Security Incidents mailing list archives

Re: Strange Activity -- Help


From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Wed, 21 Feb 2001 16:05:12 -0800

"Nanney, Jim" wrote:

> I have been receiving strange traffic on my local home network since the day
> I set up my firewall (log to follow).

> I have been recording it and have also sent a copy to my ISP's abuse
> department.

> I use a cable modem service so I do not believe the attack is aimed at my
> box, but it has some strange things in it and I was looking for verification
> of what it is.

> Here are the logs:
>
> Feb 21 09:54:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)
> Feb 21 09:57:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)
> Feb 21 10:00:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)
> Feb 21 10:03:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)
> Feb 21 10:06:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)

> From what I can make out, it is a scan for a trojan using a spoofed ip
> (192.168.100.1) going over a multicast address (224.0.0.1). The port being
> 65535 made me wonder, so here is what I found on that port:

Note, "PROTO=2," which is IGMP. These are not TCP packets. IGMP does not
have port numbers; the numbers shown are meaningless. 224.0.0.1 is
the "all-hosts" group. See RFC1112.

> RC1 Trojan uses this port.  I found this at this site:
> http://www.simovit.com/trojans/tr_data/y805.html
                     ^^
You misspelled 'simovits,' but again, this isn't TCP, the reference is
irrelevant.

> Can anyone correct my mistake if I am wrong or tell me what else may be
> causing these packets every 3 minutes?

Some machine somewhere is trying to find its place in the multicast
world. I am surprised you don't see a lot more of this coming from
other addresses too if you live on a broadcast domain.

> Also would it be worth sniffing and
> capturing the packet to look for other clues?

Go nuts. But this is almost certainly not hostile traffic. However,
if these are valid IGMP, I really wonder where those port numbers
are coming from if IPChains is making them up the way I would expect.
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster () globalstar com
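The point Crist makes above (PROTO=2 is IGMP, IGMP has no ports, 224.0.0.1 is the RFC 1112 all-hosts group, and a packet every three minutes is a timer, not a scan) is easy to get wrong when reading ipchains output by hand, because the logger prints a :port suffix for every protocol. The following is an added example, not code from the thread or from ipchains: a small Python parser for the "Packet log:" line format that drops the port fields for anything other than TCP/UDP, labels the all-hosts IGMP case, and reports the spacing between packets. The log lines are the five from the thread re-joined onto single lines (the archive wrapped them); the TCP line, the 203.0.113.5 address and all function names are constructed for the example. L=28 matching a 20-byte IP header plus an 8-byte IGMPv1/v2 message, and TTL=1 meaning the datagram is never forwarded off the local link, are the two header facts the classification relies on.

```python
import re
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample: the five ipchains lines quoted in the thread, re-joined.
SAMPLE_LOG = [
    "Feb 21 09:54:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 "
    "192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)",
    "Feb 21 09:57:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 "
    "192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)",
    "Feb 21 10:00:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 "
    "192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)",
    "Feb 21 10:03:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 "
    "192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)",
    "Feb 21 10:06:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 "
    "192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)",
]
# Constructed TCP line (documentation-range source address) to contrast with IGMP:
# here the :port fields are real header fields and must be kept.
TCP_SAMPLE = ("Feb 21 10:07:01 nanlinux kernel: Packet log: input DENY eth0 PROTO=6 "
              "203.0.113.5:4321 192.168.1.2:65535 L=48 S=0x00 I=12345 F=0x4000 T=113 (#7)")

# ipchains "Packet log:" line layout as it appears in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?$"
)

IP_PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
PROTOS_WITH_PORTS = {6, 17}      # only TCP and UDP headers carry port numbers
ALL_HOSTS_GROUP = "224.0.0.1"    # RFC 1112 all-hosts multicast group
IGMP_QUERY_LEN = 28              # 20-byte IP header + 8-byte IGMPv1/v2 message


def parse_line(line):
    """Parse one ipchains line into a dict, or return None if it does not match.
    For protocols without ports the :port values are discarded: ipchains prints
    whatever sits at the port offset (65535 above) regardless of protocol."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    proto = int(f["proto"])
    has_ports = proto in PROTOS_WITH_PORTS
    return {
        "time": datetime.strptime(f["ts"], "%b %d %H:%M:%S"),  # year not logged
        "host": f["host"], "chain": f["chain"], "action": f["action"],
        "iface": f["iface"], "proto": proto,
        "proto_name": IP_PROTO_NAMES.get(proto, "IP proto %d" % proto),
        "src": f["src"], "dst": f["dst"],
        "sport": int(f["sport"]) if has_ports else None,
        "dport": int(f["dport"]) if has_ports else None,
        "length": int(f["length"]), "ttl": int(f["ttl"]),
        "rule": int(f["rule"]) if f["rule"] else None,
    }


def classify(rec):
    """Label a parsed record. 'igmp-all-hosts-query' is the benign case in the
    thread: a link-local (TTL 1) IGMP message of query size sent to 224.0.0.1."""
    if rec["proto"] == 2:
        if (rec["dst"] == ALL_HOSTS_GROUP and rec["ttl"] == 1
                and rec["length"] == IGMP_QUERY_LEN):
            return "igmp-all-hosts-query"
        return "igmp-other"
    if ipaddress.ip_address(rec["dst"]).is_multicast:
        return "multicast-other"
    return "unicast"


def analyze(lines):
    """Parse a log, count labels and compute the gaps between successive packets,
    so a fixed timer (180 s here) is visible next to the labels."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    labels = Counter(classify(r) for r in recs)
    times = sorted(r["time"] for r in recs)
    intervals = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return {"parsed": len(recs), "labels": dict(labels), "intervals_seconds": intervals}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
    print(parse_line(TCP_SAMPLE))
```

Run on the thread's lines, `analyze` reports five `igmp-all-hosts-query` records with intervals of exactly 180 seconds, which is the timer-driven signature Crist describes; the same parser keeps 4321/65535 as genuine ports on the constructed TCP line, so a port-based lookup is only attempted where the header actually has ports.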

