interesting traffic

Computer Software Security
Posted by tiffini on December 29, 2006, 12:21 pm
Hi,

I have noticed some interesting traffic coming from one of my PCs and then to
one of my PCs.
First a little background.
I have a BEFSR41 router with SNMP :-) So I can log traffic going into my
little network using WallWatcher and OpManager.

I have one XP machine I leave on a lot. I notice that it is sending UDP
outbound from L-port 137 to R-port 137. Then, in a relatively short amount of
time, I see an inbound request to ports 1026, 1027 and 1028 from a different IP
than the one the 137 was sent to. I have Norton running, and Ad-Aware
and Spybot don't show anything.
The addresses seem to come from anywhere: China, Hong Kong, even the US and
Canada.

Any ideas of what this is?

Log Snips:
-------------

alert_audit435.txt:20:54:06:542 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 20:54:06 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 221.6.163.50:137
alert_audit435.txt-20:54:45:033 ALERTAUDIT: System Clear: Tue Dec 26 20:54:44 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 202.97.238.132:32957 to WANIP:1026
alert_audit435.txt-20:55:43:724 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 20:55:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.159.205:19437 to WANIP:1027
alert_audit435.txt-20:55:43:836 ALERTAUDIT: System Clear: Tue Dec 26 20:55:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.159.205:19437 to WANIP:1028

Log Snips:
-------------

alert_audit435.txt:22:01:00:913 ALERTAUDIT: System Clear: Tue Dec 26 22:01:00 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 24.64.19.74:137
alert_audit435.txt-22:01:42:516 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:01:42 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.191.3.147:25931 to WANIP:1026
alert_audit435.txt-22:02:43:193 ALERTAUDIT: System Clear: Tue Dec 26 22:02:42 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.255.139:16957 to WANIP:1027
alert_audit435.txt-22:02:43:213 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:02:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.255.139:16957 to WANIP:1028

Log Snips:
-------------

alert_audit436.txt:22:36:32:840 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:36:32 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 204.16.209.30:137
alert_audit436.txt-22:38:33:569 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:38:33 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.252.244:10501 to WANIP:1026
alert_audit436.txt-22:38:33:686 ALERTAUDIT: System Clear: Tue Dec 26 22:38:33 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.252.244:10501 to WANIP:1027
alert_audit436.txt-22:38:33:694 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:38:33 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.252.244:10501 to WANIP:1027
alert_audit436.txt-22:38:33:697 ALERTAUDIT: System Clear: Tue Dec 26 22:38:33 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.252.244:10501 to WANIP:1028

Log Snips:
-------------

alert_audit436.txt:22:45:48:878 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:45:48 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 24.64.5.208:137
alert_audit436.txt-22:51:51:654 ALERTAUDIT: System Clear: Tue Dec 26 22:51:51 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 204.16.208.76:37844 to WANIP:1026
alert_audit436.txt-22:51:51:661 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:51:51 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 204.16.208.76:37844 to WANIP:1026
alert_audit436.txt-22:51:51:769 ALERTAUDIT: System Clear: Tue Dec 26 22:51:51 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 204.16.208.76:37844 to WANIP:1027
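As an added example (not part of the original post, and not WallWatcher or OpManager code), the Python script below parses router trap entries in the format quoted above and applies the correlation tiffini is doing by eye: an outbound UDP 137 -> 137 query from the LAN host, followed within a short window by inbound UDP to the 1024-1030 range from a different Internet host. The sample log lines are constructed to mirror the quoted format (one trap per line, since the quoted copies are grep output that has been line-wrapped), the ten-minute window and the extra 198.51.100.9 entry with no preceding 137 query are assumptions made for the demonstration, and the port labels follow Anders' reply below (137-139/445 are NetBIOS/SMB; inbound UDP 1024-1030 was the Windows Messenger-service popup-spam range of that period).

```python
"""Correlate BEFSR41 SNMP trap entries (as WallWatcher/OpManager log them):
an outbound NetBIOS name-service query (UDP 137 -> 137) from the LAN host,
followed within a short window by inbound UDP to the 1024-1030 range from
a different Internet host."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in the trap format quoted in the post, one trap per
# line (the post's copies are grep output, line-wrapped); NOT the original
# log. The last line is a lone inbound hit with no preceding 137 query.
SAMPLE_LOG = """\
alert_audit435.txt:20:54:06:542 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 20:54:06 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 221.6.163.50:137
alert_audit435.txt-20:54:45:033 ALERTAUDIT: System Clear: Tue Dec 26 20:54:44 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 202.97.238.132:32957 to WANIP:1026
alert_audit435.txt-20:55:43:724 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 20:55:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.159.205:19437 to WANIP:1027
alert_audit435.txt-20:55:43:836 ALERTAUDIT: System Clear: Tue Dec 26 20:55:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.159.205:19437 to WANIP:1028
alert_audit435.txt-21:30:00:000 ALERTAUDIT: System Clear: Tue Dec 26 21:30:00 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 198.51.100.9:40000 to WANIP:1026
"""


@dataclass
class Event:
    ts: datetime
    direction: str  # "in" (WAN -> LAN) or "out" (LAN -> WAN)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Wall-clock time inside the trap text, e.g. "Tue Dec 26 20:54:06 CST 2006".
TIME_RE = re.compile(r"(\w{3} \w{3} \d{1,2}) (\d\d:\d\d:\d\d) \w+ (\d{4})")
# Flow summary at the end of the trap, e.g. "@in UDP from 1.2.3.4:5 to WANIP:1026".
FLOW_RE = re.compile(r"@(in|out) (UDP|TCP) from (\S+?):(\d+) to (\S+?):(\d+)\s*$")

# Inbound UDP to 1024-1030: the Windows Messenger-service popup-spam range
# Anders refers to. 137 is the NetBIOS name service (137-139/445 = NetBIOS/SMB).
MESSENGER_SPAM_PORTS = set(range(1024, 1031))


def parse_log(text):
    """Turn trap lines into Events, oldest first; lines with no flow summary
    (wrapped fragments, "Log Snips:" headers, non-traffic traps) are skipped."""
    events = []
    for line in text.splitlines():
        t, f = TIME_RE.search(line), FLOW_RE.search(line)
        if not (t and f):
            continue
        ts = datetime.strptime(f"{t.group(1)} {t.group(3)} {t.group(2)}",
                               "%a %b %d %Y %H:%M:%S")
        direction, proto, src, sport, dst, dport = f.groups()
        events.append(Event(ts, direction, proto, src, int(sport), dst, int(dport)))
    return sorted(events, key=lambda e: e.ts)  # stable: equal times keep log order


def is_netbios_query(e):
    return e.direction == "out" and e.proto == "UDP" and e.sport == 137 and e.dport == 137


def is_spam_port_hit(e):
    return e.direction == "in" and e.proto == "UDP" and e.dport in MESSENGER_SPAM_PORTS


def correlate(events, window=timedelta(minutes=10)):
    """For each outbound 137 -> 137 query, collect the inbound hits on the
    spam-port range arriving within `window` from a host other than the
    query's target (the pattern the post describes). Window is an assumption."""
    pairs = []
    for q in filter(is_netbios_query, events):
        hits = [e for e in events
                if is_spam_port_hit(e) and e.src != q.dst
                and q.ts <= e.ts <= q.ts + window]
        pairs.append((q, hits))
    return pairs


def unexplained_inbound(events, window=timedelta(minutes=10)):
    """Inbound spam-port hits with no outbound 137 query in the preceding
    window. If this list is as busy as the correlated one, the two streams
    are independent and the timing in the post is coincidence."""
    queries = list(filter(is_netbios_query, events))
    return [e for e in events if is_spam_port_hit(e)
            and not any(q.ts <= e.ts <= q.ts + window for q in queries)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for q, hits in correlate(evs):
        print(f"{q.ts:%H:%M:%S} {q.src}:137 -> {q.dst}:137 (NetBIOS name query)")
        for h in hits:
            print(f"    +{int((h.ts - q.ts).total_seconds())}s  {h.src}:{h.sport} -> WAN:{h.dport}")
    for e in unexplained_inbound(evs):
        print(f"{e.ts:%H:%M:%S} unsolicited {e.src}:{e.sport} -> WAN:{e.dport}")
```

Run it against a full day of WallWatcher or OpManager output and compare the size of the correlated list with the unexplained list; the script shows timing, not causation, and inbound UDP to 1026-1028 was sprayed at whole address ranges in that period regardless of what the target had sent. For the outbound side, note that on XP a query with source port 137 is emitted by the NetBIOS name service itself (UDP 137 is bound by the System process when NetBIOS over TCP/IP is enabled), so `netstat -ano` on the machine will not point at a third-party program for that half of the pattern; the inbound half is dealt with at the router, as the reply below recommends.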

Posted by Anders on December 29, 2006, 12:38 pm
tiffini wrote:
> Hi,
>
> I have noticed some interesting traffic coming from one of my PCs and
> then to one of my PCs.
> First a little background.
> I have a BEFSR41 router with SNMP :-) So I can log traffic going into
> my little network using WallWatcher and OpManager.
>
> I have one XP machine I leave on a lot. I notice that it is sending UDP
> outbound from L-port 137 to R-port 137. Then, in a relatively short
> amount of time, I see an inbound request to ports 1026, 1027 and 1028
> from a different IP than the one the 137 was sent to. I have Norton
> running, and Ad-Aware and Spybot don't show anything.
> The addresses seem to come from anywhere: China, Hong Kong, even the US
> and Canada.
>
>
> Any ideas of what this is?
>
Ports 137, 138, 139 and 445 are file-sharing protocols, mainly for Windoze
machines or systems running SMB.
If you can close these ports on your router, do that.

Ports 1024, 1025, 1027, 1028, 1029 and 1030 are normally used by spam
coming from almost anywhere.
Closing these is a good idea, so you don't get nice little
pop-ups asking you stupid questions.

--
/Anders
-It is a terrible way to kill yourself, this crucifying.
-There's no way you'll be able to hammer in the last nail!
The manic-depressive character 'Neil' from 'The Young Ones'

Posted by tiffini on December 29, 2006, 2:39 pm
I'll lock down the ports you recommend, 1024-1030 and 137.

How do I find the app that is sending it out? I have an XP SP2 machine that is
sending it.

As I said, I have Norton running and Ad-Aware and Spybot. All came up clean.

One other thing to note. When I log into the machine, it takes a while for the
task bar to become clickable, longer than on the other machines, if that helps at
all.

Tif




> Ports 1024, 1025, 1027, 1028, 1029 and 1030 are normally used by spam
> coming from almost anywhere.
> Closing these is a good idea, so you don't get nice little
> pop-ups asking you stupid questions.
>


Posted by Anders on December 29, 2006, 3:36 pm
tiffini wrote:
>
> I'll lock down the ports you recommend, 1024-1030 and 137.
>
> How do I find the app that is sending it out? I have an XP SP2 machine
> that is sending it.
>
> As I said, I have Norton running and Ad-Aware and Spybot. All came up
> clean.
> One other thing to note. When I log into the machine, it takes a while
> for the task bar to become clickable, longer than on the other machines,
> if that helps at all.
>
> Tif

Maybe you have some preconfigured rule in your router that can block UPnP.

When it comes to finding any apps/malware it can be a little trickier
(how well do you know your system?), rather than relying on some
programs like Spybot and Ad-Aware (I don't say that using these programs
is a bad thing, but they don't find everything).
It's been a while since I used Windows, but if I were you I would
have a look at the processes that start up with the system using
HijackThis, to see if I could find anything unusual there.

Link:
http://www.download.com/HijackThis/3000-8022_4-10379544.html?tag=topic

--
/Anders
-It is a terrible way to kill yourself, this crucifying.
-There's no way you'll be able to hammer in the last nail!
The manic-depressive character 'Neil' from 'The Young Ones'
