Security Incidents mailing list archives

Re: unusual 1.11.0.0/16 outbound traffic


From: Andrew Heath <ah228 () cornell edu>
Date: Mon, 20 Sep 2004 11:28:46 -0400

I saw similar traffic to this when a consultant typo'ed the AD domain name in a remote office re-install. The clients began trying to authenticate and connect against a server on the other side of the world and logged up a lot of bogus outgoing 445's.

At 05:23 PM 9/14/2004, Federico Grau wrote:

Hello Incidents folk,

We have been seeing an increasing amount of unusual network activity trying to
get out of our internal LAN.  What is most odd about this traffic is that the
traffic is directed to the 1.11.0.0/16 subnet (an IANA Reserved subnet, which
I believe is to be used for VPNs).

The activity began 2004-08-10 with 4 machines trying to send packets out at
different times.  Slowly the number of machines trying to send out this
network traffic has grown to 18 last week.

<snip>

Sep 8 18:04:32 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23906 F=0x4000 T=128 (#13)
Sep 8 18:04:39 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=24135 F=0x4000 T=128 (#13)
Sep 8 18:04:41 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=93 S=0x00 I=24136 F=0x4000 T=128 (#13)

Andrew Heath
Systems Administrator
Cornell Cooperative Extension
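A small triage script for the kind of log Federico quoted, added here as an example and not code from either poster. It parses the ipchains "Packet log" line format shown in the thread, flags TCP/445 attempts toward 1.11.0.0/16, and groups them by source host, which is the count Federico was tracking by hand (4 machines growing to 18) and the list you would then check against the machines whose domain name was mistyped, as in Andrew's case. The first two sample lines are taken from the thread; the remaining two are constructed (a second internal source and an accepted connection to a legitimate local server) so the filter has something to ignore. Function names, the regex and the sample data are all my assumptions.

```python
import re
import ipaddress
from collections import Counter

# Sample input: first two lines copied from the thread, last two constructed.
SAMPLE_LOG = """\
Sep 8 18:04:32 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23906 F=0x4000 T=128 (#13)
Sep 8 18:04:39 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=24135 F=0x4000 T=128 (#13)
Sep 8 18:05:02 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.77:1033 1.11.69.61:445 L=93 S=0x00 I=24136 F=0x4000 T=128 (#13)
Sep 8 18:05:10 peter-172 kernel: Packet log: input ACCEPT eth0 PROTO=6 172.30.2.201:1045 172.30.2.5:445 L=79 S=0x00 I=24200 F=0x4000 T=128 (#2)
"""

# ipchains "Packet log" layout as it appears in the quoted lines:
# <timestamp> <host> kernel: Packet log: <chain> <action> <iface> PROTO=<n>
#   <src>:<sport> <dst>:<dport> L=<len> S=<tos> I=<id> F=<frag> T=<ttl> (#<rule>)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) .*\(#(?P<rule>\d+)\)$"
)

# The destination range from the thread and the SMB port the clients were hitting.
SUSPECT_NET = ipaddress.ip_network("1.11.0.0/16")
SMB_PORT = 445
TCP = 6


def parse_line(line):
    """Return a dict of fields for one Packet log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "rule"):
        rec[key] = int(rec[key])
    return rec


def is_suspect(rec):
    """True for TCP traffic to port 445 whose destination falls in the suspect range."""
    return (
        rec["proto"] == TCP
        and rec["dport"] == SMB_PORT
        and ipaddress.ip_address(rec["dst"]) in SUSPECT_NET
    )


def summarize(log_text):
    """Count suspect attempts per internal source and collect the destinations seen."""
    by_src = Counter()
    dsts = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_suspect(rec):
            by_src[rec["src"]] += 1
            dsts.add(rec["dst"])
    return {"sources": dict(by_src), "destinations": sorted(dsts)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{len(report['sources'])} internal host(s) attempted SMB to {SUSPECT_NET}:")
    for src, n in sorted(report["sources"].items(), key=lambda kv: -kv[1]):
        print(f"  {src:15s} {n} attempt(s)")
    print("destinations:", ", ".join(report["destinations"]))
```

Run it against a syslog extract with the same format (`python triage.py < messages`, after swapping the sample for `sys.stdin.read()`); the per-source list is what you hand to whoever manages those workstations, and a steadily growing source count with a single unreachable destination is the pattern that pointed Andrew to a mistyped domain name rather than malware.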

