nanog mailing list archives

Strange 192.168. UDP/138 Traffic


From: "Darrell Kristof" <darrell.kristof () wholefoods com>
Date: Thu, 29 Jan 2004 12:24:15 -0600


Hi everyone:

I'm having some strange traffic show up on my PIX.  Looking at the "show
conn" I have many, many machines attempting to make outbound UDP/138
connections to 192.168.x.x addresses.  We don't have any 192.168.x.x
addresses inside the company.  This is blocked at our Internet router, so
it's not going out, but I would still like to know what this is.

[Snip from "show conn | inc 192.168" on PIX]
(Internal IP addresses changed to protect the innocent - or not so innocent)
UDP     out     192.168.19.100:138      in      1.2.5.108:138
UDP     out     192.168.19.100:138      in      1.2.8.126:138
UDP     out     192.168.19.100:138      in      3.4.0.151:138
UDP     out     192.168.19.100:138      in      3.6.18.169:138
UDP     out     192.168.19.100:138      in      3.6.18.75:138
UDP     out     192.168.19.100:138      in      3.6.2.156:138
UDP     out     192.168.19.100:138      in      3.6.26.99:138
UDP     out     192.168.19.100:138      in      3.6.26.99:138
UDP     out     192.168.19.100:138      in      3.6.28.95:138
UDP     out     192.168.19.100:138      in      3.6.28.95:138
UDP     out     192.168.19.100:138      in      3.6.32.166:138
UDP     out     192.168.19.100:138      in      3.6.32.166:138
UDP     out     192.168.19.100:138      in      3.6.36.81:138
UDP     out     192.168.19.100:138      in      3.6.36.90:138
UDP     out     192.168.19.100:138      in      3.6.4.66:138
UDP     out     192.168.19.100:138      in      3.6.46.150:138
UDP     out     192.168.19.100:138      in      3.6.46.150:138
UDP     out     192.168.19.100:138      in      3.6.46.150:138
UDP     out     192.168.19.100:138      in      3.6.46.82:138
UDP     out     192.168.19.100:138      in      3.6.46.82:138
UDP     out     192.168.19.100:138      in      3.6.50.72:138
UDP     out     192.168.19.100:138      in      3.6.50.72:138

(and just keeps going and going and going...)

These machines are all over the country, here are the unique 192.168.
addresses they are all trying to connect to.  

192.168.19.100
192.168.2.15
192.168.2.230
192.168.28.21
192.168.34.99
192.168.34.99
192.168.64.67
192.168.77.223
192.168.80.7

If anyone knows anything about this, I would appreciate some feedback.  Feel
free to reply off-line and I'll reply to the list with the responses.  A
Norton AV scan shows nothing.

Thanks,

- Darrell

======================================================================
Darrell Kristof, CISSP, CCNP, TICSA
Network Manager/Team Leader
Whole Foods Market, Corporate Offices
E-Mail: darrell.kristof () wholefoods com  
  


