Security Incidents mailing list archives
Re: Odd traffic again...... internal --> 100.100.100.1 (137-udp)
From: loki74 <loki74 () gmail com>
Date: Thu, 24 Aug 2006 11:59:17 -0400
Static IP. Nothing in LMHosts. There is no IP of 100.100.100.1, I added a host of 100.100.100.2, and nmap'd. It is odd...

On 8/24/06, Joel Esler <joel.esler () sourcefire com> wrote:

> Do you have an IP on your network of 100.100.100.1?
>
> Joel
>
> On Thu, Aug 24, 2006 at 10:42:28AM -0400, loki74 apparently sent me:
> > Hello,
> > I have posted before about a Windows box that sent traffic to
> > different IPs on port 137, and never really got a solution to it. We
> > have since wiped that box. Now we have a new box, built in a DMZ
> > (fresh install, all patches applied) and just connected it to the
> > internal LAN (behind fw). The box now sends UDP port 137 to
> > 100.100.100.1. The perimeter firewall blocks this, and that is where
> > it was noticed. I have started logging on my firewall to find out who
> > it was, and it is an internal box.
> >
> > Cisco ACL:
> >
> > Aug 24 12:28:42: %SEC-6-IPACCESSLOGP: list internal_out denied udp
> > x.x.x.x(49375) -> 100.100.100.1(137), 5 packets
> >
> > Firewall Log:
> >
> > eth4c0:i[78]: 192.168.x.x -> 100.100.100.1 (UDP) len=78 id=13167
> > UDP: 137 -> 137
> > eth4c0:I[78]: 192.168.x.x -> 100.100.100.1 (UDP) len=78 id=13167
> > UDP: 137 -> 137
> > eth1c0:o[78]: 192.168.x.x -> 100.100.100.1 (UDP) len=78 id=13167
> > UDP: 137 -> 137
> > eth1c0:O[78]: 68.163.87.34 -> 100.100.100.1 (UDP) len=78 id=13167
> > UDP: 49902 -> 137
> >
> > I am now capturing the traffic again, though there is nothing in it.
> > Anyone ever seen this?
> >
> > T
> >
> > ------------------------------------------------------------------------------
> > This List Sponsored by: Black Hat
> >
> > Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. World renowned security experts reveal
> > tomorrow's threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security
> > environment. Featuring 36 hands-on training courses and 10 conference tracks, networking opportunities with over 2,500
> > delegates from 40+ nations.
> > http://www.blackhat.com
> > ------------------------------------------------------------------------------
>
> +---------------------------------------------------------------------+
> joel esler
> senior security consultant
> 1-706-627-2101
> Sourcefire
> Security for the /Real/ World -- http://www.sourcefire.com
> Snort - Open Source Network IPS/IDS -- http://www.snort.org
> gpg key: http://demo.sourcefire.com/jesler.pgp.key
> aim:eslerjoel ymsg:eslerjoel gtalk:eslerj
> +---------------------------------------------------------------------+
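The two log formats quoted in this thread are enough to build a simple egress check for the behaviour being discussed. The following Python is an added example, not code from either poster: it parses Cisco %SEC-6-IPACCESSLOGP lines and the firewall's two-line records, then reports RFC1918 hosts sending UDP/137 (NetBIOS name service) to destinations outside the private ranges. The sample log is constructed after the lines above, with the masked x.x.x.x replaced by a made-up 192.168.1.10; the post-NAT copy with the public source address is shown so the check does not double-count it.

```python
import ipaddress
import re

# Cisco ACL line as quoted in the thread; the firewall records are a header line followed by "PROTO: sport -> dport"
CISCO_RE = re.compile(r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>\w+) (?P<proto>\w+) "
                      r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")
FW_HDR_RE = re.compile(r"^(?P<iface>\S+?):(?P<dir>[iIoO])\[\d+\]: (?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<proto>\w+)\)")
FW_PORTS_RE = re.compile(r"^(?P<proto>\w+): (?P<sport>\d+) -> (?P<dport>\d+)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True only for RFC1918 addresses; 100.100.100.1 falls outside them, which is the whole point of the check."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_events(lines):
    """Return (src, sport, dst, dport, proto) tuples from Cisco ACL lines and two-line firewall records."""
    events, pending = [], None
    for line in lines:
        line = line.strip()
        m = CISCO_RE.search(line)
        if m:
            events.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"].lower()))
            continue
        m = FW_HDR_RE.match(line)
        if m:
            pending = m  # the port pair is on the next line
            continue
        m = FW_PORTS_RE.match(line)
        if m and pending:
            events.append((pending["src"], int(m["sport"]), pending["dst"], int(m["dport"]), m["proto"].lower()))
            pending = None
    return events

def netbios_egress(lines):
    """Internal hosts sending UDP/137 to non-RFC1918 destinations; the post-NAT copy (public src) is ignored."""
    return {src for src, _, dst, dport, proto in parse_events(lines)
            if proto == "udp" and dport == 137 and is_internal(src) and not is_internal(dst)}

# Constructed sample modelled on the thread's logs (masked x.x.x.x replaced by a made-up 192.168.1.10)
SAMPLE_LOG = """
Aug 24 12:28:42: %SEC-6-IPACCESSLOGP: list internal_out denied udp 192.168.1.10(49375) -> 100.100.100.1(137), 5 packets
eth4c0:i[78]: 192.168.1.10 -> 100.100.100.1 (UDP) len=78 id=13167
UDP: 137 -> 137
eth1c0:o[78]: 192.168.1.10 -> 100.100.100.1 (UDP) len=78 id=13167
UDP: 137 -> 137
eth1c0:O[78]: 68.163.87.34 -> 100.100.100.1 (UDP) len=78 id=13167
UDP: 49902 -> 137
""".strip().splitlines()
```

Running `netbios_egress(SAMPLE_LOG)` yields the single internal source from the sample; in practice the flagged host is the one to inspect for the name-resolution configuration that is generating the lookups.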
Current thread:
- Odd traffic again...... internal --> 100.100.100.1 (137-udp) loki74 (Aug 24)
- Re: Odd traffic again...... internal --> 100.100.100.1 (137-udp) loki74 (Aug 24)
- Re: Odd traffic again...... internal --> 100.100.100.1 (137-udp) Tillmann Werner (Aug 24)
- Re: Re: Odd traffic again...... internal --> 100.100.100.1 (137-udp) i . m . crazy . frog (Aug 26)
- Re: Odd traffic again...... internal --> 100.100.100.1 (137-udp) Kevin Johnson (Aug 26)