interesting traffic

Discussion in 'Computer Security' started by tiffini, Dec 29, 2006.

  1. tiffini

    tiffini Guest

    Hi,

    I have noticed some interesting traffic coming from one of my PCs and then to one of my PCs.
    First a little background.
    I have a befsr41 router with snmp :) So I can log traffic going into my little network using wallwatcher and opmanager.

    I have one XP machine I leave on a lot. I notice that it is sending UDP outbound from L-port 137 to R-port 137. Then in a relatively short amount of time I see an inbound request from a different IP to ports 1026, 1027, and 1028, from a different IP than the 137 was sent from. I have Norton's running, and Ad-Aware and Spybot don't show anything.
    The addresses seem to come from anywhere: China, Hong Kong, even the US and Canada.


    Any ideas of what this is?

    Log Snips:
    -------------

    alert_audit435.txt:20:54:06:542 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 20:54:06 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 221.6.163.50:137
    alert_audit435.txt-20:54:45:033 ALERTAUDIT: System Clear: Tue Dec 26 20:54:44 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 202.97.238.132:32957 to WANIP:1026
    alert_audit435.txt-20:55:43:724 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 20:55:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.159.205:19437 to WANIP:1027
    alert_audit435.txt-20:55:43:836 ALERTAUDIT: System Clear: Tue Dec 26 20:55:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.159.205:19437 to WANIP:1028

    Log Snips:
    -------------

    alert_audit435.txt:22:01:00:913 ALERTAUDIT: System Clear: Tue Dec 26 22:01:00 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 24.64.19.74:137
    alert_audit435.txt-22:01:42:516 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:01:42 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.191.3.147:25931 to WANIP:1026
    alert_audit435.txt-22:02:43:193 ALERTAUDIT: System Clear: Tue Dec 26 22:02:42 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.255.139:16957 to WANIP:1027
    alert_audit435.txt-22:02:43:213 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:02:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.255.139:16957 to WANIP:1028

    Log Snips:
    -------------

    alert_audit436.txt:22:36:32:840 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:36:32 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 204.16.209.30:137
    alert_audit436.txt-22:38:33:569 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:38:33 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.252.244:10501 to WANIP:1026
    alert_audit436.txt-22:38:33:686 ALERTAUDIT: System Clear: Tue Dec 26 22:38:33 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.252.244:10501 to WANIP:1027
    alert_audit436.txt-22:38:33:694 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:38:33 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.252.244:10501 to WANIP:1027
    alert_audit436.txt-22:38:33:697 ALERTAUDIT: System Clear: Tue Dec 26 22:38:33 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.252.244:10501 to WANIP:1028

    Log Snips:
    -------------

    alert_audit436.txt:22:45:48:878 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:45:48 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 24.64.5.208:137
    alert_audit436.txt-22:51:51:654 ALERTAUDIT: System Clear: Tue Dec 26 22:51:51 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 204.16.208.76:37844 to WANIP:1026
    alert_audit436.txt-22:51:51:661 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:51:51 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 204.16.208.76:37844 to WANIP:1026
    alert_audit436.txt-22:51:51:769 ALERTAUDIT: System Clear: Tue Dec 26 22:51:51 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 204.16.208.76:37844 to WANIP:1027
    tiffini, Dec 29, 2006
    #1
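A small correlator over trap lines of the shape pasted above, added here as an example (it is not from the post, nor from WallWatcher or OpManager): it parses the ALERTAUDIT lines, pairs each outbound UDP/137 name query with the inbound packets to 1026-1028 that follow it, and checks whether any of those inbound packets came from the host that was queried. The sample lines are copies of the first two snips; the 600-second pairing window is an assumption.

```python
import re
from typing import NamedTuple

# Constructed sample: the first two log snips from the post, with the
# grep-style "alert_auditNNN.txt" prefixes left in so the parser sees the
# exact shape of the pasted output.
SAMPLE_LOG = """\
alert_audit435.txt:20:54:06:542 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 20:54:06 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 221.6.163.50:137
alert_audit435.txt-20:54:45:033 ALERTAUDIT: System Clear: Tue Dec 26 20:54:44 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 202.97.238.132:32957 to WANIP:1026
alert_audit435.txt-20:55:43:724 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 20:55:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.159.205:19437 to WANIP:1027
alert_audit435.txt-20:55:43:836 ALERTAUDIT: System Clear: Tue Dec 26 20:55:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.159.205:19437 to WANIP:1028
Log Snips:
alert_audit435.txt:22:01:00:913 ALERTAUDIT: System Clear: Tue Dec 26 22:01:00 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 24.64.19.74:137
alert_audit435.txt-22:01:42:516 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:01:42 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.191.3.147:25931 to WANIP:1026
alert_audit435.txt-22:02:43:193 ALERTAUDIT: System Clear: Tue Dec 26 22:02:42 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.255.139:16957 to WANIP:1027
alert_audit435.txt-22:02:43:213 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:02:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.255.139:16957 to WANIP:1028
"""


class Event(NamedTuple):
    t: float        # seconds since midnight, from the HH:MM:SS:mmm stamp
    direction: str  # "in" or "out"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# The timestamp before "ALERTAUDIT" and the "@dir PROTO from a:p to b:q" tail
# are the only parts of the line that matter for correlation.
LINE_RE = re.compile(
    r"(\d\d):(\d\d):(\d\d):(\d{3}) ALERTAUDIT:.*?"
    r"@(in|out) (UDP|TCP) from (\S+):(\d+) to (\S+):(\d+)\s*$"
)

MESSENGER_PORTS = {1026, 1027, 1028}   # the inbound ports seen in the post


def parse_log(text):
    """Turn pasted trap lines into Event tuples; non-traffic lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue   # e.g. the "Log Snips:" separator
        h, mi, s, ms, direction, proto, src, sport, dst, dport = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s) + int(ms) / 1000
        events.append(Event(t, direction, proto, src, int(sport), dst, int(dport)))
    return events


def correlate(events, window=600):
    """For each outbound UDP/137 query, collect the inbound packets to the
    Messenger ports that arrive within `window` seconds and note whether
    any of them came from the host that was queried."""
    events = sorted(events, key=lambda e: e.t)
    results = []
    for i, q in enumerate(events):
        if not (q.direction == "out" and q.proto == "UDP" and q.dport == 137):
            continue
        followups = [e for e in events[i + 1:]
                     if e.direction == "in" and e.proto == "UDP"
                     and e.dport in MESSENGER_PORTS and e.t - q.t <= window]
        results.append({
            "query_t": q.t,
            "queried_host": q.dst,
            "followups": [(e.src, e.dport) for e in followups],
            "from_queried_host": any(e.src == q.dst for e in followups),
        })
    return results


def unsolicited_sources(events):
    """Inbound source addresses that never appeared as an outbound destination:
    nothing on the LAN asked them for anything, so their packets are unsolicited."""
    contacted = {e.dst for e in events if e.direction == "out"}
    return sorted({e.src for e in events if e.direction == "in"} - contacted)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for r in correlate(evs):
        print(f"query to {r['queried_host']}: {len(r['followups'])} inbound follow-ups, "
              f"any from the queried host: {r['from_queried_host']}")
    print("unsolicited inbound sources:", unsolicited_sources(evs))
```

On the sample, neither query's follow-ups come from the host that was queried, and every inbound source is one the LAN never contacted, which is the observation that separates unrelated inbound noise from replies to something the XP box sent.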

  2. Anders

    Anders Guest

    tiffini skrev:
    > Hi,
    >
    > I have noticed some interesting traffic coming from one of my pc's and
    > then to one of my pc's.
    > First a little background.
    > I have a befsr41 router with snmp :) So I can log traffic going into
    > my little network using wallwatcher and opmanager.
    >
    > I have one XP machine I leave on a lot. I notice that it is sending UDP
    > outbound from L-port 137 to R-port 137. Then in a relatively short
    > amount of time I see an inbound request from a different IP to ports
    > 1026, 1027, and 1028, from a different IP than the 137 was sent from. I
    > have Norton's running, and Ad-Aware and Spybot don't show anything.
    > The addresses seem to come from anywhere: China, Hong Kong, even the US
    > and Canada.
    >
    >
    > Any Ideas of what this is:
    >

    Ports 137, 138, 139 and 445 are file sharing protocols, mainly for Windoze
    machines or systems running SMB.
    If you can close these ports in your router, do that.

    Ports 1024, 1025, 1027, 1028, 1029 and 1030 are normally used by spam
    coming from almost anywhere.
    Closing these is a good idea, so you don't get nice little
    pop-ups asking you stupid questions.

    --
    /Anders
    -It is a terrible way to kill yourself, this crucifying.
    -There's no way you'll be able to hammer in the last nail!
    The manic-depressive character 'Neil' from 'The Young Ones'
    Anders, Dec 29, 2006
    #2

  3. tiffini

    tiffini Guest

    I'll lock down the ports you recommend, 1024-1030 and 137.

    How do I find the app that is sending it out? I have an XP SP2 machine that is sending it.

    As I said, I have Norton's running and Ad-Aware and Spybot; all came up clean.

    One other thing to note. When I log into the machine, it takes a while for the task bar to become clickable, longer than the other machines, if that helps at all.

    Tif




    > Ports 1024, 1025, 1027, 1028, 1029 and 1030 are normally used by spam
    > coming from almost anywhere.
    > Closing these is a good idea, so you don't get nice little
    > pop-ups asking you stupid questions.
    >
    tiffini, Dec 29, 2006
    #3
  5. Anders

    Anders Guest

    tiffini skrev:
    >
    > I'll lock down the ports you recommend 1024-1030, and 137.
    >
    > How do I find the app that is sending it out? I have an XP sp2 machine
    > that is sending it.
    >
    > As I said, I have Norton's running and Ad-Aware and Spybot; all came up
    > clean.
    > One other thing to note. When I log into the machine, it takes a while
    > for the task bar to become clickable, longer than the other machines,
    > if that helps at all.
    >
    > Tif


    Maybe you have some preconfigured rule in your router that can block UPnP.

    When it comes to finding any apps/malware it can be a little trickier
    (how well do you know your system?), rather than relying on some
    programs like Spybot and Ad-Aware (I don't say that it is a bad thing
    using these programs, but they don't find everything).
    It has been a while since I was using Windows, but if I were you I
    would have a look at the processes that start up with the system using
    HijackThis, to see if I could find anything unusual there.

    Link:
    http://www.download.com/HijackThis/3000-8022_4-10379544.html?tag=topic

    --
    /Anders
    -It is a terrible way to kill yourself, this crucifying.
    -There's no way you'll be able to hammer in the last nail!
    The manic-depressive character 'Neil' from 'The Young Ones'
    Anders, Dec 29, 2006
    #5
  6. From: "tiffini" <>

    | Hi,

    | I have noticed some interesting traffic coming from one of my pc's and then to one of
    | my pc's.
    | First a little background.
    | I have a befsr41 router with snmp :) So I can log traffic going into my little
    | network using wallwatcher and opmanager.

    | I have one XP machine I leave on a lot. I notice that it is sending UDP outbound from
    | L-port 137 to R-port 137. Then in a relatively short amount of time I see an inbound
    | request from a different IP to ports 1026, 1027, and 1028, from a different IP than the
    | 137 was sent from. I have Norton's running, and Ad-Aware and Spybot don't show
    | anything.
    | The addresses seem to come from anywhere: China, Hong Kong, even the US and Canada.


    | Any Ideas of what this is:


    As always, I suggest specifically blocking both UDP and TCP ports 135 ~ 139 and 445 on *any*
    SOHO router.



    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
    David H. Lipman, Dec 29, 2006
    #6
  7. From: "tiffini" <>


    | I'll lock down the ports you recommend 1024-1030, and 137.

    | How do I find the app that is sending it out? I have an XP sp2 machine that is sending
    | it.

    | As I said, I have Norton's running and Ad-Aware and Spybot; all came up clean.

    | One other thing to note. When I log into the machine, it takes a while for the task
    | bar to become clickable, longer than the other machines, if that helps at all.

    | Tif


    NO !

    Do NOT block 1024-1030.

    As stated before, on the router, block TCP and UDP ports 135 ~ 139 and 445.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
    David H. Lipman, Dec 29, 2006
    #7
  8. Robert

    Robert Guest

    On Fri, 29 Dec 2006 13:40:22 -0600, tiffini wrote:

    > I'll lock down the ports you recommend 1024-1030, and 137.


    You should really lock down everything outbound that you don't need.

    > How do I find the app that is sending it out? I have an XP sp2 machine
    > that is sending it.


    XP is the app that is doing this. This is how Windows talks with other
    Windows machines on the network.

    > As I said, I have Norton's running and Ad-Aware and Spybot; all came up
    > clean.


    As they will. This is not an adware thing but a windows thing.

    > One other thing to note. When I log into the machine, it takes a while
    > for the task bar to become clickable, longer than the other machines,
    > if that helps at all.


    This could be caused by many things. Mainly what is loaded when you log
    in and what it's trying to do while you are logging in.


    --

    Regards
    Robert

    Smile... it increases your face value!


    Robert, Dec 29, 2006
    #8
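To check for yourself what the UDP/137 datagrams carry, here is an added example (not Robert's code, and not from any tool named in the thread) that builds and decodes a NetBIOS Name Service query as defined in RFC 1002. The WORKGROUP name, the 0x1D suffix and the transaction id are constructed; the payload of a real port-137 packet captured from the XP box would go through parse_name_query the same way.

```python
import struct

# NetBIOS name suffix byte -> the Windows service it denotes (common values).
NBNS_SUFFIX = {
    0x00: "workstation", 0x03: "messenger", 0x1B: "domain master browser",
    0x1C: "domain controllers", 0x1D: "master browser",
    0x1E: "browser election", 0x20: "file server",
}


def encode_name(name, suffix):
    """RFC 1001 first-level encoding: the 15-character, space-padded name plus
    the suffix byte, each byte split into two nibbles written as 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    half = bytearray()
    for b in raw:
        half.append(ord("A") + (b >> 4))
        half.append(ord("A") + (b & 0x0F))
    return bytes([32]) + bytes(half) + b"\x00"   # label length, 32 chars, root label


def decode_name(data, offset=0):
    """Inverse of encode_name; returns (name, suffix, offset after the name)."""
    if data[offset] != 32:
        raise ValueError("NetBIOS names are always 32 encoded characters")
    enc = data[offset + 1:offset + 33]
    raw = bytes(((enc[i] - 65) << 4) | (enc[i + 1] - 65) for i in range(0, 32, 2))
    if data[offset + 33] != 0:
        raise ValueError("missing root label after the name")
    return raw[:15].decode("ascii").rstrip(" "), raw[15], offset + 34


def build_name_query(txid, name, suffix, broadcast=False):
    """NBNS NAME QUERY REQUEST: 12-byte header, one question, QTYPE NB, QCLASS IN."""
    flags = 0x0100 | (0x0010 if broadcast else 0)   # opcode 0 (query), RD; B for broadcast
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name, suffix) + struct.pack(">HH", 0x0020, 0x0001)


def parse_name_query(payload):
    """Decode the UDP/137 payload of a name query request into its fields."""
    txid, flags, qdcount, _, _, _ = struct.unpack(">HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0x0F
    if flags & 0x8000 or opcode != 0 or qdcount != 1:
        raise ValueError("not a NBNS name query request")
    name, suffix, off = decode_name(payload, 12)
    qtype, qclass = struct.unpack(">HH", payload[off:off + 4])
    return {
        "txid": txid, "name": name, "suffix": suffix,
        "service": NBNS_SUFFIX.get(suffix, "unknown"),
        "broadcast": bool(flags & 0x0010), "qtype": qtype, "qclass": qclass,
    }


if __name__ == "__main__":
    # Constructed: a unicast lookup for the WORKGROUP master browser (suffix 0x1D),
    # the kind of query a browsing Windows box sends to port 137.
    pkt = build_name_query(0x1234, "WORKGROUP", 0x1D)
    print(len(pkt), "bytes:", parse_name_query(pkt))
```

A decoded name and suffix tell you which Windows service the box was looking for; a query of this shape leaving for an Internet address is the "Windows thing" Robert describes, and blocking 135-139 and 445 at the router, as recommended earlier in the thread, keeps such lookups inside the LAN.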
  9. Moe Trin

    Moe Trin Guest

    On Fri, 29 Dec 2006, in the Usenet newsgroup alt.computer.security, in article
    <g3flh.32$0F1.10@trnddc02>, David H. Lipman wrote:

    >From: "tiffini" <>


    [Did the O/P notice the responses to his earlier posting of this question
    in the newsgroup comp.os.linux.networking?]

    >| I'll lock down the ports you recommend 1024-1030, and 137.


    >NO !
    >
    >Do NOT block 1024-1030.


    Depending on the capabilities of your firewall (recognizing incoming
    packets in those ranges as being replies to something your systems sent
    out, versus unsolicited packets inbound) blocking those ports is quite
    reasonable. On my home firewall, I've been dropping incoming unrelated
    UDP to those ports for several years now. It's just ordinary messenger
    spam such as:

    STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.

    Windows has found 55 Critical System Errors.

    To fix the errors please do the following:

    1. Download Registry Update from: www.some.spammers.website
    2. Install Registry Update
    3. Run Registry Update
    4. Reboot your computer

    FAILURE TO ACT NOW MAY LEAD TO SYSTEM FAILURE!

    That one was captured on the firewall a couple of weeks ago when I was
    running a packet sniffer. Source address was bogus. Oh, and I know it's
    not real because I don't have any Microsoft boxes, and the spammers'
    web site isn't microsoft.com - not that they give a hoot if your systems
    are 0wn3d.

    At work, we port shift any outgoing packets out of the 1025-1050 range
    (nearly all are DNS queries outbound) and drop any inbound to that range
    as they can't be valid replies to anything we've sent out. Last I bothered
    to measure, it was averaging a half Megabyte per day per IP address, so
    for a /16 network, that saves about a Gigabyte of bandwidth every _month_

    Using a packet sniffer to capture this crap, it's usually pretty obvious
    based on IP and UDP headers that the source is fake, and this most often
    seems to be coming from zombie windoze boxes on your ISP's local range.
    You _could_ bitch to your ISP about it, but the O/P is posting from
    Comcast which probably isn't going to know how to spell 'IP' much less
    know about port numbers and protocols.

    Old guy
    Moe Trin, Dec 30, 2006
    #9
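Moe Trin's two rules, admitting inbound packets to the 1025-1050 range only as replies and shifting outbound source ports out of that range, as an added example (an illustration written for this page, not his firewall's configuration): a minimal connection-tracking table that accepts an inbound UDP datagram only when it reverses an outbound one seen within a timeout. The resolver address 192.0.2.53, the ephemeral port 1031, the shifted-port base 40000 and the 30-second timeout are constructed, and NAT is ignored so the LAN address stands in on both sides.

```python
class UdpReplyTracker:
    """Reply-only admission for the ephemeral range the post describes.

    Outbound datagrams are recorded, with source ports in the guarded range
    shifted to a higher port on the way out; an inbound datagram is admitted
    only if it reverses a recorded flow that is still within `timeout`.
    """
    GUARDED_RANGE = range(1025, 1051)   # 1025-1050, as in the post

    def __init__(self, timeout=30.0, shift_base=40000):
        self.timeout = timeout
        self.next_shift = shift_base
        # (remote_ip, remote_port, local_ip, wire_port) -> (last_seen, original_local_port)
        self.flows = {}

    def _expire(self, now):
        stale = [k for k, (seen, _) in self.flows.items() if now - seen > self.timeout]
        for k in stale:
            del self.flows[k]

    def outbound(self, now, src, sport, dst, dport):
        """Record an outbound datagram and return the source port used on the wire."""
        self._expire(now)
        wire_port = sport
        if sport in self.GUARDED_RANGE:        # port shift: nothing leaves from 1025-1050
            wire_port = self.next_shift
            self.next_shift += 1
        self.flows[(dst, dport, src, wire_port)] = (now, sport)
        return wire_port

    def inbound(self, now, src, sport, dst, dport):
        """Classify an inbound datagram.

        ('accept', local_port)  reverses a live outbound flow (port un-shifted)
        ('drop', None)          lands in the guarded range with no matching flow
        ('unmatched', dport)    outside the range; left to the rest of the ruleset
        """
        self._expire(now)
        key = (src, sport, dst, dport)
        if key in self.flows:
            _, original = self.flows[key]
            self.flows[key] = (now, original)   # refresh the entry
            return ("accept", original)
        if dport in self.GUARDED_RANGE:
            return ("drop", None)   # cannot be a reply: nothing left from that port
        return ("unmatched", dport)


def run_demo():
    """Constructed sequence of datagrams; returns the tracker's decisions in order."""
    fw = UdpReplyTracker(timeout=30.0)
    out = []
    # A DNS query leaves from ephemeral port 1031 and goes out on 40000 instead.
    wire = fw.outbound(0.0, "10.100.1.7", 1031, "192.0.2.53", 53)
    out.append(("shifted_to", wire))
    # The resolver's reply comes back to the shifted port: accepted, mapped to 1031.
    out.append(fw.inbound(0.05, "192.0.2.53", 53, "10.100.1.7", wire))
    # Messenger spam to 1026 from a host nothing here ever contacted (an address
    # from the thread's log): no flow, in range, dropped.
    out.append(fw.inbound(1.0, "202.97.238.132", 32957, "10.100.1.7", 1026))
    # An unsolicited datagram aimed at the original port 1031: the real query
    # was shifted, so there is no flow on 1031 and it is dropped as well.
    out.append(fw.inbound(1.5, "192.0.2.53", 53, "10.100.1.7", 1031))
    # Port 80 is outside the guarded range; this rule does not decide it.
    out.append(fw.inbound(2.0, "198.51.100.9", 4444, "10.100.1.7", 80))
    # Long after the timeout the flow entry is gone, so a late reply no longer matches.
    out.append(fw.inbound(100.0, "192.0.2.53", 53, "10.100.1.7", wire))
    return out


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The port shift is what makes the drop rule safe: once no outbound datagram ever carries a source port in 1025-1050, an inbound datagram to that range cannot be a reply to anything, which is the reasoning the post gives for dropping the range at the border.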
  10. From: "Moe Trin" <>


    |
    | Depending on the capabilities of your firewall (recognizing incoming
    | packets in those ranges as being replies to something your systems sent
    | out, versus unsolicited packets inbound) blocking those ports is quite
    | reasonable. On my home firewall, I've been dropping incoming unrelated
    | UDP to those ports for several years now. It's just ordinary messenger
    | spam such as:
    |
    | STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.
    |
    | Windows has found 55 Critical System Errors.
    |
    | To fix the errors please do the following:
    |
    | 1. Download Registry Update from: www.some.spammers.website
    | 2. Install Registry Update
    | 3. Run Registry Update
    | 4. Reboot your computer
    |
    | FAILURE TO ACT NOW MAY LEAD TO SYSTEM FAILURE!
    |
    | That one was captured on the firewall a couple of weeks ago when I was
    | running a packet sniffer. Source address was bogus. Oh, and I know it's
    | not real because I don't have any Microsoft boxes, and the spammers'
    | web site isn't microsoft.com - not that they give a hoot if your systems
    | are 0wn3d.
    |
    | At work, we port shift any outgoing packets out of the 1025-1050 range
    | (nearly all are DNS queries outbound) and drop any inbound to that range
    | as they can't be valid replies to anything we've sent out. Last I bothered
    | to measure, it was averaging a half Megabyte per day per IP address, so
    | for a /16 network, that saves about a Gigabyte of bandwidth every _month_
    |
    | Using a packet sniffer to capture this crap, it's usually pretty obvious
    | based on IP and UDP headers that the source is fake, and this most often
    | seems to be coming from zombie windoze boxes on your ISP's local range.
    | You _could_ bitch to your ISP about it, but the O/P is posting from
    | Comcast which probably isn't going to know how to spell 'IP' much less
    | know about port numbers and protocols.
    |
    | Old guy

    Thanx Moe Trin and Happy New Year.

    Hopefully this "Old guy" will grace us with his presence more often in 2007. :)

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
    David H. Lipman, Dec 30, 2006
    #10
