Educause Security Discussion mailing list archives

Infected??


From: Peter Charbonneau <Peter.Charbonneau () WILLIAMS EDU>
Date: Tue, 21 Sep 2004 08:23:56 -0400

We have been blocking tcp port 445 (along with others) for a while now.
I run tcpdump - [tcpdump -i xl1 tcp port 445] - on our firewall
looking for korgo infected machines.  This has worked well; however,
lately I have been seeing packet headers that don't SEEM to fit the
"korgo model" (below).  Are these machines POTENTIALLY infected, or are
these "valid" packets because of the way the network adapter is set up
on a WinXP machine?  Ideas? Comments?

07:57:42.821294 williams-222-137.williams.edu.52515 > 192.168.0.1.445:
S 4201417517:4201417517(0) win 65535 <mss 1460,nop,wscale
0,nop,nop,timestamp 1601214005 0> (DF)
07:57:45.746686 williams-222-137.williams.edu.52515 > 192.168.0.1.445:
S 4201417517:4201417517(0) win 65535 <mss 1460,nop,wscale
0,nop,nop,timestamp 1601214010 0> (DF)
07:57:48.747147 williams-222-137.williams.edu.52515 > 192.168.0.1.445:
S 4201417517:4201417517(0) win 65535 <mss 1460,nop,wscale
0,nop,nop,timestamp 1601214016 0> (DF)
07:57:51.747693 williams-222-137.williams.edu.52515 > 192.168.0.1.445:
S 4201417517:4201417517(0) win 65535 <mss 1460> (DF)
07:57:54.748095 williams-222-137.williams.edu.52515 > 192.168.0.1.445:
S 4201417517:4201417517(0) win 65535 <mss 1460> (DF)
07:57:57.748612 williams-222-137.williams.edu.52515 > 192.168.0.1.445:
S 4201417517:4201417517(0) win 65535 <mss 1460> (DF)
07:58:03.749232 williams-222-137.williams.edu.52515 > 192.168.0.1.445:
S 4201417517:4201417517(0) win 65535 <mss 1460> (DF)
07:58:15.750751 williams-222-137.williams.edu.52515 > 192.168.0.1.445:
S 4201417517:4201417517(0) win 65535 <mss 1460> (DF)
07:58:39.753207 williams-222-137.williams.edu.52515 > 192.168.0.1.445:
S 4201417517:4201417517(0) win 65535 <mss 1460> (DF)
08:00:19.030358 williams-222-137.williams.edu.52517 >
192.168.1.102.445: S 3942653968:3942653968(0) win 65535 <mss
1460,nop,wscale 0,nop,nop,timestamp 1601214317 0> (DF)
08:00:21.762352 williams-222-137.williams.edu.52517 >
192.168.1.102.445: S 3942653968:3942653968(0) win 65535 <mss
1460,nop,wscale 0,nop,nop,timestamp 1601214322 0> (DF)
08:00:24.762510 williams-222-137.williams.edu.52517 >
192.168.1.102.445: S 3942653968:3942653968(0) win 65535 <mss
1460,nop,wscale 0,nop,nop,timestamp 1601214328 0> (DF)
08:00:27.762753 williams-222-137.williams.edu.52517 >
192.168.1.102.445: S 3942653968:3942653968(0) win 65535 <mss 1460> (DF)
08:00:30.763368 williams-222-137.williams.edu.52517 >
192.168.1.102.445: S 3942653968:3942653968(0) win 65535 <mss 1460> (DF)
08:00:33.763334 williams-222-137.williams.edu.52517 >
192.168.1.102.445: S 3942653968:3942653968(0) win 65535 <mss 1460> (DF)
08:00:39.763817 williams-222-137.williams.edu.52517 >
192.168.1.102.445: S 3942653968:3942653968(0) win 65535 <mss 1460> (DF)
08:00:51.764759 williams-222-137.williams.edu.52517 >
192.168.1.102.445: S 3942653968:3942653968(0) win 65535 <mss 1460> (DF)
08:01:15.766557 williams-222-137.williams.edu.52517 >
192.168.1.102.445: S 3942653968:3942653968(0) win 65535 <mss 1460> (DF)
08:02:55.263679 williams-222-137.williams.edu.52519 >
169.254.62.27.445: S 3260523370:3260523370(0) win 65535 <mss
1460,nop,wscale 0,nop,nop,timestamp 1601214629 0> (DF)
08:02:57.775339 williams-222-137.williams.edu.52519 >
169.254.62.27.445: S 3260523370:3260523370(0) win 65535 <mss
1460,nop,wscale 0,nop,nop,timestamp 1601214634 0> (DF)
08:03:00.775641 williams-222-137.williams.edu.52519 >
169.254.62.27.445: S 3260523370:3260523370(0) win 65535 <mss
1460,nop,wscale 0,nop,nop,timestamp 1601214640 0> (DF)
08:03:03.775915 williams-222-137.williams.edu.52519 >
169.254.62.27.445: S 3260523370:3260523370(0) win 65535 <mss 1460> (DF)
08:03:06.776177 williams-222-137.williams.edu.52519 >
169.254.62.27.445: S 3260523370:3260523370(0) win 65535 <mss 1460> (DF)
08:03:09.776793 williams-222-137.williams.edu.52519 >
169.254.62.27.445: S 3260523370:3260523370(0) win 65535 <mss 1460> (DF)
08:03:15.777638 williams-222-137.williams.edu.52519 >
169.254.62.27.445: S 3260523370:3260523370(0) win 65535 <mss 1460> (DF)
08:03:27.778574 williams-222-137.williams.edu.52519 >
169.254.62.27.445: S 3260523370:3260523370(0) win 65535 <mss 1460> (DF)
08:03:51.780642 williams-222-137.williams.edu.52519 >
169.254.62.27.445: S 3260523370:3260523370(0) win 65535 <mss 1460> (DF)



PeteC

Peter Charbonneau
Sr. Network and Systems Administrator
Williams College
(413) 597-3408 (desk)
(413) 822-2922 (cell)
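The question above comes down to telling a TCP stack retrying one failed connection attempt apart from a host spraying SYNs at many addresses. The following is an added example, not part of the original post or the list's tooling: it parses tcpdump SYN summary lines of the format shown above (assuming each summary is on a single line, so the mail-wrapped lines would need re-joining first), counts retransmissions (same source port and sequence number seen again), distinct targets, and destinations in RFC 1918 or 169.254/16 space that should never leave a campus edge. The sample lines, hosts, ports and sequence numbers are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# One-line tcpdump SYN summary, as in the capture above:
#   HH:MM:SS.usec src.sport > dst.dport: S seq:seq(0) win ...
SYN_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+S\s+(?P<seq>\d+):"
)
# RFC 1918 plus 169.254/16 link-local: never a valid destination past the edge.
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
# Constructed sample (hosts, ports, sequence numbers made up): host-a repeats
# one SYN per destination, host-b sends fresh SYNs to many destinations.
SAMPLE = """\
07:57:42.821294 host-a.example.edu.52515 > 192.168.0.1.445: S 4201417517:4201417517(0) win 65535 <mss 1460> (DF)
07:57:45.746686 host-a.example.edu.52515 > 192.168.0.1.445: S 4201417517:4201417517(0) win 65535 <mss 1460> (DF)
08:00:19.030358 host-a.example.edu.52517 > 192.168.1.102.445: S 3942653968:3942653968(0) win 65535 <mss 1460> (DF)
08:00:21.762352 host-a.example.edu.52517 > 192.168.1.102.445: S 3942653968:3942653968(0) win 65535 <mss 1460> (DF)
08:02:55.263679 host-a.example.edu.52519 > 169.254.62.27.445: S 3260523370:3260523370(0) win 65535 <mss 1460> (DF)
08:05:00.100000 host-b.example.edu.1051 > 203.0.113.1.445: S 100:100(0) win 16384 <mss 1460> (DF)
08:05:00.200000 host-b.example.edu.1052 > 203.0.113.2.445: S 200:200(0) win 16384 <mss 1460> (DF)
08:05:00.300000 host-b.example.edu.1053 > 203.0.113.3.445: S 300:300(0) win 16384 <mss 1460> (DF)
08:05:00.400000 host-b.example.edu.1054 > 203.0.113.4.445: S 400:400(0) win 16384 <mss 1460> (DF)
"""

def summarize(lines):
    """Per source: SYN count, distinct targets, retransmissions (same source
    port and sequence number again, i.e. one attempt being retried) and
    destinations in unroutable space."""
    stats = defaultdict(lambda: {"syns": 0, "flows": set(), "targets": set(),
                                 "unroutable": set(), "retransmits": 0})
    for line in lines:
        m = SYN_RE.match(line)
        if not m:
            continue  # not a SYN summary line
        s = stats[m["src"]]
        s["syns"] += 1
        flow = (m["sport"], m["seq"])
        s["retransmits"] += int(flow in s["flows"])
        s["flows"].add(flow)
        s["targets"].add((m["dst"], m["dport"]))
        if any(ipaddress.ip_address(m["dst"]) in net for net in UNROUTABLE):
            s["unroutable"].add(m["dst"])
    return stats

def classify(s, scan_threshold=4):
    """Many targets, no retries: scanner. Few targets, repeated SYNs: retrying."""
    if len(s["targets"]) >= scan_threshold and s["retransmits"] == 0:
        return "scanner"
    return "retries-unroutable" if s["unroutable"] else "retries"
```

Run over a real `tcpdump -i xl1 tcp port 445` capture, `retries-unroutable` points at a host whose stack keeps retrying a connection to a private or link-local address (a stale mapped drive or adapter setting is the usual cause), while `scanner` is the pattern worth pulling off the network.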

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.