Security Incidents mailing list archives

Re: Odd traffic again...... internal --> 100.100.100.1 (137-udp)


From: loki74 <loki74 () gmail com>
Date: Thu, 24 Aug 2006 11:59:17 -0400

Static IP.
Nothing in LMHosts.
There is no IP of 100.100.100.1; I added a host of 100.100.100.2 and nmap'd it.
It is odd...

On 8/24/06, Joel Esler <joel.esler () sourcefire com> wrote:
Do you have an IP on your network of 100.100.100.1?

Joel


On Thu, Aug 24, 2006 at 10:42:28AM -0400, loki74 apparently sent me:
> Hello,
> I have posted before about a Windows box that sent traffic to
> different IPs on port 137, and never really got a solution to it. We
> have since wiped that box. Now we have a new box, built in a DMZ
> (fresh install, all patches applied) and just connected it to the
> internal LAN (behind the fw).  The box now sends UDP port 137 to
> 100.100.100.1.  The perimeter firewall blocks this, and that is where
> it was noticed. I have started logging on my firewall to find out who
> it was, and it is an internal box.
>
> Cisco ACL:
>
> Aug 24 12:28:42: %SEC-6-IPACCESSLOGP: list internal_out denied udp
> x.x.x.x(49375) -> 100.100.100.1(137), 5 packets
>
> Firewall Log:
>
> eth4c0:i[78]: 192.168.x.x -> 100.100.100.1 (UDP) len=78 id=13167
> UDP: 137 -> 137
> eth4c0:I[78]: 192.168.x.x -> 100.100.100.1 (UDP) len=78 id=13167
> UDP: 137 -> 137
> eth1c0:o[78]: 192.168.x.x -> 100.100.100.1 (UDP) len=78 id=13167
> UDP: 137 -> 137
> eth1c0:O[78]: 68.163.87.34 -> 100.100.100.1 (UDP) len=78 id=13167
> UDP: 49902 -> 137
>
> I am now capturing the traffic again, though there is nothing in it.
> Anyone ever seen this?
>
> T
>
+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
       Snort - Open Source Network IPS/IDS -- http://www.snort.org
         gpg key: http://demo.sourcefire.com/jesler.pgp.key
           aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj
+---------------------------------------------------------------------+
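Added example, not part of the thread: a small Python checker that parses the two log formats quoted above (the Cisco IPACCESSLOGP syslog line and the two-line firewall entries) and flags NetBIOS name-service traffic (udp/137) whose destination lies outside RFC 1918 space, which is the condition the perimeter ACL caught here. The sample lines are constructed from the quoted formats; the internal source addresses are made up.

```python
import ipaddress
import re
from typing import NamedTuple

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NBNS_PORT = 137  # NetBIOS name service

class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

# Constructed samples modelled on the thread's log excerpts (x.x.x.x replaced by 10.1.1.25).
CISCO_LINES = [
    "Aug 24 12:28:42: %SEC-6-IPACCESSLOGP: list internal_out denied udp 10.1.1.25(49375) -> 100.100.100.1(137), 5 packets",
    "Aug 24 12:29:01: %SEC-6-IPACCESSLOGP: list internal_out permitted udp 10.1.1.25(137) -> 10.1.1.255(137), 1 packet",
]
FW_LINES = [
    "eth4c0:i[78]: 192.168.1.50 -> 100.100.100.1 (UDP) len=78 id=13167",
    "UDP: 137 -> 137",
    "eth1c0:O[78]: 68.163.87.34 -> 100.100.100.1 (UDP) len=78 id=13167",
    "UDP: 49902 -> 137",
]

CISCO_RE = re.compile(r"%SEC-6-IPACCESSLOGP: list \S+ (?:denied|permitted) (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\)")
FW_HDR_RE = re.compile(r"^\w+:\w\[\d+\]: (\S+) -> (\S+) \((\w+)\)")
FW_PORT_RE = re.compile(r"^\w+: (\d+) -> (\d+)$")

def parse_cisco(line):
    """One Cisco ACL log line -> Flow, or None if it is not an IPACCESSLOGP entry."""
    m = CISCO_RE.search(line)
    if not m:
        return None
    proto, src, sport, dst, dport = m.groups()
    return Flow(src, int(sport), dst, int(dport), proto.lower())

def parse_firewall(lines):
    """Firewall entries span two lines: an address header, then 'UDP: sport -> dport'."""
    flows = []
    for hdr, ports in zip(lines, lines[1:]):
        h, p = FW_HDR_RE.match(hdr), FW_PORT_RE.match(ports)
        if h and p:
            src, dst, proto = h.groups()
            flows.append(Flow(src, int(p.group(1)), dst, int(p.group(2)), proto.lower()))
    return flows

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def offsite_nbns(flows):
    """NetBIOS name-service queries whose destination is outside private address space."""
    return [f for f in flows if f.proto == "udp" and f.dport == NBNS_PORT and not is_internal(f.dst)]

def analyse(cisco_lines=CISCO_LINES, fw_lines=FW_LINES):
    flows = [f for f in map(parse_cisco, cisco_lines) if f] + parse_firewall(fw_lines)
    return offsite_nbns(flows)
```

Running `analyse()` on the samples returns three flows, all to 100.100.100.1; the broadcast query to 10.1.1.255 is left alone.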



