Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Strange traffic found - analysis help

Posted on 2006-07-05
3
Medium Priority
?
273 Views
Last Modified: 2010-04-09
Here are some sessions happening on a remote network I am monitoring. The network consists of a router and series of APs in a public access network  = users should be only browsing/emailing/vpn etc. It appears a user is connecting to another user on the local network - perhaps scanning/infecting based on this. Any ideas what would cause these session logs? Does it look like a specific virus or can you tell which user is infected? Could any of this be normal application behavior?

Users : 192.168.2.x/sourceport <-> Router 12.122.25.3/source port from router  -->remote computer/remote port (on internet somtimes a local host)

Here is some 'normal' traffic web sessions for this user:
192.168.2.38/2602 (00:0c:41:be:22:00) <-> 12.122.25.3/26921 ---> 66.22.201.189/80 TCP CLOSED to=1467
192.168.2.38/2603 (00:0c:41:be:22:00) <-> 12.122.25.3/26922 ---> 66.22.201.189/80 TCP CLOSED to=1467
192.168.2.38/2604 (00:0c:41:be:22:00) <-> 12.122.25.3/26923 ---> 66.22.201.189/80 TCP CLOSED to=1467
192.168.2.38/2605 (00:0c:41:be:22:00) <-> 12.122.25.3/26924 ---> 66.22.201.189/80 TCP CLOSED to=1467
 192.168.2.38/2606 (00:0c:41:be:22:00) <-> 12.122.25.3/26925 ---> 66.22.201.189/80 TCP CLOSED to=1466

Here is the suspicious traffic:
192.168.2.90/1360 (00:16:76:5c:10:95) <-> 12.122.25.3/19132 ---> 192.168.2.38/139 TCP CLOSED to=115
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19133 ---> 192.168.2.90/1360 TCP CLOSED to=115
 192.168.2.90/1361 (00:16:76:5c:10:95) <-> 12.122.25.3/19134 ---> 192.168.2.38/139 TCP CLOSED to=115
192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19135 ---> 192.168.2.90/1361 TCP CLOSED to=115
 192.168.2.90/1362 (00:16:76:5c:10:95) <-> 12.122.25.3/19136 ---> 192.168.2.38/139 TCP CLOSED to=115
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19137 ---> 192.168.2.90/1362 TCP CLOSED to=115
 192.168.2.86/1520 (00:13:20:c2:ad:84) <-> 12.122.25.3/19138 ---> 192.168.2.38/139 TCP CLOSED to=101
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/19139 ---> 192.168.2.86/1520 TCP CLOSED to=101
 192.168.2.86/1521 (00:13:20:c2:ad:84) <-> 12.122.25.3/28032 ---> 192.168.2.38/139 TCP CLOSED to=101
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/28033 ---> 192.168.2.86/1521 TCP CLOSED to=101
 192.168.2.86/1522 (00:13:20:c2:ad:84) <-> 12.122.25.3/28034 ---> 192.168.2.38/139 TCP CLOSED to=101
 192.168.2.38/139 (00:0c:41:be:22:00) <-> 12.122.25.3/28035 ---> 192.168.2.86/1522 TCP CLOSED to=101
192.168.2.86/137 (00:13:20:c2:ad:84) <-> 12.122.25.3/6856 ---> 192.168.2.38/137 UDP MAPPED to=101

It appears one of these two users has a virus and is trying to exploit the other? Any ideas? Thanks in advance
0
Comment
Question by:pixel3000
3 Comments
 
LVL 4

Accepted Solution

by:
imreble1 earned 2000 total points
ID: 17087502
Hard to say, Chode does run @ these ports, but you are also probably using shares correct? Looks like normal traffic between two hosts .38 and .86 . the 1522 is sql traffic. Chode http://www.glocksoft.com/trojan_list/Chode.htm

~DC
Fishnetsecurity.com
0

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
This Micro Tutorial will teach you how to add a cinematic look to any film or video out there. There are very few simple steps that you will follow to do so. This will be demonstrated using Adobe Premiere Pro CS6.
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
Suggested Courses

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question