I would identify which IP is the source of all the arp requests from
your tcpdump capture file. You can only accurately do this if the
dump was obtained from the same subnet the originating arp requests
came from. Obtain the mac address of the suspicious IP either from your
switch mac-address-table or by pinging the host from a computer on the
same subnet as the suspicious IP. Set up a span/monitor port on the
switch with the suspicious IP and take a tcpdump from that point. If
you are seeing lots of outbound connections to many different IP's but
a single port then it is probably a computer infected with a virus such
as MyDoom or netsky. If you are seeing many outbound probes to random
ports then it could be someone port scanning your network from a
compromised machine.
M$ worms usually target ports 135/445
on other windoze computers.
Harry
Chemin, CISSP
Senior IT Security Analyst
Go Daddy Software
14455 North Hayden Road, Suite 226, Scottsdale, AZ 85260
480-505-8800 ext. 4194
-------- Original Message --------
Subject:
[Snort-sigs] ARP "Who has (one address)" > "Tell
(many
different, random IP's)"
From: "Les Yaw"
<yawles@luther.edu>
Date: Thu, October 28, 2004 6:09 am
To: snort-sigs@lists.sourceforge.net
Cc: "Adam
Forsyth" <forsytad@luther.edu>, "Jeff Williams"
<willje01@luther.edu>
We're a "residential
college" with over 2,700 college students with
their own
computers on our "ResNet." We seem to be under attack from
within. My Senior Sys Admin looked on the firewall's tcpdump
activity
shows massive quantities of ARP traffic, which ask
"Who has (one single
internal IP address)" with a
destination of "Tell (multiple, random
internal IP
addresses)."
We're with the belief this is the
activity of a slew of zombie computers
on our network.
Has anyone ever seen such activity?
Can you tell us what the
name of this trojan/worm/viruii is?
How can we detect this?
Thank you in advance,
Newbie
Les Yaw
Luther College
Decorah, IA
-------------------------------------------------------
This
SF.Net email is sponsored by:
Sybase ASE Linux Express Edition -
download now for FREE
LinuxWorld Reader's Choice Award Winner for
best database on Linux.
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
_______________________________________________
Snort-sigs
mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
-------------------------------------------------------
This Newsletter Sponsored by: Macrovision
For reliable Linux application installations, use the industry's leading
setup authoring tool, InstallShield X. Learn more and evaluate
today. http://clk.atdmt.com/MSI/go/ins0030000001msi/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
