Solved

Strange traffic found - analysis help

Posted on 2006-07-05
3
255 Views
Last Modified: 2010-04-09
Here are some sessions happening on a remote network I am monitoring. The network consists of a router and series of APs in a public access network  = users should be only browsing/emailing/vpn etc. It appears a user is connecting to another user on the local network - perhaps scanning/infecting based on this. Any ideas what would cause these session logs? Does it look like a specific virus or can you tell which user is infected? Could any of this be normal application behavior?

Users : 192.168.2.x/sourceport <-> Router 12.122.25.3/source port from router  -->remote computer/remote port (on internet somtimes a local host)

Here is some 'normal' traffic web sessions for this user:
192.168.2.38/2602 (00:0c:41:be:22:00) <-> 12.122.25.3/26921 ---> 66.22.201.189/80 TCP CLOSED to=1467
192.168.2.38/2603 (00:0c:41:be:22:00) <-> 12.122.25.3/26922 ---> 66.22.201.189/80 TCP CLOSED to=1467
192.168.2.38/2604 (00:0c:41:be:22:00) <-> 12.122.25.3/26923 ---> 66.22.201.189/80 TCP CLOSED to=1467
192.168.2.38/2605 (00:0c:41:be:22:00) <-> 12.122.25.3/26924 ---> 66.22.201.189/80 TCP CLOSED to=1467
 192.168.2.38/2606 (00:0c:41:be:22:00) <-> 12.122.25.3/26925 ---> 66.22.201.189/80 TCP CLOSED to=1466

Here is the suspicious traffic:
192.168.2.90/1360 (00:16:76:5c:10:95) <-> 12.122.25.3/19132 ---> 192.168.2.38/139 TCP CLOSED to=115
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19133 ---> 192.168.2.90/1360 TCP CLOSED to=115
 192.168.2.90/1361 (00:16:76:5c:10:95) <-> 12.122.25.3/19134 ---> 192.168.2.38/139 TCP CLOSED to=115
192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19135 ---> 192.168.2.90/1361 TCP CLOSED to=115
 192.168.2.90/1362 (00:16:76:5c:10:95) <-> 12.122.25.3/19136 ---> 192.168.2.38/139 TCP CLOSED to=115
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19137 ---> 192.168.2.90/1362 TCP CLOSED to=115
 192.168.2.86/1520 (00:13:20:c2:ad:84) <-> 12.122.25.3/19138 ---> 192.168.2.38/139 TCP CLOSED to=101
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19139 ---> 192.168.2.86/1520 TCP CLOSED to=101
 192.168.2.86/1521 (00:13:20:c2:ad:84) <-> 12.122.25.3/28032 ---> 192.168.2.38/139 TCP CLOSED to=101
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/28033 ---> 192.168.2.86/1521 TCP CLOSED to=101
 192.168.2.86/1522 (00:13:20:c2:ad:84) <-> 12.122.25.3/28034 ---> 192.168.2.38/139 TCP CLOSED to=101
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/28035 ---> 192.168.2.86/1522 TCP CLOSED to=101
192.168.2.86/137 (00:13:20:c2:ad:84) <-> 12.122.25.3/6856 ---> 192.168.2.38/137 UDP MAPPED to=101

It appears one of these two users has a virus and is trying to exploit the other? Any ideas? Thanks in advance
0
Comment
Question by:pixel3000
3 Comments
 
LVL 4

Accepted Solution

by:
imreble1 earned 500 total points
ID: 17087502
Hard to say, Chode does run @ these ports, but you are also probably using shares correct? Looks like normal traffic between two hosts .38 and .86 . the 1522 is sql traffic. Chode http://www.glocksoft.com/trojan_list/Chode.htm

~DC
Fishnetsecurity.com
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Fortinet FWs backdoor vulnerability 3 85
iptables and udp ports 23 81
sftp access 4 49
suspending the anti virus 6 105
Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This video discusses moving either the default database or any database to a new volume.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now