Network Security Incidents

RE: unusual 1.11.0.0/16 outbound traffic

Subject: RE: unusual 1.11.0.0/16 outbound traffic
Date: Thu, 16 Sep 2004 09:20:00 -0700
The signature of dest=TCP:445 sounds a lot like Sasser (or clone)
infections on those internal hosts.
Time to scan those boxes, fer shur!

Jim Harrison 
MCP(NT4/2K), A+, Network+
Security Business Unit (ISA SE)

"The last 10 years of Internet usage has disproven 
the theory that a million monkeys typing on a million
typewriters would eventually produce the complete
works of Shakespeare.  ..or maybe it only works for
typewriters..."
(unclaimed)

-----Original Message-----
From: Federico Grau [mailto:donfede@casagrau.org] 
Sent: Tuesday, September 14, 2004 2:23 PM
To: incidents@securityfocus.com
Subject: unusual 1.11.0.0/16 outbound traffic


Hello Incidents folk,

We have been seeing an increasing amount of unusual network activity trying to
get out of our internal LAN.  What is most odd about this traffic is that the
traffic is directed to the 1.11.0.0/16 subnet (an IANA Reserved subnet, which
I believe is to be used for VPNs).

The activity began 2004-08-10 with 4 machines trying to send packets out at
different times.  Slowly the number of machines trying to send out this
network traffic has grown to 18 last week.

We have not seen trends of times when the activity occurs; it ranges
throughout all times of the day and night, regardless of whether the user is
at his machine.

We have not seen trends of machines attempting to send out the network
traffic, other than the number appears to be growing.

We have virus scanners on desktop machines (McAfee) and on our mailserver
(Mailscanner w/ Sophos and McAfee).  Anti-virus software does not detect
anything and we could not find any other unusual software running on the
client PCs.

Client machines include several Microsoft operating systems: Windows 98,
Windows 2000, Windows XP.

We have captured outbound traffic using tcpdump, and looked at it with
ethereal.  No packets with "data" appear to be making it out.  The packets we
have been seeing include: SMB "Tree Disconnect Request", SMB "Echo Request",
NBNS "Name query NBSTAT" and some other "failed SMB" packets.



At this point we are not sure if this is benign or malicious.

Have others seen this type of unusual network traffic?

The 1.11.0.0/16 network seems unreachable (no ping responses); how can this
traffic be getting out (or where is it trying to go)?

Any suggestions at other things to check?


Sample firewall logs:
Aug 10 05:15:48 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=40 S=0x00 I=42620 F=0x4000 T=128 (#13)
Aug 10 05:15:49 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42665 F=0x4000 T=128 (#13)
Aug 10 05:15:50 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42673 F=0x4000 T=128 (#13)
Aug 10 05:15:51 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42694 F=0x4000 T=128 (#13)
Aug 10 05:15:52 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42733 F=0x4000 T=128 (#13)
Aug 10 05:15:55 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42783 F=0x4000 T=128 (#13)
Aug 10 05:16:02 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=79 S=0x00 I=42791 F=0x4000 T=128 (#13)
Aug 10 05:54:32 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.78:1160 1.11.31.99:445 L=79 S=0x00 I=11794 F=0x4000 T=128 (#13)
Aug 10 05:54:32 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.78:1160 1.11.31.99:445 L=79 S=0x00 I=11795 F=0x4000 T=128 (#13)
...
Sep  8 18:03:14 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=192 S=0x00 I=23459 F=0x4000 T=128 (#13)
Sep  8 18:03:14 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=192 S=0x00 I=23460 F=0x4000 T=128 (#13)
Sep  8 18:04:26 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23600 F=0x4000 T=128 (#13)
Sep  8 18:04:27 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23601 F=0x4000 T=128 (#13)
Sep  8 18:04:27 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23602 F=0x4000 T=128 (#13)
Sep  8 18:04:29 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23748 F=0x4000 T=128 (#13)
Sep  8 18:04:32 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23906 F=0x4000 T=128 (#13)
Sep  8 18:04:39 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=24135 F=0x4000 T=128 (#13)
Sep  8 18:04:41 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=93 S=0x00 I=24136 F=0x4000 T=128 (#13)
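A defender-side helper for the traffic discussed in this thread, added here as an example and not part of either post: it parses kernel "Packet log" lines in the format of the firewall excerpt above and lists, per day, the distinct internal hosts that attempted TCP/445 into 1.11.0.0/16, so the growth in affected machines that the poster describes can be tracked from the firewall log alone. The matching sample lines are taken from the post's excerpt; the two non-matching lines (a TCP/445 attempt outside the range and a UDP/137 NBNS query) are constructed to show the filtering.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Field layout of the lines: <Mon> <day> <hh:mm:ss> <host> kernel: Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=<len> ...
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+)"
)
WATCH_NET = ip_network("1.11.0.0/16")  # destination range the post is worried about
SMB_PORT = 445                         # TCP/445: direct-hosted SMB

def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not a Packet log entry."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("day", "proto", "sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec

def suspicious_sources_by_day(lines, net=WATCH_NET, port=SMB_PORT):
    """Map 'Mon day' -> sorted distinct sources that tried TCP/<port> into <net> that day."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != 6 or rec["dport"] != port:
            continue
        if ip_address(rec["dst"]) not in net:
            continue
        hits[f"{rec['mon']} {rec['day']}"].add(rec["src"])
    return {day: sorted(srcs) for day, srcs in hits.items()}

# Sample input: lines from the post's excerpt plus two constructed non-matching lines.
SAMPLE = [
    "Aug 10 05:15:48 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.56:4425 1.11.68.22:445 L=40 S=0x00 I=42620 F=0x4000 T=128 (#13)",
    "Aug 10 05:54:32 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.78:1160 1.11.31.99:445 L=79 S=0x00 I=11794 F=0x4000 T=128 (#13)",
    # constructed: TCP/445, but the destination is outside 1.11.0.0/16, so not counted
    "Aug 10 06:10:01 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.3.90:1034 10.1.2.3:445 L=79 S=0x00 I=11900 F=0x4000 T=128 (#13)",
    # constructed: UDP/137 NBNS query into the range; not TCP/445, so not counted
    "Aug 10 06:12:05 peter-172 kernel: Packet log: input REJECT eth0 PROTO=17 172.30.3.56:137 1.11.68.22:137 L=78 S=0x00 I=11950 F=0x4000 T=128 (#13)",
    "Sep  8 18:03:14 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=192 S=0x00 I=23459 F=0x4000 T=128 (#13)",
    "Sep  8 18:04:26 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23600 F=0x4000 T=128 (#13)",
]

if __name__ == "__main__":
    for day, hosts in suspicious_sources_by_day(SAMPLE).items():
        print(f"{day}: {len(hosts)} host(s) -> {', '.join(hosts)}")
```

Feeding the full firewall log through suspicious_sources_by_day gives the per-day host count directly; a rising count of distinct sources is the spreading behaviour the thread is worried about.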


