-
Any idea what this is???
I started seeing a ton of messages in my IDS (Snort) showing inbound ICMP Destination host unreachable message. I'm on a net that uses private IPs. The source IP is always one of two addresses. One is a private IP address that's not on my subnet, the other is a public IP address that's not part of my public address space, but that I believe is part of my ISP's network. The destination address is always the address of my workstation.
I've disabled the adapter and unplugged it from the network while I attempt to figure out what's going on. Any suggestions would be greatly appreciated.
-
Sounds like a box on the ISP network has gone haywire.... I've seen similar...
There are a couple of other explanations that may fit, such as someone else being DoSed using spoofed source addresses and that you got unlucky being the spoofed address.
I wouldn't worry about it if you don't have an internal box pinging away... Run an ethereal dump for icmp and see what it tells you.
-
Okay, I definitely have a problem. I did an Ethereal capture, and there are a TON of SYN packets going from my machine to machines on the same subnet. What's so weird is that they're getting through my ISP's routers and into his network, where he apparently is using a similar private addressing scheme. It's the ICMP messages of the hosts that aren't getting through the routers that appear to have triggered my IDS.
-
OK... Clue me in....
Is this a business network with people working on the machines? How many Machines? What do we call a "ton"?
-
Quote:
Originally posted here by Tiger Shark
OK... Clue me in....
Is this a business network with people working on the machines? How many Machines? What do we call a "ton"?
Yes, it's a business network. They are private IPs, so I can give you more information. The network that the problem host is on is 192.168.130.0/24. The packets I'm seeing are all SYNs from my host 192.168.130.226 to a wide variety of hosts with similar addresses such as 192.168.1.5, 192.168.30.20, etc. They're all in the 192.168.0.0 range, and there are a LOT of them. I didn't count them. Also, the destination ports are all microsoft-ds.
-
Then it looks like that box has a worm and is scanning its neighboring subnets for more targets.... Close it down immediately so you don't spread it any further on your network, and scan it for viruses.
-
Quote:
Originally posted here by Tiger Shark
Then it looks like that box has a worm and is scanning its neighboring subnets for more targets.... Close it down immediately so you don't spread it any further on your network, and scan it for viruses.
I disconnected it from the network as soon as I saw the scans. It has no critical data. I'm gonna boot to Knoppix to scan it and see what I find, then I'll rebuild the machine. If I'm able to identify I'll post the results just in case anyone's interested. Thanks.
-
Er... Was it disconnected when you did the Ethereal dump? If it was, then it might have done its work. I would _definitely_ maintain an Ethereal dump of the network to see if you can ID any other potentially infected boxes.
-
Okay, this keeps getting weirder. I powered down the computer that I was having problems with, but now when I do an Ethereal capture, I see a ton of scans for port 445 (microsoft-ds) originating from the external interface of my firewall. Everything that I've seen says that when you see this kind of traffic you should be looking for a Sasser/Blaster-type worm, but this is a Linux firewall. There's no traffic from internal IPs that shows that it's a host internally generating these scans, but it almost can't be coming from my firewall. Additionally, I set up a rule in the firewall on the outbound chain (yes, it's an old 2.2 kernel) to block everything with that source address to that destination port. Now when I do a netstat, I see nothing but normal connections being made. Is there a chance that these are somehow spoofed, or is there something that I'm not thinking of?
I run Symantec Corporate, and all of my clients are updated and have been scanned since this activity started.
-
Is it possible that the firewall itself is compromised and being used to scan?
That's the only thing I can think of off the top of my head.
The way to prove whether or not the traffic is spoofed is to look at the MAC address. If the MAC address is that of your external interface then your firewall is generating the traffic. If it is the MAC address of your router then it is spoofed and you have nothing to worry about other than "WHY"?
-
The MAC matches, but if my host is compromised, shouldn't I be seeing a ton of open connections when I do 'netstat -l'? It's generating about 100 packets/second, so you would think that I would have that many open high-number ports waiting for replies.
-
The MAC matches the firewall's, is what I hear you saying.....
You wouldn't see anything awry in the netstat if there is a user level or kernel level rootkit on the box hiding the activity from you.
Before we make the assumption that there is a rootkit there I would like the opinion of some others here.....
ANYONE?????
-
I think I posted this once before; it's an old trick, but that's an old box ...
Log into the firewall box and type the command
grep :x:0: /etc/passwd
The ONLY line you should see is
"root:x:0:0:root:/root:/bin/bash"
May or may not tell you if you've been cracked, but if you see more than one ....
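An added example, not posted by anyone in this thread, of the same UID-0 check done on the UID field itself rather than on the literal string ":x:0:". The grep above only matches entries whose password field is "x"; an entry with "*" or an actual hash in that field (common on older boxes without shadow passwords) would be missed. The passwd lines below are constructed for the example; on a real host you would feed the functions /etc/passwd instead.

```shell
#!/bin/sh
# Added example: list every account in a passwd-format file whose UID is 0.
# SAMPLE_PASSWD is CONSTRUCTED for this example (the "toor" line is a made-up
# second UID-0 account); it is not from the thread.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/sh
toor:*:0:0:second uid-0 account:/:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh'

# Print the login name of every account read from stdin whose third
# (UID) field is 0, regardless of what the password field contains.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# Count UID-0 accounts other than "root"; any value above 0 needs a look.
extra_uid0_count() {
    awk -F: '$3 == 0 && $1 != "root" { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed sample (real use: < /etc/passwd).
printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
printf 'extra UID-0 accounts: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_count)"
```

The field-based test also catches a UID of 0 written next to a non-"x" password field, which is exactly the case the literal pattern cannot see.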
-
Solved. It appears that two machines on my network had Sasser. The reason the connections weren't showing in netstat was because I just wasn't using the right switches. This is my gateway device, and also NATs my private IPs. I needed to issue netstat -M to show masqueraded connections. As soon as I did that, it showed me the internal IPs that were scanning for 445. I patched and cleaned them, and we're back in business. Thanks for your time, everyone.
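As an added example that is not part of the thread, here is the capture-side version of the check that netstat -M finally answered: given SYN packets seen on the gateway, which internal hosts are fanning out to port 445 across many distinct destinations? The capture lines are constructed for the example and only modelled on old tcpdump-style text output (an assumption about the format, which a script for a real capture would have to match); the addresses reuse the 192.168.130.0/24 scheme from the thread.

```shell
#!/bin/sh
# Added example: find sources that sent SYNs to port 445 (microsoft-ds) to
# many distinct hosts, the fan-out pattern described in the thread.
# SAMPLE_CAPTURE is CONSTRUCTED, modelled on tcpdump-style lines
# ("time src.port > dst.port: flags ..."); it is not real traffic.
SAMPLE_CAPTURE='10:01:00.100 192.168.130.226.1034 > 192.168.1.5.445: S 1:1(0) win 16384
10:01:00.110 192.168.130.226.1035 > 192.168.30.20.445: S 2:2(0) win 16384
10:01:00.120 192.168.130.226.1036 > 192.168.2.7.445: S 3:3(0) win 16384
10:01:00.130 192.168.130.226.1037 > 192.168.9.9.445: S 4:4(0) win 16384
10:01:00.140 192.168.130.50.2001 > 192.168.4.4.445: S 5:5(0) win 16384
10:01:00.150 192.168.130.50.2002 > 192.168.4.4.445: S 6:6(0) win 16384
10:01:00.160 192.168.130.77.3001 > 192.168.130.1.80: S 7:7(0) win 65535
10:01:00.170 192.168.130.77.3002 > 192.168.130.1.445: S 8:8(0) win 65535
10:01:00.180 192.168.130.226.1038 > 192.168.8.8.445: R 0:0(0) win 0'

# Read capture lines from stdin; print "source distinct_445_targets" for
# every source whose distinct-target count exceeds $1 (default 3), sorted.
# A handful of SYNs to one file server is normal; dozens of distinct
# targets in seconds is the worm signature.
scan_sources() {
    threshold="${1:-3}"
    awk -v thr="$threshold" '
        # $2 = src.port, $3 = ">", $4 = dst.port followed by ":", $5 = TCP flags
        $3 == ">" && $5 == "S" {
            src = $2; sub(/\.[0-9]+$/, "", src)        # strip source port
            dst = $4; sub(/:$/, "", dst)               # strip trailing colon
            n = split(dst, p, "."); dport = p[n]       # last dotted field is the port
            dhost = p[1] "." p[2] "." p[3] "." p[4]
            if (dport == 445 && !seen[src, dhost]++) targets[src]++
        }
        END { for (s in targets) if (targets[s] > thr) print s, targets[s] }
    ' | sort
}

# Stand-alone run: only the host with four distinct 445 targets is reported.
printf '%s\n' "$SAMPLE_CAPTURE" | scan_sources 3
```

Run against a capture taken on the gateway's internal interface, the source column gives the pre-NAT address directly, which is the same answer netstat -M gave here without having to catch the masquerade table at the right moment.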
-
Bingo!!!!!
I'll award myself 8 smartie points for not trusting your original analysis, not knowing crap about *nix and asking for further advice from the better qualified on *nix before trying to come to a conclusion...... :cool: