Solved

Strange traffic found - analysis help

Posted on 2006-07-05
3
269 Views
Last Modified: 2010-04-09
Here are some sessions happening on a remote network I am monitoring. The network consists of a router and series of APs in a public access network  = users should be only browsing/emailing/vpn etc. It appears a user is connecting to another user on the local network - perhaps scanning/infecting based on this. Any ideas what would cause these session logs? Does it look like a specific virus or can you tell which user is infected? Could any of this be normal application behavior?

Users : 192.168.2.x/sourceport <-> Router 12.122.25.3/source port from router  -->remote computer/remote port (on internet somtimes a local host)

Here is some 'normal' traffic web sessions for this user:
192.168.2.38/2602 (00:0c:41:be:22:00) <-> 12.122.25.3/26921 ---> 66.22.201.189/80 TCP CLOSED to=1467
192.168.2.38/2603 (00:0c:41:be:22:00) <-> 12.122.25.3/26922 ---> 66.22.201.189/80 TCP CLOSED to=1467
192.168.2.38/2604 (00:0c:41:be:22:00) <-> 12.122.25.3/26923 ---> 66.22.201.189/80 TCP CLOSED to=1467
192.168.2.38/2605 (00:0c:41:be:22:00) <-> 12.122.25.3/26924 ---> 66.22.201.189/80 TCP CLOSED to=1467
 192.168.2.38/2606 (00:0c:41:be:22:00) <-> 12.122.25.3/26925 ---> 66.22.201.189/80 TCP CLOSED to=1466

Here is the suspicious traffic:
192.168.2.90/1360 (00:16:76:5c:10:95) <-> 12.122.25.3/19132 ---> 192.168.2.38/139 TCP CLOSED to=115
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19133 ---> 192.168.2.90/1360 TCP CLOSED to=115
 192.168.2.90/1361 (00:16:76:5c:10:95) <-> 12.122.25.3/19134 ---> 192.168.2.38/139 TCP CLOSED to=115
192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19135 ---> 192.168.2.90/1361 TCP CLOSED to=115
 192.168.2.90/1362 (00:16:76:5c:10:95) <-> 12.122.25.3/19136 ---> 192.168.2.38/139 TCP CLOSED to=115
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19137 ---> 192.168.2.90/1362 TCP CLOSED to=115
 192.168.2.86/1520 (00:13:20:c2:ad:84) <-> 12.122.25.3/19138 ---> 192.168.2.38/139 TCP CLOSED to=101
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19139 ---> 192.168.2.86/1520 TCP CLOSED to=101
 192.168.2.86/1521 (00:13:20:c2:ad:84) <-> 12.122.25.3/28032 ---> 192.168.2.38/139 TCP CLOSED to=101
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/28033 ---> 192.168.2.86/1521 TCP CLOSED to=101
 192.168.2.86/1522 (00:13:20:c2:ad:84) <-> 12.122.25.3/28034 ---> 192.168.2.38/139 TCP CLOSED to=101
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/28035 ---> 192.168.2.86/1522 TCP CLOSED to=101
192.168.2.86/137 (00:13:20:c2:ad:84) <-> 12.122.25.3/6856 ---> 192.168.2.38/137 UDP MAPPED to=101

It appears one of these two users has a virus and is trying to exploit the other? Any ideas? Thanks in advance
0
Comment
Question by:pixel3000
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 4

Accepted Solution

by:
imreble1 earned 500 total points
ID: 17087502
Hard to say, Chode does run @ these ports, but you are also probably using shares correct? Looks like normal traffic between two hosts .38 and .86 . the 1522 is sql traffic. Chode http://www.glocksoft.com/trojan_list/Chode.htm

~DC
Fishnetsecurity.com
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question