Security Incidents mailing list archives
Re: Strange Activity -- Help
From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Wed, 21 Feb 2001 16:05:12 -0800
"Nanney, Jim" wrote:
> I have been receiving strange traffic on my local home network since the day I set up my firewall (log to follow). I have been recording it and have also sent a copy to my ISP's abuse department. I use a cable modem service so I do not believe the attack is aimed at my box, but it has some strange things in it and I was looking for verification of what it is. Here are the logs:
>
> Feb 21 09:54:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)
> Feb 21 09:57:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)
> Feb 21 10:00:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)
> Feb 21 10:03:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)
> Feb 21 10:06:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)
>
> From what I can make out, it is a scan for a trojan using a spoofed IP (192.168.100.1) going over a multicast address (224.0.0.1). The port being 65535 made me wonder, so here is what I found on that port:
Note, "PROTO=2," which is IGMP. These are not TCP packets. IGMP does not have port numbers; the numbers shown are meaningless. 224.0.0.1 is the "all-hosts" group. See RFC1112.
> RC1 Trojan uses this port. I found this at this site: http://www.simovit.com/trojans/tr_data/y805.html
^^ You misspelled 'simovits,' but again, this isn't TCP; the reference is irrelevant.
> Can anyone correct my mistake if I am wrong or tell me what else may be causing these packets every 3 minutes?
Some machine somewhere is trying to find its place in the multicast world. I am surprised you don't see a lot more of this coming from other addresses too if you live on a broadcast domain.
> Also would it be worth sniffing and capturing the packet to look for other clues?
Go nuts. But this is almost certainly not hostile traffic. However, if these are valid IGMP, I really wonder where those port numbers are coming from if IPChains is making them up the way I would expect.

--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                 Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster () globalstar com
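The point made in this reply, that ipchains prints a port column for every protocol while only TCP and UDP actually carry ports, is easy to bake into log triage so the next reader does not chase a "port 65535" down a trojan list. The Python below is an added example written for this archive page, not code from either poster or from the ipchains project. It parses ipchains "Packet log:" lines (the sample is two of the IGMP lines quoted above plus one constructed TCP line with made-up addresses), discards the port column for anything other than TCP/UDP, recognises IGMP sent to 224.0.0.1 with TTL 1 as a local membership query per RFC 1112, and measures the gap between repeats from the same source so the "every 3 minutes" pattern shows up as a number.

```python
"""Triage ipchains "Packet log:" lines: decode PROTO, decide whether the
port columns mean anything, and recognise IGMP to the all-hosts group as
ordinary local multicast housekeeping rather than a scan."""
import re
import ipaddress
from datetime import datetime

# Constructed sample: two IGMP lines as quoted in the thread, plus one
# made-up TCP line (hypothetical addresses) for contrast.
SAMPLE_LOG = """\
Feb 21 09:54:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)
Feb 21 09:57:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=2 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#5)
Feb 21 10:00:32 nanlinux kernel: Packet log: input REJECT eth0 PROTO=6 10.0.0.7:4321 192.168.1.2:65535 L=44 S=0x00 I=1234 F=0x4000 T=64 (#5)
"""

PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
PORTED_PROTOS = {6, 17}                          # only TCP and UDP have ports
ALL_HOSTS = ipaddress.ip_address("224.0.0.1")    # RFC 1112 all-hosts group

# Field layout of an ipchains log line; the trailing "(#rule)" is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ident>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
)


def parse_line(line):
    """Decode one ipchains log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto = int(m["proto"])
    dst = ipaddress.ip_address(m["dst"])
    return {
        # syslog timestamps carry no year; strptime defaults it, which is
        # fine for computing intervals between entries
        "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "chain": m["chain"], "action": m["action"], "iface": m["iface"],
        "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, f"proto-{proto}"),
        "src": ipaddress.ip_address(m["src"]),
        "dst": dst,
        # ipchains prints a port column for every protocol; keep it only
        # where the protocol actually has ports
        "ports": (int(m["sport"]), int(m["dport"])) if proto in PORTED_PROTOS else None,
        "length": int(m["length"]),
        "tos": int(m["tos"], 16),
        "ttl": int(m["ttl"]),
        "dst_multicast": dst.is_multicast,
    }


def assess(rec):
    """One-line triage verdict for a parsed record."""
    if rec["proto"] == 2:
        if rec["dst"] == ALL_HOSTS and rec["ttl"] == 1:
            return ("IGMP to the all-hosts group 224.0.0.1 with TTL 1: a local "
                    "multicast membership query (RFC 1112); no ports involved, "
                    "not a trojan scan")
        return "IGMP: no port numbers exist, the port column is meaningless"
    if rec["ports"] is None:
        return f"{rec['proto_name']}: port column not applicable"
    sport, dport = rec["ports"]
    return f"{rec['proto_name']} {rec['src']}:{sport} -> {rec['dst']}:{dport}"


def parse_log(text):
    """Parse every matching line of a log excerpt, skipping unrelated lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def intervals_seconds(records):
    """Seconds between consecutive entries sharing src/dst/proto, keyed by that
    triple, so a 'every 3 minutes' pattern appears as a run of 180s."""
    out, last_seen = {}, {}
    for r in records:
        key = (str(r["src"]), str(r["dst"]), r["proto"])
        prev = last_seen.get(key)
        if prev is not None:
            out.setdefault(key, []).append(int((r["time"] - prev).total_seconds()))
        last_seen[key] = r["time"]
    return out


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for rec in records:
        print(rec["time"].strftime("%H:%M:%S"), assess(rec))
    print(intervals_seconds(records))
```

Run against a real ipchains log, the interval map is the quickest way to separate a periodic router query (a steady 180 s from one source to 224.0.0.1) from anything that actually varies its source or destination.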
Current thread:
- Strange Activity -- Help Nanney, Jim (Feb 21)
- Re: Strange Activity -- Help Crist Clark (Feb 21)
- Re: Strange Activity -- Help Daniel Martin (Feb 21)
- Re: Strange Activity -- Help Antonio Carlos Pina (Feb 22)