Any idea what this is???

  1. #1


    I started seeing a ton of messages in my IDS (Snort) showing inbound ICMP Destination host unreachable messages. I'm on a net that uses private IPs. The source IP is always one of two addresses. One is a private IP address that's not on my subnet, the other is a public IP address that's not part of my public address space, but that I believe is part of my ISP's network. The destination address is always the address of my workstation.

    I've disabled the adapter and unplugged it from the network while I attempt to figure out what's going on. Any suggestions would be greatly appreciated.
    \"I would like to electrocute everyone who uses the word \"fair\" in connection with income tax policies.\"
    - William F. Buckley Jr.

  2. #2
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    Sounds like a box on the ISP network has gone haywire.... I've seen similar...

    There are a couple of other explanations that may fit, such as someone else being DOSed using spoofed source addresses and that you got unlucky being the spoofed address.

    I wouldn't worry about it if you don't have an internal box pinging away... Run an ethereal dump for icmp and see what it tells you.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Okay, I definitely have a problem. I did an Ethereal capture, and there are a TON of SYN packets going from my machine to machines on the same subnet. What's so weird is that they're getting through my ISP's routers and into his network, where he apparently is using a similar private addressing scheme. It's the ICMP messages of the hosts that aren't getting through the routers that appear to have triggered my IDS.
    \"I would like to electrocute everyone who uses the word \"fair\" in connection with income tax policies.\"
    - William F. Buckley Jr.

  4. #4
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    OK... Clue me in....

    Is this a business network with people working on the machines? How many Machines? What do we call a "ton"?

  5. #5
    Originally posted here by Tiger Shark
    OK... Clue me in....

    Is this a business network with people working on the machines? How many Machines? What do we call a "ton"?
    Yes, it's a business network. They are private IPs, so I can give you more information. The network that the problem host is on is 192.168.130.0/24. The packets I'm seeing are all SYNs from my host 192.168.130.226 to a wide variety of hosts with similar addresses such as 192.168.1.5, 192.168.30.20, etc. They're all in the 192.168.0.0 range, and there are a LOT of them. I didn't count them. Also, the destination ports are all microsoft-ds.
    \"I would like to electrocute everyone who uses the word \"fair\" in connection with income tax policies.\"
    - William F. Buckley Jr.

  6. #6
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    Then it looks like that box has a worm and is scanning its neighboring subnets for more targets.... Close it down immediately so you don't spread it any further on your network and scan it for viruses.

  7. #7
    Originally posted here by Tiger Shark
    Then it looks like that box has a worm and is scanning its neighboring subnets for more targets.... Close it down immediately so you don't spread it any further on your network and scan it for viruses.
    I disconnected it from the network as soon as I saw the scans. It has no critical data. I'm gonna boot to Knoppix to scan it and see what I find, then I'll rebuild the machine. If I'm able to identify I'll post the results just in case anyone's interested. Thanks.
    \"I would like to electrocute everyone who uses the word \"fair\" in connection with income tax policies.\"
    - William F. Buckley Jr.

  8. #8
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    Er... Was it disconnected when you did the Ethereal dump? If it was then it might have done its work. I would _definitely_ maintain an ethereal dump of the network to see if you can ID any other potentially infected boxes.

  9. #9
    Okay, this keeps getting weirder. I powered down the computer that I was having problems with, but now when I do an Ethereal capture, I see a ton of scans for port 445 (microsoft-ds) originating from the external interface of my firewall. Everything that I've seen says that when you see this kind of traffic you should be looking for a Sasser/Blaster-type worm, but this is a Linux firewall. There's no traffic from internal IPs that shows that it's a host internally generating these scans, but it almost can't be coming from my firewall. Additionally, I set up a rule in the firewall on the outbound chain (yes, it's an old 2.2 kernel) to block everything with that source address to that destination port. Now when I do a netstat, I see nothing but normal connections being made. Is there a chance that these are somehow spoofed or is there something that I'm not thinking of?

    I run Symantec Corporate, and all of my clients are updated and have been scanned since this activity started.
    \"I would like to electrocute everyone who uses the word \"fair\" in connection with income tax policies.\"
    - William F. Buckley Jr.

  10. #10
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    Is it possible that the firewall itself is compromised and being used to scan?

    That's the only thing I can think of off the top of my head.

    The way to prove whether or not the traffic is spoofed is to look at the MAC address. If the MAC address is that of your external interface then your firewall is generating the traffic. If it is the MAC address of your router then it is spoofed and you have nothing to worry about other than "WHY"?
