Solved

Strange traffic found - analysis help

Posted on 2006-07-05
3
262 Views
Last Modified: 2010-04-09
Here are some sessions happening on a remote network I am monitoring. The network consists of a router and series of APs in a public access network  = users should be only browsing/emailing/vpn etc. It appears a user is connecting to another user on the local network - perhaps scanning/infecting based on this. Any ideas what would cause these session logs? Does it look like a specific virus or can you tell which user is infected? Could any of this be normal application behavior?

Users : 192.168.2.x/sourceport <-> Router 12.122.25.3/source port from router  -->remote computer/remote port (on internet somtimes a local host)

Here is some 'normal' traffic web sessions for this user:
192.168.2.38/2602 (00:0c:41:be:22:00) <-> 12.122.25.3/26921 ---> 66.22.201.189/80 TCP CLOSED to=1467
192.168.2.38/2603 (00:0c:41:be:22:00) <-> 12.122.25.3/26922 ---> 66.22.201.189/80 TCP CLOSED to=1467
192.168.2.38/2604 (00:0c:41:be:22:00) <-> 12.122.25.3/26923 ---> 66.22.201.189/80 TCP CLOSED to=1467
192.168.2.38/2605 (00:0c:41:be:22:00) <-> 12.122.25.3/26924 ---> 66.22.201.189/80 TCP CLOSED to=1467
 192.168.2.38/2606 (00:0c:41:be:22:00) <-> 12.122.25.3/26925 ---> 66.22.201.189/80 TCP CLOSED to=1466

Here is the suspicious traffic:
192.168.2.90/1360 (00:16:76:5c:10:95) <-> 12.122.25.3/19132 ---> 192.168.2.38/139 TCP CLOSED to=115
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19133 ---> 192.168.2.90/1360 TCP CLOSED to=115
 192.168.2.90/1361 (00:16:76:5c:10:95) <-> 12.122.25.3/19134 ---> 192.168.2.38/139 TCP CLOSED to=115
192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19135 ---> 192.168.2.90/1361 TCP CLOSED to=115
 192.168.2.90/1362 (00:16:76:5c:10:95) <-> 12.122.25.3/19136 ---> 192.168.2.38/139 TCP CLOSED to=115
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19137 ---> 192.168.2.90/1362 TCP CLOSED to=115
 192.168.2.86/1520 (00:13:20:c2:ad:84) <-> 12.122.25.3/19138 ---> 192.168.2.38/139 TCP CLOSED to=101
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19139 ---> 192.168.2.86/1520 TCP CLOSED to=101
 192.168.2.86/1521 (00:13:20:c2:ad:84) <-> 12.122.25.3/28032 ---> 192.168.2.38/139 TCP CLOSED to=101
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/28033 ---> 192.168.2.86/1521 TCP CLOSED to=101
 192.168.2.86/1522 (00:13:20:c2:ad:84) <-> 12.122.25.3/28034 ---> 192.168.2.38/139 TCP CLOSED to=101
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/28035 ---> 192.168.2.86/1522 TCP CLOSED to=101
192.168.2.86/137 (00:13:20:c2:ad:84) <-> 12.122.25.3/6856 ---> 192.168.2.38/137 UDP MAPPED to=101

It appears one of these two users has a virus and is trying to exploit the other? Any ideas? Thanks in advance
0
Comment
Question by:pixel3000
3 Comments
 
LVL 4

Accepted Solution

by:
imreble1 earned 500 total points
ID: 17087502
Hard to say, Chode does run @ these ports, but you are also probably using shares correct? Looks like normal traffic between two hosts .38 and .86 . the 1522 is sql traffic. Chode http://www.glocksoft.com/trojan_list/Chode.htm

~DC
Fishnetsecurity.com
0

Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question