Solved

Strange traffic found - analysis help

Posted on 2006-07-05
265 Views
Last Modified: 2010-04-09
Here are some sessions happening on a remote network I am monitoring. The network consists of a router and a series of APs in a public access network; users should only be browsing/emailing/VPN etc. It appears a user is connecting to another user on the local network, perhaps scanning/infecting based on this. Any ideas what would cause these session logs? Does it look like a specific virus, or can you tell which user is infected? Could any of this be normal application behavior?

Users: 192.168.2.x/source port <-> Router 12.122.25.3/source port from router ---> remote computer/remote port (on the internet, sometimes a local host)

Here are some 'normal' web traffic sessions for this user:
192.168.2.38/2602 (00:0c:41:be:22:00) <-> 12.122.25.3/26921 ---> 66.22.201.189/80 TCP CLOSED to=1467
192.168.2.38/2603 (00:0c:41:be:22:00) <-> 12.122.25.3/26922 ---> 66.22.201.189/80 TCP CLOSED to=1467
192.168.2.38/2604 (00:0c:41:be:22:00) <-> 12.122.25.3/26923 ---> 66.22.201.189/80 TCP CLOSED to=1467
192.168.2.38/2605 (00:0c:41:be:22:00) <-> 12.122.25.3/26924 ---> 66.22.201.189/80 TCP CLOSED to=1467
192.168.2.38/2606 (00:0c:41:be:22:00) <-> 12.122.25.3/26925 ---> 66.22.201.189/80 TCP CLOSED to=1466

Here is the suspicious traffic:
192.168.2.90/1360 (00:16:76:5c:10:95) <-> 12.122.25.3/19132 ---> 192.168.2.38/139 TCP CLOSED to=115
192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19133 ---> 192.168.2.90/1360 TCP CLOSED to=115
192.168.2.90/1361 (00:16:76:5c:10:95) <-> 12.122.25.3/19134 ---> 192.168.2.38/139 TCP CLOSED to=115
192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19135 ---> 192.168.2.90/1361 TCP CLOSED to=115
192.168.2.90/1362 (00:16:76:5c:10:95) <-> 12.122.25.3/19136 ---> 192.168.2.38/139 TCP CLOSED to=115
192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19137 ---> 192.168.2.90/1362 TCP CLOSED to=115
192.168.2.86/1520 (00:13:20:c2:ad:84) <-> 12.122.25.3/19138 ---> 192.168.2.38/139 TCP CLOSED to=101
192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19139 ---> 192.168.2.86/1520 TCP CLOSED to=101
192.168.2.86/1521 (00:13:20:c2:ad:84) <-> 12.122.25.3/28032 ---> 192.168.2.38/139 TCP CLOSED to=101
192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/28033 ---> 192.168.2.86/1521 TCP CLOSED to=101
192.168.2.86/1522 (00:13:20:c2:ad:84) <-> 12.122.25.3/28034 ---> 192.168.2.38/139 TCP CLOSED to=101
192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/28035 ---> 192.168.2.86/1522 TCP CLOSED to=101
192.168.2.86/137 (00:13:20:c2:ad:84) <-> 12.122.25.3/6856 ---> 192.168.2.38/137 UDP MAPPED to=101

It appears one of these two users has a virus and is trying to exploit the other? Any ideas? Thanks in advance.
Question by: pixel3000
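A quick way to answer "which host is initiating" from logs in this format is to parse every session line and keep only the ones where both endpoints are inside the local 192.168.2.0/24 range and the destination is a NetBIOS/SMB service port (137, 138, 139, 445). On a public access network where clients should only be talking to the internet, any such session is worth flagging, and grouping by initiator shows who is probing whom. The script below is an added example, not code from the question or the answer; it assumes the exact line layout shown in the post, the `SAMPLE_LOG` it embeds is a constructed subset of the lines quoted above, and the function names (`parse_sessions`, `find_lateral_smb`, `common_targets`) are hypothetical.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the session lines quoted in the question,
# including the stray leading whitespace that appears in the post.
SAMPLE_LOG = """\
192.168.2.38/2602 (00:0c:41:be:22:00) <-> 12.122.25.3/26921 ---> 66.22.201.189/80 TCP CLOSED to=1467
192.168.2.90/1360 (00:16:76:5c:10:95) <-> 12.122.25.3/19132 ---> 192.168.2.38/139 TCP CLOSED to=115
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19133 ---> 192.168.2.90/1360 TCP CLOSED to=115
 192.168.2.86/1520 (00:13:20:c2:ad:84) <-> 12.122.25.3/19138 ---> 192.168.2.38/139 TCP CLOSED to=101
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19139 ---> 192.168.2.86/1520 TCP CLOSED to=101
192.168.2.86/137 (00:13:20:c2:ad:84) <-> 12.122.25.3/6856 ---> 192.168.2.38/137 UDP MAPPED to=101
"""

# One session line: "src/sport (mac) <-> router/rport ---> dst/dport PROTO STATE to=N"
LINE_RE = re.compile(
    r"^\s*(?P<src>[\d.]+)/(?P<sport>\d+)\s+\((?P<mac>[0-9a-f:]{17})\)\s+<->\s+"
    r"(?P<rtr>[\d.]+)/(?P<rport>\d+)\s+--->\s+(?P<dst>[\d.]+)/(?P<dport>\d+)\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<state>\w+)\s+to=(?P<timeout>\d+)\s*$"
)

# Assumption: the client range from the question is a single /24.
LAN = ipaddress.ip_network("192.168.2.0/24")
# NetBIOS name service, datagram, session and direct-hosted SMB.
NETBIOS_SMB_PORTS = {137, 138, 139, 445}


def parse_sessions(text):
    """Parse the session log into a list of dicts; raise on a line that does not fit the layout."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised session line: {line!r}")
        d = m.groupdict()
        sessions.append({
            "src": ipaddress.ip_address(d["src"]), "sport": int(d["sport"]), "mac": d["mac"],
            "dst": ipaddress.ip_address(d["dst"]), "dport": int(d["dport"]),
            "proto": d["proto"], "state": d["state"], "timeout": int(d["timeout"]),
        })
    return sessions


def find_lateral_smb(sessions):
    """Return {initiator_ip: sorted [(target_ip, dport, proto), ...]} for LAN-to-LAN NetBIOS/SMB sessions.

    Each TCP connection shows up twice in this log (once per direction); only the half whose
    destination is a service port is kept, so the reply half (.38/139 -> .90/1360) is not counted.
    """
    hits = defaultdict(set)
    for s in sessions:
        if s["src"] in LAN and s["dst"] in LAN and s["dport"] in NETBIOS_SMB_PORTS:
            hits[str(s["src"])].add((str(s["dst"]), s["dport"], s["proto"]))
    return {src: sorted(targets) for src, targets in hits.items()}


def common_targets(hits):
    """Count how many distinct initiators touched each target; a single host hit by several peers stands out."""
    counter = Counter()
    for targets in hits.values():
        for target_ip in {t[0] for t in targets}:
            counter[target_ip] += 1
    return dict(counter)


if __name__ == "__main__":
    found = find_lateral_smb(parse_sessions(SAMPLE_LOG))
    for initiator, targets in sorted(found.items()):
        for target_ip, dport, proto in targets:
            print(f"{initiator} -> {target_ip}:{dport}/{proto}  (LAN-to-LAN NetBIOS/SMB)")
    print("targets by number of initiators:", common_targets(found))
```

Run against the lines from the question, this reports .90 and .86 as the hosts opening connections to .38 on 139 (plus a UDP 137 name query from .86), so .38 is the host being contacted, not the one reaching out. Whether that is a shared folder being browsed or a scan cannot be decided from session records alone; the point of the grouping is to show who to look at first and to confirm that client-to-client traffic is crossing the router at all, which client isolation on the APs would normally prevent.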
Accepted Solution by imreble1 (LVL 4, earned 500 total points), ID: 17087502
Hard to say. Chode does run @ these ports, but you are also probably using shares, correct? Looks like normal traffic between two hosts, .38 and .86. The 1522 is SQL traffic. Chode: http://www.glocksoft.com/trojan_list/Chode.htm

~DC
Fishnetsecurity.com