From my network?
  1. #1
    Junior Member
    Join Date
    Feb 2004
    Posts
    12

    From my network?

    I am Learning Sort (yea)
    I am getting this traffic; I wasn't too worried about it till I saw that my network was sending it.
    About every half hour, 4 of these to 2 different addresses at 80 and 8080.


    I am running smoothwall 2.0 with all patches
    DSL with a 2wire modem (wireless off)
    Snort reported (The 127 is my external ip address)
    Date: 08/07 00:52:13 Name: (http_inspect) BARE BYTE UNICODE ENCODING
    Priority: n/a Type: n/a
    IP info: 127.0.0.1:2433 -> 206.188.170.209:80
    References: none found

    One IP was down; the one above, typed into Firefox, offered me a file to download. I have the file; it is machine code (pretty sure).

    What bothers me most is that during my learning curve I ended up reloading almost every box on my network. I did a Trend Micro scan on my surfing box and only found three cookies. I really don't think this is coming from my network, but it would be nice to know for sure and to keep my logger quiet.
    Thanks a lot for all responses
    J

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    We get these a lot. Mostly false positives. Look at the actual traffic to make sure it really is a false positive.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    Good reply SirDice. As you well know, this is not my area at all, but I do recall something about cookies (very large ones?) causing this sort of reaction?

    For Jeremy , I would suggest that you bookmark these links:

    http://virusscan.jotti.org/
    http://www.virustotal.com/en/indexf.html

    You submit a file to them, and they scan it with the very latest versions of a number of antivirus/antimalware applications.

    Also: http://www.dnsstuff.com/ has a reasonably comprehensive set of internet lookup tools... but PLEASE remember that IP addresses can be spoofed in certain circumstances.


  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    > Originally posted here by nihil:
    > Good reply SirDice. As you well know, this is not my area at all, but I do recall something about cookies (very large ones?) causing this sort of reaction?
    Cookies and any type of URL with a large (hexadecimal) string in them..

    Like http://somesite/script.cgi?var=aabbccddeeffdeadbeeff00d
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,018
    A simple whois of 206.188.170.209 reveals:

    OrgName: 702 communications
    OrgID: 702COM
    Address: 702 Main Ave
    City: Moorhead
    StateProv: MN
    PostalCode: 56560
    Country: US

    This isn't your ISP by any chance is it?
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  6. #6
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    IP info: 127.0.0.1:2433 -> 206.188.170.209:80
    Why is information coming from the loopback address? Or have you dummied this?

    Where are you running SNORT? I assume that is your first line, or is it SORT? Is it running on the smoothwall box, or are you running it locally on one of your PCs? In other words, where are you recording this information?

    > One IP was down; the one above, typed into Firefox, offered me a file to download. I have the file; it is machine code (pretty sure).
    Well, what sort of a file is it? Does it have a name? How about sharing it with us to dissect (zip it and upload).
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  7. #7
    Junior Member
    Join Date
    Feb 2004
    Posts
    12
    > Why is information coming from the loopback address? Or have you dummied this?

    I did dummy it; the real address is my external IP.

    > Where are you running SNORT? I assume that is your first line, or is it SORT? Is it running on the smoothwall box, or are you running it locally on one of your PCs? In other words, where are you recording this information?

    It is running on my firewall (smoothwall).

    > Well, what sort of a file is it? Does it have a name? How about sharing it with us to dissect (zip it and upload).

    Sorry for not attaching the file; it should be here now.

    >A simple whois of 206.188.170.209 reveals:

    >OrgName: 702 communications
    >OrgID: 702COM
    >Address: 702 Main Ave
    >City: Moorhead
    >StateProv: MN
    >PostalCode: 56560
    >Country: US

    >This isn't your ISP by any chance is it?

    Not even close.
    I can post my IP; I'm just not used to seeing IPs listed. I almost didn't post the other, but since it was "live" I figured I could pull it if needed.

    > Good reply SirDice. As you well know, this is not my area at all, but I do recall something about cookies (very large ones?) causing this sort of reaction?
    > Cookies and any type of URL with a large (hexadecimal) string in them.

    If that were the case, wouldn't I see port 80 or a common port instead of them being different, i.e. "2433"?

    Oh, I do have BitTorrent running on one of my internal boxes.
    I am under the impression that this is a false positive; how do I look at the traffic?
    Thanks again
    jeremy

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    > If that were the case, wouldn't I see port 80 or a common port instead of them being different, i.e. "2433"?
    Don't confuse source and destination ports.

    The source port is usually a "random" port.

    > I am under the impression that this is a false positive; how do I look at the traffic?
    Not sure, but I do think smoothwall comes with tcpdump.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
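    The source/destination confusion in posts #7 and #8 is easy to settle mechanically. The script below is an added example, not from the thread or from Snort: it parses alert entries in the exact layout Jeremy pasted (constructed sample lines, with 192.0.2.10 standing in for the external address, 10.0.0.0/8 as an assumed LAN, and 203.0.113.7 as a made-up remote host), decides which side opened each connection from the port pair, and counts which remote endpoints the local network keeps hitting.

    ```python
    import re
    from collections import Counter
    from ipaddress import ip_address, ip_network

    # Constructed sample in the layout quoted in the thread. 192.0.2.10 stands in
    # for the firewall's external address and 10.0.0.0/8 is an assumed LAN range.
    SAMPLE_ALERTS = """\
    Date: 08/07 00:52:13 Name: (http_inspect) BARE BYTE UNICODE ENCODING
    Priority: n/a Type: n/a
    IP info: 192.0.2.10:2433 -> 206.188.170.209:80
    References: none found
    Date: 08/07 00:52:14 Name: (http_inspect) BARE BYTE UNICODE ENCODING
    Priority: n/a Type: n/a
    IP info: 192.0.2.10:2434 -> 206.188.170.209:8080
    References: none found
    Date: 08/07 01:20:03 Name: (http_inspect) BARE BYTE UNICODE ENCODING
    Priority: n/a Type: n/a
    IP info: 203.0.113.7:4444 -> 192.0.2.10:80
    References: none found
    """

    MY_ADDRESSES = [ip_network("192.0.2.10/32"), ip_network("10.0.0.0/8")]  # assumed
    HTTP_PORTS = {80, 8080}  # the server ports named in the thread

    ALERT_RE = re.compile(
        r"Date: (?P<date>\S+ \S+) Name: (?P<name>[^\n]+)\n"
        r"Priority: [^\n]*\n"
        r"IP info: (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    )

    def parse_alerts(text):
        """One dict per alert; ports converted to ints."""
        return [{**m.groupdict(), "sport": int(m["sport"]), "dport": int(m["dport"])}
                for m in ALERT_RE.finditer(text)]

    def is_mine(addr):
        return any(ip_address(addr) in net for net in MY_ADDRESSES)

    def direction(alert):
        """The side using 80/8080 is the server; the other side's high port is an
        ephemeral client port, so 2433 on our side means we opened the connection."""
        we_are_client = alert["dport"] in HTTP_PORTS and alert["sport"] >= 1024
        if is_mine(alert["src"]) and we_are_client:
            return "outbound"
        return "inbound" if is_mine(alert["dst"]) else "transit"

    def summarize(text):
        """Count alerts by direction and remote endpoint: which outside host does
        the local network keep talking to, and on which port?"""
        counts = Counter()
        for a in parse_alerts(text):
            d = direction(a)
            remote = f"{a['dst']}:{a['dport']}" if d == "outbound" else f"{a['src']}:{a['sport']}"
            counts[(d, remote)] += 1
        return counts
    ```

    Two of the three sample alerts come out as outbound to 206.188.170.209, which is the pattern Jeremy described; the remaining step is to capture that flow with tcpdump on the firewall and read the actual URI.
    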

  9. #9
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,018
    >This isn't your ISP by any chance is it?

    > Not even close.
    > I can post my IP; I'm just not used to seeing IPs listed. I almost didn't post the other, but since it was "live" I figured I could pull it if needed.
    ISP, not IP. Who is your internet service provider? 702com or a related company?

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  10. #10
    Junior Member
    Join Date
    Feb 2004
    Posts
    12
    > ISP, not IP. Who is your internet service provider? 702com or a related company?

    SBC Internet Services SBCIS-SIS80 (NET-68-248-0-0-1)
    68.248.0.0 - 68.255.255.255

    I did a scan at VirusTotal on the file I downloaded and it came back clean.
    That address is still handing out files, so I got a few more and used a hex editor.
    It looks to me like it is encrypted. No steady breaks or file size.
