We have a Cisco ASA 5510 at our company. We have the logs being captured by a syslog daemon running on a server. We recently noticed some suspicious traffic that has occurred over the past month. It first happened on two separate Sundays and then once during the week. The traffic is coming from one of our internal servers and traveling to two specific IP addresses over port 110. We scanned the server for viruses and spyware and have not come up with anything as of yet. I contacted our ISP (which happens to be the same ISP as 64.156.4.191) and they said that the IP belongs to Computer Horizons Corp (http://www.computerhorizons.com/). I left a message with someone from their IT department and am awaiting a call back as we speak. I was just wondering if any of you guys have seen something like this before or knew of a way that I could investigate further?
Help!!!
- 192.168.8.13 is the internal interface of the FW
- 192.168.8.12 is the internal server
- xxx.xxx.185.142 is our outbound internet address.
- 64.156.4.191 and 161.58.90.220 are the questionable IP addresses
Here is a sample of the FW logs:
2006-07-02 08:44:56 Local7.Info 192.168.8.13 Jul 02 2006 07:33:45: %ASA-6-302013: Built outbound TCP connection 8300517 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3109 (xxx.xxx.185.142/11310)
2006-07-02 08:45:33 Local7.Info 192.168.8.13 Jul 02 2006 07:34:22: %ASA-6-302013: Built outbound TCP connection 8302470 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3112 (xxx.xxx.185.142/11342)
2006-07-02 08:47:05 Local7.Info 192.168.8.13 Jul 02 2006 07:35:54: %ASA-6-302014: Teardown TCP connection 8300517 for outside:64.156.4.191/110 to inside:192.168.8.12/3109 duration 0:02:09 bytes 13655484 TCP FINs
2006-07-02 08:48:56 Local7.Info 192.168.8.13 Jul 02 2006 07:37:45: %ASA-6-302014: Teardown TCP connection 8302470 for outside:64.156.4.191/110 to inside:192.168.8.12/3112 duration 0:03:22 bytes 23330812 TCP FINs
2006-07-02 08:48:57 Local7.Info 192.168.8.13 Jul 02 2006 07:37:46: %ASA-6-302013: Built outbound TCP connection 8313035 for outside:161.58.90.220/110 (161.58.90.220/110) to inside:192.168.8.12/3126 (xxx.xxx.185.142/11489)
2006-07-02 08:50:20 Local7.Info 192.168.8.13 Jul 02 2006 07:39:09: %ASA-6-302013: Built outbound TCP connection 8317179 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3128 (xxx.xxx.185.142/11548)
2006-07-02 08:50:26 Local7.Info 192.168.8.13 Jul 02 2006 07:39:15: %ASA-6-302013: Built outbound TCP connection 8317457 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3130 (xxx.xxx.185.142/11551)
2006-07-02 08:50:48 Local7.Info 192.168.8.13 Jul 02 2006 07:39:37: %ASA-6-302013: Built outbound TCP connection 8317903 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3132 (xxx.xxx.185.142/11559)
2006-07-02 09:10:13 Local7.Info 192.168.8.13 Jul 02 2006 07:59:02: %ASA-6-302014: Teardown TCP connection 8317457 for outside:64.156.4.191/110 to inside:192.168.8.12/3130 duration 0:19:46 bytes 102856876 TCP FINs
2006-07-02 09:11:10 Local7.Info 192.168.8.13 Jul 02 2006 07:59:59: %ASA-6-302014: Teardown TCP connection 8317903 for outside:64.156.4.191/110 to inside:192.168.8.12/3132 duration 0:20:22 bytes 102945072 TCP FINs
2006-07-02 09:11:26 Local7.Info 192.168.8.13 Jul 02 2006 08:00:15: %ASA-6-302014: Teardown TCP connection 8317179 for outside:64.156.4.191/110 to inside:192.168.8.12/3128 duration 0:21:05 bytes 103025020 TCP FINs
2006-07-02 09:12:48 Local7.Info 192.168.8.13 Jul 02 2006 08:01:37: %ASA-6-302014: Teardown TCP connection 8313035 for outside:161.58.90.220/110 to inside:192.168.8.12/3126 duration 0:23:51 bytes 103173072 TCP FINs
2006-07-02 09:27:31 Local7.Info 192.168.8.13 Jul 02 2006 08:16:21: %ASA-6-302013: Built outbound TCP connection 8346510 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3166 (xxx.xxx.185.142/12229)
2006-07-02 09:27:42 Local7.Info 192.168.8.13 Jul 02 2006 08:16:31: %ASA-6-302013: Built outbound TCP connection 8346643 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3168 (xxx.xxx.185.142/12235)
2006-07-02 09:27:50 Local7.Info 192.168.8.13 Jul 02 2006 08:16:40: %ASA-6-302013: Built outbound TCP connection 8346743 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3170 (xxx.xxx.185.142/12241)
2006-07-02 09:31:04 Local7.Info 192.168.8.13 Jul 02 2006 08:19:53: %ASA-6-302013: Built outbound TCP connection 8348927 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3186 (xxx.xxx.185.142/12318)
2006-07-02 09:47:51 Local7.Info 192.168.8.13 Jul 02 2006 08:36:40: %ASA-6-302014: Teardown TCP connection 8346510 for outside:64.156.4.191/110 to inside:192.168.8.12/3166 duration 0:20:19 bytes 102825408 TCP FINs
2006-07-02 09:48:51 Local7.Info 192.168.8.13 Jul 02 2006 08:37:41: %ASA-6-302014: Teardown TCP connection 8346643 for outside:64.156.4.191/110 to inside:192.168.8.12/3168 duration 0:21:09 bytes 102893008 TCP FINs
2006-07-02 09:49:05 Local7.Info 192.168.8.13 Jul 02 2006 08:37:55: %ASA-6-302014: Teardown TCP connection 8346743 for outside:64.156.4.191/110 to inside:192.168.8.12/3170 duration 0:21:14 bytes 102907940 TCP FINs
2006-07-02 09:51:14 Local7.Info 192.168.8.13 Jul 02 2006 08:40:03: %ASA-6-302014: Teardown TCP connection 8348927 for outside:64.156.4.191/110 to inside:192.168.8.12/3186 duration 0:20:10 bytes 102903653 TCP FINs
2006-07-02 09:53:40 Local7.Info 192.168.8.13 Jul 02 2006 08:42:30: %ASA-6-302013: Built outbound TCP connection 8368454 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3204 (xxx.xxx.185.142/12783)
2006-07-02 09:54:11 Local7.Info 192.168.8.13 Jul 02 2006 08:43:01: %ASA-6-302013: Built outbound TCP connection 8368953 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3206 (xxx.xxx.185.142/12790)
2006-07-02 09:54:17 Local7.Info 192.168.8.13 Jul 02 2006 08:43:06: %ASA-6-302013: Built outbound TCP connection 8369009 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3208 (xxx.xxx.185.142/12792)
2006-07-02 09:54:23 Local7.Info 192.168.8.13 Jul 02 2006 08:43:13: %ASA-6-302013: Built outbound TCP connection 8369086 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3210 (xxx.xxx.185.142/12794)
2006-07-02 09:56:18 Local7.Info 192.168.8.13 Jul 02 2006 08:45:08: %ASA-6-302013: Built outbound TCP connection 8370600 for outside:161.58.90.220/110 (161.58.90.220/110) to inside:192.168.8.12/3213 (xxx.xxx.185.142/12827)
2006-07-02 10:06:47 Local7.Info 192.168.8.13 Jul 02 2006 08:55:37: %ASA-6-302014: Teardown TCP connection 8369086 for outside:64.156.4.191/110 to inside:192.168.8.12/3210 duration 0:12:24 bytes 52066680 TCP FINs
2006-07-02 10:16:04 Local7.Info 192.168.8.13 Jul 02 2006 09:04:54: %ASA-6-302014: Teardown TCP connection 8368454 for outside:64.156.4.191/110 to inside:192.168.8.12/3204 duration 0:22:24 bytes 103023376 TCP FINs
2006-07-02 10:16:25 Local7.Info 192.168.8.13 Jul 02 2006 09:05:15: %ASA-6-302014: Teardown TCP connection 8369009 for outside:64.156.4.191/110 to inside:192.168.8.12/3208 duration 0:22:09 bytes 102851452 TCP FINs
2006-07-02 10:16:35 Local7.Info 192.168.8.13 Jul 02 2006 09:05:25: %ASA-6-302014: Teardown TCP connection 8368953 for outside:64.156.4.191/110 to inside:192.168.8.12/3206 duration 0:22:23 bytes 102895516 TCP FINs
2006-07-02 10:19:56 Local7.Info 192.168.8.13 Jul 02 2006 09:08:46: %ASA-6-302014: Teardown TCP connection 8370600 for outside:161.58.90.220/110 to inside:192.168.8.12/3213 duration 0:23:38 bytes 103065860 TCP FINs
2006-07-02 10:46:51 Local7.Info 192.168.8.13 Jul 02 2006 09:35:41: %ASA-6-302013: Built outbound TCP connection 8419169 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3278 (xxx.xxx.185.142/15496)
2006-07-02 10:46:57 Local7.Info 192.168.8.13 Jul 02 2006 09:35:47: %ASA-6-302013: Built outbound TCP connection 8419227 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3281 (xxx.xxx.185.142/15499)
2006-07-02 10:47:03 Local7.Info 192.168.8.13 Jul 02 2006 09:35:53: %ASA-6-302013: Built outbound TCP connection 8419310 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3283 (xxx.xxx.185.142/15502)
2006-07-02 10:47:08 Local7.Info 192.168.8.13 Jul 02 2006 09:35:58: %ASA-6-302013: Built outbound TCP connection 8419411 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3285 (xxx.xxx.185.142/15508)
2006-07-02 11:03:29 Local7.Info 192.168.8.13 Jul 02 2006 09:52:19: %ASA-6-302013: Built outbound TCP connection 8433587 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3330 (xxx.xxx.185.142/16617)
2006-07-02 11:09:18 Local7.Info 192.168.8.13 Jul 02 2006 09:58:08: %ASA-6-302014: Teardown TCP connection 8419169 for outside:64.156.4.191/110 to inside:192.168.8.12/3278 duration 0:22:27 bytes 102897068 TCP FINs
2006-07-02 11:09:22 Local7.Info 192.168.8.13 Jul 02 2006 09:58:12: %ASA-6-302014: Teardown TCP connection 8419411 for outside:64.156.4.191/110 to inside:192.168.8.12/3285 duration 0:22:14 bytes 102872432 TCP FINs
2006-07-02 11:09:40 Local7.Info 192.168.8.13 Jul 02 2006 09:58:30: %ASA-6-302014: Teardown TCP connection 8433587 for outside:64.156.4.191/110 to inside:192.168.8.12/3330 duration 0:06:11 bytes 23327452 TCP FINs
2006-07-02 11:09:41 Local7.Info 192.168.8.13 Jul 02 2006 09:58:31: %ASA-6-302014: Teardown TCP connection 8419310 for outside:64.156.4.191/110 to inside:192.168.8.12/3283 duration 0:22:38 bytes 102979740 TCP FINs
2006-07-02 11:09:43 Local7.Info 192.168.8.13 Jul 02 2006 09:58:33: %ASA-6-302014: Teardown TCP connection 8419227 for outside:64.156.4.191/110 to inside:192.168.8.12/3281 duration 0:22:45 bytes 102876672 TCP FINs
2006-07-02 11:10:02 Local7.Info 192.168.8.13 Jul 02 2006 09:58:53: %ASA-6-302013: Built outbound TCP connection 8440516 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3358 (xxx.xxx.185.142/16866)
2006-07-02 11:10:07 Local7.Info 192.168.8.13 Jul 02 2006 09:58:57: %ASA-6-302013: Built outbound TCP connection 8440569 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3360 (xxx.xxx.185.142/16870)
2006-07-02 11:10:13 Local7.Info 192.168.8.13 Jul 02 2006 09:59:04: %ASA-6-302013: Built outbound TCP connection 8440651 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3362 (xxx.xxx.185.142/16875)
2006-07-02 11:10:20 Local7.Info 192.168.8.13 Jul 02 2006 09:59:10: %ASA-6-302013: Built outbound TCP connection 8440737 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3364 (xxx.xxx.185.142/16882)
2006-07-02 11:31:14 Local7.Info 192.168.8.13 Jul 02 2006 10:20:05: %ASA-6-302014: Teardown TCP connection 8440569 for outside:64.156.4.191/110 to inside:192.168.8.12/3360 duration 0:21:07 bytes 102833428 TCP FINs
2006-07-02 11:31:24 Local7.Info 192.168.8.13 Jul 02 2006 10:20:14: %ASA-6-302014: Teardown TCP connection 8440516 for outside:64.156.4.191/110 to inside:192.168.8.12/3358 duration 0:21:21 bytes 102784644 TCP FINs
2006-07-02 11:31:42 Local7.Info 192.168.8.13 Jul 02 2006 10:20:32: %ASA-6-302014: Teardown TCP connection 8440737 for outside:64.156.4.191/110 to inside:192.168.8.12/3364 duration 0:21:22 bytes 102817780 TCP FINs
2006-07-02 11:31:48 Local7.Info 192.168.8.13 Jul 02 2006 10:20:38: %ASA-6-302014: Teardown TCP connection 8440651 for outside:64.156.4.191/110 to inside:192.168.8.12/3362 duration 0:21:34 bytes 102836200 TCP FINs
2006-07-02 11:32:22 Local7.Info 192.168.8.13 Jul 02 2006 10:21:12: %ASA-6-302013: Built outbound TCP connection 8456082 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3391 (xxx.xxx.185.142/17696)
2006-07-02 11:32:30 Local7.Info 192.168.8.13 Jul 02 2006 10:21:20: %ASA-6-302013: Built outbound TCP connection 8456176 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3393 (xxx.xxx.185.142/17698)
2006-07-02 11:32:35 Local7.Info 192.168.8.13 Jul 02 2006 10:21:26: %ASA-6-302013: Built outbound TCP connection 8456235 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3395 (xxx.xxx.185.142/17702)
2006-07-02 11:44:37 Local7.Info 192.168.8.13 Jul 02 2006 10:33:28: %ASA-6-302014: Teardown TCP connection 8456235 for outside:64.156.4.191/110 to inside:192.168.8.12/3395 duration 0:12:01 bytes 72339984 TCP FINs
2006-07-02 11:49:12 Local7.Info 192.168.8.13 Jul 02 2006 10:38:02: %ASA-6-302014: Teardown TCP connection 8456082 for outside:64.156.4.191/110 to inside:192.168.8.12/3391 duration 0:16:50 bytes 102820232 TCP FINs
2006-07-02 11:49:15 Local7.Info 192.168.8.13 Jul 02 2006 10:38:05: %ASA-6-302014: Teardown TCP connection 8456176 for outside:64.156.4.191/110 to inside:192.168.8.12/3393 duration 0:16:44 bytes 102862452 TCP FINs
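As an added example (not part of the original post), a small Python script that pairs the %ASA-6-302013 "Built" and %ASA-6-302014 "Teardown" messages by connection ID and totals bytes per internal host, destination and port, so the pattern can be checked across the whole month of syslog rather than by eye. It uses four of the log lines quoted above as input; the 50 MB threshold for flagging sessions is an assumed value, chosen because a single POP3 mail check is normally far smaller than the ~100 MB seen in most of these teardowns.

```python
import re
from collections import defaultdict

# Four log lines taken from the post above (a Built/Teardown pair for each of two connection IDs).
SAMPLE_LOG = """\
2006-07-02 08:44:56 Local7.Info 192.168.8.13 Jul 02 2006 07:33:45: %ASA-6-302013: Built outbound TCP connection 8300517 for outside:64.156.4.191/110 (64.156.4.191/110) to inside:192.168.8.12/3109 (xxx.xxx.185.142/11310)
2006-07-02 08:47:05 Local7.Info 192.168.8.13 Jul 02 2006 07:35:54: %ASA-6-302014: Teardown TCP connection 8300517 for outside:64.156.4.191/110 to inside:192.168.8.12/3109 duration 0:02:09 bytes 13655484 TCP FINs
2006-07-02 08:48:57 Local7.Info 192.168.8.13 Jul 02 2006 07:37:46: %ASA-6-302013: Built outbound TCP connection 8313035 for outside:161.58.90.220/110 (161.58.90.220/110) to inside:192.168.8.12/3126 (xxx.xxx.185.142/11489)
2006-07-02 09:12:48 Local7.Info 192.168.8.13 Jul 02 2006 08:01:37: %ASA-6-302014: Teardown TCP connection 8313035 for outside:161.58.90.220/110 to inside:192.168.8.12/3126 duration 0:23:51 bytes 103173072 TCP FINs
"""

# Message 302013: connection ID, external host/port, internal host/port (the NAT pair in parentheses is skipped).
BUILT = re.compile(r"%ASA-6-302013: Built outbound TCP connection (\d+) for outside:([\d.]+)/(\d+) \(\S+\) to inside:([\d.]+)/(\d+)")
# Message 302014: same fields plus duration h:mm:ss and byte count, which only the teardown carries.
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) for outside:([\d.]+)/(\d+) to inside:([\d.]+)/(\d+) duration (\d+):(\d+):(\d+) bytes (\d+)")

def parse_sessions(text):
    """Pair each Built message with its Teardown by connection ID; return one record per finished session."""
    open_conns, sessions = {}, []
    for line in text.splitlines():
        m = BUILT.search(line)
        if m:
            conn, dst, dport, src, _sport = m.groups()
            open_conns[conn] = {"conn": conn, "src": src, "dst": dst, "dport": int(dport), "built": line[:19]}
            continue
        m = TEARDOWN.search(line)
        if m:
            conn, dst, dport, src, _sport, h, mi, s, nbytes = m.groups()
            # A teardown whose Built line was not captured (e.g. log rotation) still yields a record.
            sess = open_conns.pop(conn, {"conn": conn, "src": src, "dst": dst, "dport": int(dport), "built": None})
            sess["seconds"] = int(h) * 3600 + int(mi) * 60 + int(s)
            sess["bytes"] = int(nbytes)
            sessions.append(sess)
    return sessions

def summarize(sessions):
    """Connection count and total bytes per (internal host, external host, external port)."""
    totals = defaultdict(lambda: {"connections": 0, "bytes": 0})
    for s in sessions:
        key = (s["src"], s["dst"], s["dport"])
        totals[key]["connections"] += 1
        totals[key]["bytes"] += s["bytes"]
    return dict(totals)

def large_sessions(sessions, threshold=50_000_000):
    """Connection IDs that moved more data than a mail check plausibly should (threshold is an assumed value)."""
    return [s["conn"] for s in sessions if s["bytes"] >= threshold]

if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_LOG)
    for key, v in summarize(sess).items():
        print(key, v)
    print("large sessions:", large_sessions(sess))
```

Feeding the daemon's full syslog file to `parse_sessions` and grouping the summary by day would show directly whether the Sunday transfers line up with a scheduled task on 192.168.8.12.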