From my network?

Printable View

August 8th, 2006, 05:04 AM
jeremy85

From my network?

I am Learning Sort (yea)
I am getting this traffic i wasnt 2 worried about it till i saw that my network was sending it.
bout every half hour 4 of these to 2 different address at 80 and 8080.

I am running smoothwall 2.0 with all patches
DSL with a 2wire modem (wireless off)
Snort reported (The 127 is my external ip address)
Date: 08/07 00:52:13 Name: (http_inspect) BARE BYTE UNICODE ENCODING
Priority: n/a Type: n/a
IP info: 127.0.0.1:2433 -> 206.188.170.209:80
References: none found

One IP was down the one above typed into firefox offered me a file to download i have the file it is machine code (pretty sure).

What bothers me most is during my learning curve i ended up reloading almost every box on my network. I did a trend micro scan on my surfing box and only found three cookies. I really dont think this is coming from my network but it would be nice to know for sure and to keep my logger quiet.
Thanks alot for all responses
J
August 8th, 2006, 09:27 AM
SirDice

We get these a lot.. Mostly false positives.. Look at the actual traffic to make sure it really is a false positive.
August 8th, 2006, 09:45 AM
nihil

Good reply SirDice as you well know, this is not my area at all, but I do recall something about cookies (very large ones?) causing this sort of reaction?

For Jeremy , I would suggest that you bookmark these links:

http://virusscan.jotti.org/
http://www.virustotal.com/en/indexf.html

You submit a file to them, and they scan it with the very latest versions of a number of antivirus/antimalware applications.

Also: http://www.dnsstuff.com/ has a reasonably comprehensive set of internet lookup tools.........but PLEASE remember that IP addresses can be spoofed in certain circumstances

;)
August 8th, 2006, 10:21 AM
SirDice

Quote:

Originally posted here by nihil
Good reply SirDice as you well know, this is not my area at all, but I do recall something about cookies (very large ones?) causing this sort of reaction?

Cookies and any type of URL with a large (hexadecimal) string in them..

Like http://somesite/script.cgi?var=aabbccddeeffdeadbeeff00d
August 8th, 2006, 12:09 PM
steve.milner

A simple whois of 206.188.170.209 reveals:

OrgName: 702 communications
OrgID: 702COM
Address: 702 Main Ave
City: Moorhead
StateProv: MN
PostalCode: 56560
Country: US

This isn't your ISP by any chance is it?
August 8th, 2006, 12:55 PM
Und3ertak3r

Quote:

IP info: 127.0.0.1:2433 -> 206.188.170.209:80

why is information comming from the loop back address.. or have you dummied this?..

where are you running SNORT? I assume that is your first line or is it SORT?.. is it running on the smoothwall box or are you running it locally on one of your pc's in othere words where are you recording this information...

Quote:

One IP was down the one above typed into firefox offered me a file to download i have the file it is machine code (pretty sure).

Well what sort of a file is it.. does it have a name.. how about sharing it with us to disect (zip it and upload)
August 8th, 2006, 01:45 PM
jeremy85

>why is information comming from the loop back address.. or have you dummied this?..

I did dummy it the real address is my external ip

>where are you running SNORT? I assume that is your first line or is it SORT?.. is it running on the >smoothwall box or are you running it locally on one of your pc's in othere words where are you >recording this information...

It is running on my firewall (smoothwall)

>Well what sort of a file is it.. does it have a name.. how about sharing it with us to disect (zip it >and upload)

sorry for not attaching the file should be here now

>A simple whois of 206.188.170.209 reveals:

>OrgName: 702 communications
>OrgID: 702COM
>Address: 702 Main Ave
>City: Moorhead
>StateProv: MN
>PostalCode: 56560
>Country: US

>This isn't your ISP by any chance is it?

Not even close :D
I can post my ip just not used 2 seeing ip's listed i almost didnt post the other but since it was "live" i figured i could pull it if needed.

>Good reply SirDice as you well know, this is not my area at all, but I do recall something about >cookies (very large ones?) causing this sort of reaction?
>Cookies and any type of URL with a large (hexadecimal) string in them.

If that were the case wouldnt i see port 80 or a common port instead of them being different ie"2433"

oh i do have bittorrent running on one of my internal boxes.
i am under the impression that this is a false postive how do i look at the traffic?
Thanks again
jeremy
August 8th, 2006, 01:52 PM
SirDice

Quote:

If that were the case wouldnt i see port 80 or a common port instead of them being different ie"2433"

Don't confuse source and destination ports ;)

The source port is usually a "random" port.

Quote:

i am under the impression that this is a false postive how do i look at the traffic?

Not sure but I do think smoothwall comes with tcpdump.
August 8th, 2006, 03:26 PM
steve.milner

Quote:

>This isn't your ISP by any chance is it?

Not even close
I can post my ip just not used 2 seeing ip's listed i almost didnt post the other but since it was "live" i figured i could pull it if needed.

ISP not IP. Who is your internet service provider 702com or related company?

Steve
August 8th, 2006, 04:11 PM
jeremy85

Quote:

ISP not IP. Who is your internet service provider 702com or related company?

SBC Internet Services SBCIS-SIS80 (NET-68-248-0-0-1)
68.248.0.0 - 68.255.255.255

I did a scan at virustotal on the file i downloaded and it came back clean.
that address is still handing out files so i got a few more and used a hex editor.
It looks to me like it is encrypted. No steady breaks or file size.