Security Incidents mailing list archives
Re: unusual 1.11.0.0/16 outbound traffic
From: Andrew Heath <ah228 () cornell edu>
Date: Mon, 20 Sep 2004 11:28:46 -0400
I saw similar traffic to this when a consultant typo'ed the AD domain name in a remote office re-install. The clients began trying to authenticate and connect against a server on the other side of the world and logged up a lot of bogus outgoing 445's.
At 05:23 PM 9/14/2004, Federico Grau wrote:
Hello Incidents folk,

We have been seeing an increasing amount of unusual network activity trying to get out of our internal LAN. What is most odd about this traffic is that the traffic is directed to the 1.11.0.0/16 subnet (an IANA Reserved subnet, which I believe is to be used for VPNs). The activity began 2004-08-10 with 4 machines trying to send packets out at different times. Slowly the number of machines trying to send out this network traffic has grown to 18 last week.

<snip>
Sep 8 18:04:32 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23906 F=0x4000 T=128 (#13)
Sep 8 18:04:39 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=24135 F=0x4000 T=128 (#13)
Sep 8 18:04:41 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=93 S=0x00 I=24136 F=0x4000 T=128 (#13)
Andrew Heath Systems Administrator Cornell Cooperative Extension
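The quoted "Packet log:" lines are in the ipchains kernel log format. The following script, added here as an illustration and not code from anyone in the thread, parses that format and does the triage the original poster describes by hand: it picks out rejected TCP packets to port 445 whose destination falls in a watched range, then groups them by internal source host with a first-seen timestamp, so a growing list of affected machines (4 hosts, then 18) shows up directly. The watched range 1.11.0.0/16 is taken from the post; treating it as a watchlist is an assumption of this example (1.0.0.0/8 has since been allocated and is no longer a reserved range), as is the inclusion of port 139 alongside 445. The three log lines are those quoted above; the two extra lines are constructed for the example.

```python
import re
import ipaddress
from collections import defaultdict

# Field layout of the ipchains "Packet log:" lines quoted in the thread:
#   <ts> <host> kernel: Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...
# The trailing L=/S=/I=/F=/T= fields are not needed here and are ignored.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: '
    r'(?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) '
    r'(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)'
)

# Assumptions for this example: the destination range from the post, and
# SMB over TCP (445) plus NetBIOS session (139). Not a current bogon list.
WATCH_NETS = [ipaddress.ip_network("1.11.0.0/16")]
WATCH_PORTS = {445, 139}
TCP = 6

# The three lines quoted in the post plus two constructed lines: a benign web
# request to an internal host, and a second internal host hitting the same range.
SAMPLE_LINES = [
    "Sep 8 18:04:32 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=23906 F=0x4000 T=128 (#13)",
    "Sep 8 18:04:39 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=79 S=0x00 I=24135 F=0x4000 T=128 (#13)",
    "Sep 8 18:04:41 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.201:4801 1.11.69.61:445 L=93 S=0x00 I=24136 F=0x4000 T=128 (#13)",
    # constructed: internal HTTP, should not be flagged
    "Sep 8 18:05:02 peter-172 kernel: Packet log: input ACCEPT eth0 PROTO=6 172.30.2.201:4810 172.30.1.10:80 L=60 S=0x00 I=24200 F=0x4000 T=128 (#2)",
    # constructed: a second host trying SMB against the same /16
    "Sep 8 18:06:15 peter-172 kernel: Packet log: input REJECT eth0 PROTO=6 172.30.2.77:1234 1.11.12.34:445 L=79 S=0x00 I=811 F=0x4000 T=128 (#13)",
]


def parse_line(line):
    """Parse one ipchains log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def is_suspicious(rec):
    """True for TCP packets to a watched port whose destination is in a watched range."""
    if rec is None or rec["proto"] != TCP or rec["dport"] not in WATCH_PORTS:
        return False
    dst = ipaddress.ip_address(rec["dst"])
    return any(dst in net for net in WATCH_NETS)


def summarize(lines):
    """Group suspicious packets by internal source host.

    Returns {src: {"count": n, "first_seen": ts, "dsts": set_of_destinations}} so that
    newly appearing hosts (the growth the poster describes) are easy to spot.
    """
    hosts = defaultdict(lambda: {"count": 0, "first_seen": None, "dsts": set()})
    for line in lines:
        rec = parse_line(line)
        if not is_suspicious(rec):
            continue
        entry = hosts[rec["src"]]
        entry["count"] += 1
        entry["dsts"].add(rec["dst"])
        if entry["first_seen"] is None:
            entry["first_seen"] = rec["ts"]
    return dict(hosts)


if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{src}: {info['count']} packets, first seen {info['first_seen']}, "
              f"targets {sorted(info['dsts'])}")
```

Run against a real log, feed the file's lines to `summarize()` and diff the set of source hosts from one day to the next; a host that appears for the first time is the one to check for a mistyped domain name or a stale domain-controller entry, which is what both replies in this thread point at.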
Current thread:
- unusual 1.11.0.0/16 outbound traffic Federico Grau (Sep 15)
- RE: unusual 1.11.0.0/16 outbound traffic Michael Zanetta (Sep 15)
- Re: unusual 1.11.0.0/16 outbound traffic Andrew Heath (Sep 22)
- <Possible follow-ups>
- RE: unusual 1.11.0.0/16 outbound traffic Jim Harrison (ISA) (Sep 16)
- Re: unusual 1.11.0.0/16 outbound traffic James C. Slora Jr. (Sep 17)