Outbound traffic on unknown ports to private IP addresses

Hi,

I am noticing some strange activity on my firewall. There is outbound UDP traffic from two servers (both running Win2K Server & 1 running SQL 2000 & the other Exchange 2000). It is outbound from these servers to private addresses that so not exist on my internal network. The destination IP's are 192.168.32.1 and 192.168.100.1 The ports being used are mainly 1055, 1057 & 1058 but I have noticed 1518, 1520 & 1521 as well. Has anyone seen this before? I've checked virus/event and IIS logs and don't see anything unusual and everything is operating normally. Any suggestions as to what might be causing this would be appreciated.

Thanks,
Dawn
Dawn_BlAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

DexstarCommented:
Dawn_Bl:

> Any suggestions as to what might be causing this would be appreciated.

I would install "Network Monitor" that comes with W2K server on either or both of those machines and sniff the network traffic to see what the contents of these packets.

Here is information on how to set it up and use it:
http://support.microsoft.com/?kbid=243270

Hope That Helps,
Dex*
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Robing66066Commented:
Sometimes this sort of thing can happen if you have an overlap in DNS between your windows network and your ISP's network.  I had a heck of a time when I named one of my computers WIN98.  Turns out my ISP had one named the same thing, *and* they had put an entry in on their DNS server.  If my computer was turned on, things were fine, but if it wasn't (thus the broadcast for it would fail), my machine would find the DNS entry for WIN98 on my ISP's internal network and try to talk to it!  

Although I admit there are fairly short odds on it being the same thing, the symptoms would have been similar.  Since the ports you are report are above 1023, they may be the transitory ports used when first establishing a connection.  If you do have a similar situation, it could be that those devices used to talk to someone who used the same name as the device at those ip addresses.

A way longshot, but you did ask if we'd seen something similar...  :)

Either way, I'd still hook up the network monitor and take a look.  Also, try a netstat on the source boxes.  That should turn up some more information.

Good luck!
0
riannuzziCommented:
Do you have citrix or vpn clients? This can be the address they are using? It can also be spoofing... also the welchia virus creates tons of tcp exhaustion ... although you should run the welchia patch to make sure it is not on your syste,...
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

chicagoanCommented:
While there's some activity on these ports in the wild, there's not much and don't correspond to any known vulnerabilities.

http://www.dshield.org/port_report.php?port=1055&recax=1&tarax=2&srcax=2&percent=N&days=40
http://www.dshield.org/port_report.php?port=1057&recax=1&tarax=2&srcax=2&percent=N&days=40
http://www.dshield.org/port_report.php?port=1058&recax=1&tarax=2&srcax=2&percent=N&days=40

You don't say what the source ports are... might be backscatter?
I'd get a sniff on those switchports to see what they're up to.



0
ShineOnCommented:
One thing to be very conscious of is that many of today's worms and virii will as first order of business disable local virus scans, so they don't get on any logs.

If you haven't kept absolutely current with your service packs and security hotfixes, and disabled all unnecessary services, you may have a worm or backdoor trojan that your antivirus isn't scanning and therefore not logging.  

If I were in your shoes, I would first run a web-based virus scan, like the one at http://housecall.trendmicro.com/ and follow that with a spyware/adware scan that also picks up trojans that virus scans bypass, like SpySweeper from www.webroot.com, if for no other reason than to ease my mind.  Also go visit www.blackviper.com to help you determine what services you can and should disable - not only will you be more secure, you will likely see an improvement in performance and stability.

If all of that comes up clean, and you have a reasonable comfort level of the security of your systems, but this traffic continues - I would then look at whether or not someone in your network is doing something along the lines of running a peer-to-peer file sharing program.  The reason I mention that is that you made note of 2 sets of 3 UDP ports.  Many file sharing programs not only use multiple UDP ports but also allow you to modify the UDP listeners to bypass things like packet filters.
0
Dawn_BlAuthor Commented:
Thanks for all of the suggestions. I will try running a sniffer to get more details and report back.
0
ShineOnCommented:
A good free one can be found at www.ethereal.com
0
Dawn_BlAuthor Commented:
Thank you for all of your help. I installed Network Monitor (and fought with it for awhile) and realized the traffic is coming from a laptop that is not part of our domain but is used for some remote administration purposes. It had some additional IP addresses on it from a few VMWare instances. I was only seeing the outbound because there was no route to the addresses not on our network. The remote admin app was trying to respond on all IPs.

Thanks again... Dawn
0
qzzwrsCommented:
One thing I did at my work is to put an ACL on our internet Router and blocked all outbound Private address ranges. Theoretically they shouldn't be routed anyway, but since we syslog, our syslog will be notified if it happens.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.