aug 10 05:15:50 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42673 F=0x4000 T=128 (#13)
Aug 10 05:15:51 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42694 F=0x4000 T=128 (#13)
Aug 10 05:15:52 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42733 F=0x4000 T=128 (#13)
Aug 10 05:15:55 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42783 F=0x4000 T=128 (#13)
Aug 10 05:16:02 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42791 F=0x4000 T=128 (#13)
Aug 10 05:54:32 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.78:1160 1.11.31.99:445 L=79 S=0x00 I=11794 F=0x4000 T=128 (#13)
Aug 10 05:54:32 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.78:1160 1.11.31.99:445 L=79 S=0x00 I=11795 F=0x4000 T=128 (#13)
...
Sep 8 18:03:14 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=192 S=0x00 I=23459 F=0x4000 T=128 (#13)
Sep 8 18:03:14 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=192 S=0x00 I=23460 F=0x4000 T=128 (#13)
Sep 8 18:04:26 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23600 F=0x4000 T=128 (#13)
Sep 8 18:04:27 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23601 F=0x4000 T=128 (#13)
Sep 8 18:04:27 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23602 F=0x4000 T=128 (#13)
Sep 8 18:04:29 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23748 F=0x4000 T=128 (#13)
Sep 8 18:04:32 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23906 F=0x4000 T=128 (#13)
Sep 8 18:04:39 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=24135 F=0x4000 T=128 (#13)
Sep 8 18:04:41 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=93 S=0x00 I=24136 F=0x4000 T=128 (#13)
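Editor's note: the triage Jim recommends (find which internal boxes are the TCP/445 sources and watch whether that set keeps growing) can be pulled straight out of the ipchains "Packet log:" lines Federico posted. The Python below is an added example, not code from either poster; it parses that log format, lists the internal sources sending TCP/445 toward the watched prefix, and reports how many distinct sources have appeared by each date, which is the "4 machines growing to 18" trend the original post describes. The sample log is constructed: a subset of the posted lines plus one invented ACCEPT line to 10.0.0.5:80 so the filter has something to skip. The 172.30.0.0/16 LAN and the 1.11.0.0/16 watched prefix are assumptions taken from the posted logs and are parameters; note that 1.0.0.0/8 was allocated (to APNIC, in 2010) after this thread, so a "reserved destination" check must not be hard-coded.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: a subset of the post's ipchains "Packet log:" lines plus one
# ACCEPTed HTTP line to 10.0.0.5 (invented here) so the filter has something to skip.
SAMPLE_LOG = """\
Aug 10 05:15:48 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=40 S=0x00 I=42620 F=0x4000 T=128 (#13)
Aug 10 05:15:49 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42665 F=0x4000 T=128 (#13)
Aug 10 05:54:32 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.78:1160 1.11.31.99:445 L=79 S=0x00 I=11794 F=0x4000 T=128 (#13)
Aug 10 06:01:10 peter-172 kernel: Packet log: input ACCEPT eth0 PROTO=6 172.30.3.78:1161 10.0.0.5:80 L=60 S=0x00 I=11800 F=0x4000 T=128 (#2)
Sep 8 18:03:14 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=192 S=0x00 I=23459 F=0x4000 T=128 (#13)
Sep 8 18:04:26 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23600 F=0x4000 T=128 (#13)
"""

# Field layout of an ipchains kernel log line (the syslog timestamp carries no year).
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+) kernel: Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)"
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Assumptions: the LAN is the 172.30.0.0/16 seen as source in the posted logs and
# the watched prefix is the 1.11.0.0/16 from the post. Both are parameters, not
# facts about any network; 1.0.0.0/8 has been allocated since 2010.
INTERNAL = ip_network("172.30.0.0/16")
WATCHED = ip_network("1.11.0.0/16")


def parse_line(line):
    """Parse one ipchains 'Packet log:' line into typed fields, or None if it is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    f = m.groupdict()
    return {
        "date": f"{f['mon']} {int(f['day'])}", "time": f["time"], "host": f["host"],
        "chain": f["chain"], "action": f["action"], "iface": f["iface"],
        "proto": int(f["proto"]),
        "src": ip_address(f["src"]), "sport": int(f["sport"]),
        "dst": ip_address(f["dst"]), "dport": int(f["dport"]),
        "len": int(f["len"]), "ttl": int(f["ttl"]),
    }


def find_smb_scanners(lines, internal=INTERNAL, watched=WATCHED):
    """Internal hosts sending TCP/445 toward the watched prefix, keyed by source IP.

    Every matching packet is counted regardless of the firewall verdict, so a
    later rule change (an ACCEPT instead of a REJECT) does not hide the behaviour.
    """
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != 6 or rec["dport"] != 445:
            continue
        if rec["src"] not in internal or rec["dst"] not in watched:
            continue
        e = hits.setdefault(str(rec["src"]), {"dates": set(), "dsts": set(), "packets": 0})
        e["dates"].add(rec["date"])
        e["dsts"].add(str(rec["dst"]))
        e["packets"] += 1
    return hits


def _date_key(date):
    """'Aug 10' -> (8, 10), good enough for ordering within one syslog year."""
    mon, day = date.split()
    return (MONTHS[mon], int(day))


def sources_by_date(hits):
    """Cumulative count of distinct offending sources first seen on or before each date.

    This is the trend the original post tracked by hand (4 hosts growing to 18).
    """
    first_seen = {src: min(e["dates"], key=_date_key) for src, e in hits.items()}
    out = []
    for date in sorted(set(first_seen.values()), key=_date_key):
        n = sum(1 for d in first_seen.values() if _date_key(d) <= _date_key(date))
        out.append((date, n))
    return out


if __name__ == "__main__":
    hits = find_smb_scanners(SAMPLE_LOG.splitlines())
    for src, e in sorted(hits.items(), key=lambda kv: ip_address(kv[0])):
        print(f"{src}: {e['packets']} pkts to {sorted(e['dsts'])} on "
              f"{sorted(e['dates'], key=_date_key)}")
    for date, n in sources_by_date(hits):
        print(f"{date}: {n} distinct internal sources so far")
```

Run it against the real firewall log instead of SAMPLE_LOG to get the list of hosts to scan; the source list, not the destination, is what matters, since every posted line is an `input REJECT`, i.e. the firewall is already refusing these packets and the question is which internal machines keep generating them.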
Current thread:
- unusual 1.11.0.0/16 outbound traffic Federico Grau (Sep 15)
- RE: unusual 1.11.0.0/16 outbound traffic Michael Zanetta (Sep 15)
- Re: unusual 1.11.0.0/16 outbound traffic Andrew Heath (Sep 22)
- <Possible follow-ups>
- RE: unusual 1.11.0.0/16 outbound traffic Jim Harrison (ISA) (Sep 16)
- Re: unusual 1.11.0.0/16 outbound traffic James C. Slora Jr. (Sep 17)