#1 | 12-29-2006, 04:21 PM | tiffini | interesting traffic

Hi,

I have noticed some interesting traffic coming from one of my PCs and then to one of my PCs.
First a little background.
I have a BEFSR41 router with SNMP :-) So I can log traffic going into my little network using WallWatcher and OpManager.

I have one XP machine I leave on a lot. I notice that it is sending UDP outbound from L-port 137 to R-port 137. Then in a relatively short amount of time I see an inbound request from a different IP to ports 1026, 1027, and 1028, from a different IP than the 137 was sent from. I have Norton running, and Ad-Aware and Spybot don't show anything.
The addresses seem to come from anywhere: China, Hong Kong, even the US and Canada.

Any ideas of what this is?

Log Snips:
-------------

alert_audit435.txt:20:54:06:542 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 20:54:06 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 221.6.163.50:137
alert_audit435.txt- alert_audit435.txt-20:54:45:033 ALERTAUDIT: System Clear: Tue Dec 26 20:54:44 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 202.97.238.132:32957 to WANIP:1026
alert_audit435.txt- alert_audit435.txt-20:55:43:724 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 20:55:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.159.205:19437 to WANIP:1027
alert_audit435.txt- alert_audit435.txt-20:55:43:836 ALERTAUDIT: System Clear: Tue Dec 26 20:55:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.159.205:19437 to WANIP:1028
alert_audit435.txt- Log Snips:
-------------


alert_audit435.txt:22:01:00:913 ALERTAUDIT: System Clear: Tue Dec 26 22:01:00 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 24.64.19.74:137
alert_audit435.txt- alert_audit435.txt-22:01:42:516 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:01:42 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.191.3.147:25931 to WANIP:1026
alert_audit435.txt- alert_audit435.txt-22:02:43:193 ALERTAUDIT: System Clear: Tue Dec 26 22:02:42 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.255.139:16957 to WANIP:1027
alert_audit435.txt- alert_audit435.txt-22:02:43:213 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:02:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.255.139:16957 to WANIP:1028
alert_audit435.txt- Log Snips:
-------------

alert_audit436.txt:22:36:32:840 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:36:32 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 204.16.209.30:137
alert_audit436.txt- alert_audit436.txt-22:38:33:569 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:38:33 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.252.244:10501 to WANIP:1026
alert_audit436.txt- alert_audit436.txt-22:38:33:686 ALERTAUDIT: System Clear: Tue Dec 26 22:38:33 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.252.244:10501 to WANIP:1027
alert_audit436.txt- alert_audit436.txt-22:38:33:694 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:38:33 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.252.244:10501 to WANIP:1027
alert_audit436.txt- alert_audit436.txt-22:38:33:697 ALERTAUDIT: System Clear: Tue Dec 26 22:38:33 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.252.244:10501 to WANIP:1028
alert_audit436.txt-


Log Snips:
-------------

alert_audit436.txt:22:45:48:878 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:45:48 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 24.64.5.208:137
alert_audit436.txt- alert_audit436.txt-22:51:51:654 ALERTAUDIT: System Clear: Tue Dec 26 22:51:51 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 204.16.208.76:37844 to WANIP:1026
alert_audit436.txt- alert_audit436.txt-22:51:51:661 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:51:51 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 204.16.208.76:37844 to WANIP:1026
alert_audit436.txt- alert_audit436.txt-22:51:51:769 ALERTAUDIT: System Clear: Tue Dec 26 22:51:51 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 204.16.208.76:37844 to WANIP:1027
alert_audit436.txt-
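
As an added example that is not part of the original post and is not WallWatcher or OpManager code: a Python script that parses the ALERTAUDIT trap lines above and correlates each outbound UDP 137 probe with the inbound UDP hits on ports 1024-1030 that follow it from other hosts, which is the pattern the post describes. The log lines are the ones quoted in the post; the ten-minute window and the function names are assumptions.

```python
"""Parse ALERTAUDIT trap lines and correlate each outbound NetBIOS name-service
probe (UDP 137 -> 137) with the inbound UDP hits on 1024-1030 that follow it."""
import re
from datetime import datetime, timedelta

# Sample input: the four log snips from the post, copied verbatim. The
# "alert_auditNNN.txt-" prefixes are grep context markers, not log content.
SAMPLE_LOG = """\
alert_audit435.txt:20:54:06:542 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 20:54:06 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 221.6.163.50:137
alert_audit435.txt- alert_audit435.txt-20:54:45:033 ALERTAUDIT: System Clear: Tue Dec 26 20:54:44 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 202.97.238.132:32957 to WANIP:1026
alert_audit435.txt- alert_audit435.txt-20:55:43:724 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 20:55:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.159.205:19437 to WANIP:1027
alert_audit435.txt- alert_audit435.txt-20:55:43:836 ALERTAUDIT: System Clear: Tue Dec 26 20:55:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.159.205:19437 to WANIP:1028
alert_audit435.txt:22:01:00:913 ALERTAUDIT: System Clear: Tue Dec 26 22:01:00 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 24.64.19.74:137
alert_audit435.txt- alert_audit435.txt-22:01:42:516 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:01:42 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.191.3.147:25931 to WANIP:1026
alert_audit435.txt- alert_audit435.txt-22:02:43:193 ALERTAUDIT: System Clear: Tue Dec 26 22:02:42 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.255.139:16957 to WANIP:1027
alert_audit435.txt- alert_audit435.txt-22:02:43:213 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:02:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.255.139:16957 to WANIP:1028
alert_audit436.txt:22:36:32:840 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:36:32 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 204.16.209.30:137
alert_audit436.txt- alert_audit436.txt-22:38:33:569 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:38:33 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.252.244:10501 to WANIP:1026
alert_audit436.txt- alert_audit436.txt-22:38:33:686 ALERTAUDIT: System Clear: Tue Dec 26 22:38:33 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.252.244:10501 to WANIP:1027
alert_audit436.txt- alert_audit436.txt-22:38:33:694 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:38:33 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.252.244:10501 to WANIP:1027
alert_audit436.txt- alert_audit436.txt-22:38:33:697 ALERTAUDIT: System Clear: Tue Dec 26 22:38:33 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.252.244:10501 to WANIP:1028
alert_audit436.txt:22:45:48:878 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:45:48 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 24.64.5.208:137
alert_audit436.txt- alert_audit436.txt-22:51:51:654 ALERTAUDIT: System Clear: Tue Dec 26 22:51:51 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 204.16.208.76:37844 to WANIP:1026
alert_audit436.txt- alert_audit436.txt-22:51:51:661 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:51:51 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 204.16.208.76:37844 to WANIP:1026
alert_audit436.txt- alert_audit436.txt-22:51:51:769 ALERTAUDIT: System Clear: Tue Dec 26 22:51:51 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 204.16.208.76:37844 to WANIP:1027
"""

# The embedded "Tue Dec 26 20:54:06 CST 2006" stamp is the one we trust, then the
# traffic record itself ("@out UDP from A:p to B:q").
LINE_RE = re.compile(
    r"(?P<stamp>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) CST (?P<year>\d{4})"
    r".*?@(?P<dir>in|out) (?P<proto>UDP|TCP) "
    r"from (?P<src>[\w.]+):(?P<sport>\d+) to (?P<dst>[\w.]+):(?P<dport>\d+)"
)
# Ports the later replies say to block at the router (TCP and UDP 135-139, 445).
NETBIOS_SMB_PORTS = {135, 136, 137, 138, 139, 445}
# Inbound target range the thread discusses (Messenger-service spam lands here).
SPAM_TARGET_PORTS = set(range(1024, 1031))


def parse_events(text):
    """Turn ALERTAUDIT lines into dicts sorted by time; non-traffic lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        when = datetime.strptime(f"{m['stamp']} {m['year']}", "%a %b %d %H:%M:%S %Y")
        events.append({"when": when, "dir": m["dir"], "proto": m["proto"],
                       "src": m["src"], "sport": int(m["sport"]),
                       "dst": m["dst"], "dport": int(m["dport"])})
    return sorted(events, key=lambda e: e["when"])


def correlate(events, window=timedelta(minutes=10)):
    """One finding per outbound UDP 137 probe: the inbound UDP datagrams to
    1024-1030 that arrive within `window` (assumed) from hosts other than the target."""
    findings = []
    for probe in events:
        if not (probe["dir"] == "out" and probe["proto"] == "UDP" and probe["sport"] == 137):
            continue
        deadline = probe["when"] + window
        hits = [e for e in events
                if e["dir"] == "in" and e["proto"] == "UDP"
                and e["dport"] in SPAM_TARGET_PORTS
                and probe["when"] <= e["when"] <= deadline
                and e["src"] != probe["dst"]]
        findings.append({"probe_time": probe["when"].isoformat(),
                         "probe_target": probe["dst"],
                         "hits": len(hits),
                         "inbound_sources": sorted({e["src"] for e in hits}),
                         "ports_hit": sorted({e["dport"] for e in hits})})
    return findings


def router_block_candidates(events):
    """(proto, port) pairs from the NetBIOS/SMB set that the LAN actually sent
    outbound, i.e. what a router-side block of 135-139/445 would have stopped."""
    found = set()
    for e in events:
        if e["dir"] == "out":
            found.update((e["proto"], p) for p in (e["sport"], e["dport"])
                         if p in NETBIOS_SMB_PORTS)
    return found


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in correlate(evs):
        print(f"{f['probe_time']} probe -> {f['probe_target']}: {f['hits']} inbound "
              f"hit(s) on {f['ports_hit']} from {f['inbound_sources']}")
    print("outbound NetBIOS/SMB seen:", router_block_candidates(evs))
```

Run against the post's own lines it reports four probes, each followed within a couple of minutes by inbound UDP to 1026-1028 from a host unrelated to the probe target, which is exactly the observation the question describes; the same script run over a full day of alerts would show whether the inbound hits also arrive without a preceding probe (which is what the later replies, calling it ordinary Messenger spam, would predict).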

#2 | 12-29-2006, 04:38 PM | Anders | Re: interesting traffic

tiffini wrote:
> Hi,
>
> I have noticed some interesting traffic coming from one of my pc's and
> then to one of my pc's.
> First a little background.
> I have a befsr41 router with snmp :-) So I can log traffic going into
> my little network using wallwatcher and opmanager.
>
> I have one XP machine I leave on a lot. I notice that it is sending UDP
> outbound from L-port 137 to R-port 137. Then in a relatively short
> amount of time I see an inbound request from a different IP to ports
> 1026 ,1027, and 1028 from a different IP that the 137 was sent from. I
> have norton's running, and ad aware and spybot don't show anything.
> The addresses seem to come from anywhere China, hong kong, even the US
> and Canada.
>
>
> Any Ideas of what this is:
>

Ports 137, 138, 139 and 445 are file sharing protocols, mainly for Windoze
machines or systems running SMB.
If you can close these ports on your router, do that.

Ports 1024, 1025, 1027, 1028, 1029 and 1030 are normally used by spam
coming from almost anywhere.
Closing these is a good idea, so you don't get nice little
pop-ups asking you stupid questions.

--
/Anders
-It is a terrible way to kill you self, this crucifying.
-It's no way you be able to hammer in the last nail!
The manic-depressive character 'Neil' from 'the Young one's'

#3 | 12-29-2006, 06:39 PM | tiffini | Re: interesting traffic

I'll lock down the ports you recommend, 1024-1030 and 137.

How do I find the app that is sending it out? I have an XP SP2 machine that is sending it.

As I said, I have Norton running, and Ad-Aware and Spybot; all came up clean.

One other thing to note: when I log into the machine, it takes a while for the task bar to become clickable, longer than on the other machines, if that helps at all.

Tif

> Ports 1024, 1025, 1027, 1028, 1029 and 1030 is normally used by spam
> coming from almost anywhere.
> Closing this ones is a god idea to do, so you don't get nice little
> pop-ups asking you stupid questions.
>


#4 | 12-29-2006, 06:40 PM | tiffini | Re: interesting traffic


I'll lock down the ports you recommend, 1024-1030 and 137.

How do I find the app that is sending it out? I have an XP SP2 machine that is sending it.

As I said, I have Norton running, and Ad-Aware and Spybot; all came up clean.

One other thing to note: when I log into the machine, it takes a while for the task bar to become clickable, longer than on the other machines, if that helps at all.

Tif

#5 | 12-29-2006, 07:36 PM | Anders | Re: interesting traffic

tiffini wrote:
>
> I'll lock down the ports you recommend 1024-1030, and 137.
>
> How do I find the app that is sending it out? I have an XP sp2 machine
> that is sending it.
>
> As I said, I have norton's running and ad aware and spybot. all came up
> clean.
> One other thing to note. When I log into the machine. It takes a while
> for the task bar to become clickable. Longer than the other machines,
> if that helps at all.
>
> Tif


Maybe you have some preconfigured rule in your router that can block UPnP.

When it comes to finding any apps/malware it can be a little trickier
(how well do you know your system?), rather than relying on some
programs like Spybot and Ad-Aware (I don't say that using these programs
is a bad thing, but they don't find everything).
It has been a while since I was using Windows, but if I were you I
would have a look at the processes that start up with the system using
HijackThis, to see if I could find anything unusual there.

Link:
http://www.download.com/HijackThis/3...html?tag=topic

--
/Anders
-It is a terrible way to kill you self, this crucifying.
-It's no way you be able to hammer in the last nail!
The manic-depressive character 'Neil' from 'the Young one's'

#6 | 12-29-2006, 07:39 PM | David H. Lipman | Re: interesting traffic

From: "tiffini" <tiffini@val13xr8.org>

| Hi,

| I have noticed some interesting traffic coming from one of my pc's and then to one of
| my pc's.
| First a little background.
| I have a befsr41 router with snmp :-) So I can log traffic going into my little
| network using wallwatcher and opmanager.

| I have one XP machine I leave on a lot. I notice that it is sending UDP outbound from
| L-port 137 to R-port 137. Then in a relatively short amount of time I see an inbound
| request from a different IP to ports 1026 ,1027, and 1028 from a different IP that the
| 137 was sent from. I have norton's running, and ad aware and spybot don't show
| anything.
| The addresses seem to come from anywhere China, hong kong, even the US and Canada.


| Any Ideas of what this is:


As always, I suggest specifically blocking both UDP and TCP ports 135 ~ 139 and 445 on *any*
SOHO router.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



#7 | 12-29-2006, 07:40 PM | David H. Lipman | Re: interesting traffic

From: "tiffini" <tiffini@val13xr8.org>


| I'll lock down the ports you recommend 1024-1030, and 137.

| How do I find the app that is sending it out? I have an XP sp2 machine that is sending
| it.

| As I said, I have norton's running and ad aware and spybot. all came up clean.

| One other thing to note. When I log into the machine. It takes a while for the task
| bar to become clickable. Longer than the other machines, if that helps at all.

| Tif


NO !

Do NOT block 1024-1030.

As stated before, on the router, block TCP and UDP ports 135 ~ 139 and 445.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



#8 | 12-29-2006, 10:19 PM | Robert | Re: interesting traffic

On Fri, 29 Dec 2006 13:40:22 -0600, tiffini wrote:

> I'll lock down the ports you recommend 1024-1030, and 137.


You should really lock down everything outbound that you don't need.

> How do I find the app that is sending it out? I have an XP sp2 machine
> that is sending it.


XP is the app that is doing this. This is how Windows talks with other
Windows machines on the network.

> As I said, I have norton's running and ad aware and spybot. all came up
> clean.


As they will. This is not an adware thing but a Windows thing.

> One other thing to note. When I log into the machine. It takes a while
> for the task bar to become clickable. Longer than the other machines,
> if that helps at all.


This could be caused by many things, mainly what is loaded when you log
in and what it's trying to do while you are logging in.


--

Regards
Robert

Smile... it increases your face value!



#9 | 12-30-2006, 07:21 PM | Moe Trin | Re: interesting traffic

On Fri, 29 Dec 2006, in the Usenet newsgroup alt.computer.security, in article
<g3flh.32$0F1.10@trnddc02>, David H. Lipman wrote:

>From: "tiffini" <tiffini@val13xr8.org>


[Did the O/P notice the responses to his earlier posting of this question
in the newsgroup comp.os.linux.networking?]

>| I'll lock down the ports you recommend 1024-1030, and 137.


>NO !
>
>Do NOT block 1024-1030.


Depending on the capabilities of your firewall (recognizing incoming
packets in those ranges as being replies to something your systems sent
out, versus unsolicited packets inbound), blocking those ports is quite
reasonable. On my home firewall, I've been dropping incoming unrelated
UDP to those ports for several years now. It's just ordinary messenger
spam such as:

STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.

Windows has found 55 Critical System Errors.

To fix the errors please do the following:

1. Download Registry Update from: www.some.spammers.website
2. Install Registry Update
3. Run Registry Update
4. Reboot your computer

FAILURE TO ACT NOW MAY LEAD TO SYSTEM FAILURE!

That one was captured on the firewall a couple of weeks ago when I was
running a packet sniffer. Source address was bogus. Oh, and I know it's
not real because I don't have any Microsoft boxes, and the spammers'
web site isn't microsoft.com - not that they give a hoot if your systems
are 0wn3d.

At work, we port shift any outgoing packets out of the 1025-1050 range
(nearly all are DNS queries outbound) and drop any inbound to that range,
as they can't be valid replies to anything we've sent out. Last I bothered
to measure, it was averaging a half Megabyte per day per IP address, so
for a /16 network that saves about a Gigabyte of bandwidth every _month_.

Using a packet sniffer to capture this crap, it's usually pretty obvious
based on IP and UDP headers that the source is fake, and this most often
seems to be coming from zombie Windoze boxes on your ISP's local range.
You _could_ bitch to your ISP about it, but the O/P is posting from
Comcast, which probably isn't going to know how to spell 'IP', much less
know about port numbers and protocols.

Old guy
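
The filtering policy Moe Trin describes (accept inbound UDP to the 1025-1050 range only as a reply to something the LAN sent, shift outgoing source ports out of that range so nothing legitimate can ever land there, and drop the rest) is easy to get wrong in either direction, so here it is as a small stateful filter in Python. This is an added example, not the poster's firewall or any real firewall's code; the addresses are RFC 5737 documentation ranges, the timestamps are constructed, and the 30-second reply timeout and the shift base of 40000 are assumed values.

```python
"""Toy stateful UDP edge filter: remember outbound datagrams, move their source
port out of 1025-1050, and drop anything inbound to that range (or to a shifted
port) that is not a timely reply to something the LAN sent."""
from dataclasses import dataclass

WAN_IP = "192.0.2.1"                  # constructed "our" public address
SHIFT_RANGE = range(1025, 1051)       # source ports we rewrite on the way out
GUARDED_RANGE = range(1024, 1051)     # inbound to here is dropped unless related


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    ts: float                         # seconds; constructed timestamps


class UdpEdgeFilter:
    def __init__(self, reply_timeout=30.0, shift_base=40000):
        self.reply_timeout = reply_timeout
        self.shift_base = shift_base
        self.flows = {}      # (local_ip, local_port, remote_ip, remote_port) -> last ts
        self.port_map = {}   # (local_ip, shifted_port) -> original local port

    def _shift(self, local_ip, sport):
        """Rewrite a source port in SHIFT_RANGE to a high port and remember it."""
        if sport in SHIFT_RANGE:
            shifted = self.shift_base + (sport - SHIFT_RANGE.start)
            self.port_map[(local_ip, shifted)] = sport
            return shifted
        return sport

    def outbound(self, d):
        """Record the (possibly rewritten) flow; returns the port used on the wire."""
        wire_port = self._shift(d.src, d.sport)
        self.flows[(d.src, wire_port, d.dst, d.dport)] = d.ts
        return "ACCEPT", wire_port

    def inbound(self, d):
        """Accept only timely replies; drop unsolicited datagrams to guarded ports."""
        key = (d.dst, d.dport, d.src, d.sport)        # mirror of the outbound tuple
        last = self.flows.get(key)
        if last is not None and 0 <= d.ts - last <= self.reply_timeout:
            # Related reply: deliver to the original local port if it was shifted.
            return "ACCEPT", self.port_map.get((d.dst, d.dport), d.dport)
        if d.dport in GUARDED_RANGE or (d.dst, d.dport) in self.port_map:
            return "DROP", None        # cannot be a valid reply to anything we sent
        return "ACCEPT", d.dport       # outside this policy; other rules decide


def run_trace():
    """Push a constructed packet sequence through the filter; returns verdicts by label."""
    fw = UdpEdgeFilter()
    dns = "203.0.113.53"
    trace = [
        ("dns query", "out", Datagram(WAN_IP, 1032, dns, 53, 0.0)),
        ("dns reply to shifted port", "in", Datagram(dns, 53, WAN_IP, 40007, 0.05)),
        ("reply aimed at unshifted port", "in", Datagram(dns, 53, WAN_IP, 1032, 0.06)),
        ("messenger spam like the log", "in",
         Datagram("198.51.100.7", 32957, WAN_IP, 1026, 1.0)),
        ("stale reply after timeout", "in", Datagram(dns, 53, WAN_IP, 40007, 100.0)),
        ("unsolicited to unguarded port", "in",
         Datagram("198.51.100.9", 5555, WAN_IP, 8080, 2.0)),
    ]
    results = {}
    for label, direction, d in trace:
        results[label] = fw.outbound(d) if direction == "out" else fw.inbound(d)
    return results


if __name__ == "__main__":
    for label, (verdict, port) in run_trace().items():
        print(f"{verdict:6} {label} (local port {port})")
```

The trace shows the two failure modes the policy has to handle: a genuine DNS answer is accepted and delivered back to the original ephemeral port because the outbound tuple was recorded, while the unsolicited datagram to 1026 (the same shape as the WANIP:1026 hits in the original log) and a reply arriving after the timeout are both dropped. Datagrams to ports outside the guarded range are passed through untouched so that this rule composes with whatever else the firewall does.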

#10 | 12-30-2006, 07:23 PM | David H. Lipman | Re: interesting traffic

From: "Moe Trin" <ibuprofin@painkiller.example.tld>


|
| Depending on the capabilities of your firewall (recognizing incoming
| packets in those ranges as being replies to something your systems sent
| out - verses unsolicited packets inbound) blocking those ports is quite
| reasonable. On my home firewall, I've been dropping incoming unrelated
| UDP to those ports for several years now. It's just ordinary messenger
| spam such as:
|
| STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.
|
| Windows has found 55 Critical System Errors.
|
| To fix the errors please do the following:
|
| 1. Download Registry Update from: www.some.spammers.website
| 2. Install Registry Update
| 3. Run Registry Update
| 4. Reboot your computer
|
| FAILURE TO ACT NOW MAY LEAD TO SYSTEM FAILURE!
|
| That one was captured on the firewall a couple of weeks ago when I was
| running a packet sniffer. Source address was bogus. Oh, and I know it's
| not real because I don't have any microsoft boxes, and the the spammers
| web site isn't microsoft.com - not that they give a hoot if your systems
| are 0wn3d.
|
| At work, we port shift any outgoing packets out of the 1025-1050 range
| (nearly all are DNS queries outbound) and drop any inbound to that range
| as they can't be valid replies to anything we've sent out. Last I bothered
| to measure, it was averaging a half Megabyte per day per IP address, so
| for a /16 network, that saves about a Gigabyte of bandwidth every _month_
|
| Using a packet sniffer to capture this crap, it's usually pretty obvious
| based on IP and UDP headers that the source is fake, and this most often
| seems to be coming from zombie windoze boxes on your ISPs local range.
| You _could_ bitch to your ISP about it, but the O/P is posting from
| Comcast which probably isn't going to know how to spell 'IP' much less
| know about port numbers and protocols.
|
| Old guy

Thanx Moe Trin and Happy New Year.

Hopefully this "Old guy" will grace us with his presence more often in 2007. :-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


