Incidents
Re: Odd traffic again...... internal --> 100.100.100.1 (137-udp) Aug 24 2006 03:59PM
loki74 (loki74 gmail com)
Static IP.
Nothing in LMHosts.
There is no IP of 100.100.100.1; I added a host of 100.100.100.2 and nmap'd.
It is odd...

On 8/24/06, Joel Esler <joel.esler (at) sourcefire (dot) com> wrote:
> Do you have an IP on your network of 100.100.100.1?
>
> Joel
>
>
> On Thu, Aug 24, 2006 at 10:42:28AM -0400, loki74 apparently sent me:
> > Hello,
> > I have posted before about a windows box that sent traffic to
> > different IPs on port 137, and never really got a solution to it. We
> > have since wiped that box. Now we have a new box, built in a DMZ
> > (fresh install, all patches applied) and just connected it to the
> > internal lan (behind fw). The box now sends UDP port 137 to
> > 100.100.100.1. The perimeter firewall blocks this, and that is where
> > it was noticed. I have started logging on my firewall to find out who
> > it was, and it is an internal box.
> >
> > Cisco ACL:
> >
> > Aug 24 12:28:42: %SEC-6-IPACCESSLOGP: list internal_out denied udp
> > x.x.x.x(49375) -> 100.100.100.1(137), 5 packets
> >
> > Firewall Log:
> >
> > eth4c0:i[78]: 192.168.x.x -> 100.100.100.1 (UDP) len=78 id=13167
> > UDP: 137 -> 137
> > eth4c0:I[78]: 192.168.x.x -> 100.100.100.1 (UDP) len=78 id=13167
> > UDP: 137 -> 137
> > eth1c0:o[78]: 192.168.x.x -> 100.100.100.1 (UDP) len=78 id=13167
> > UDP: 137 -> 137
> > eth1c0:O[78]: 68.163.87.34 -> 100.100.100.1 (UDP) len=78 id=13167
> > UDP: 49902 -> 137
> >
> > I am now capturing the traffic again, though there is nothing in it.
> > Anyone ever seen this?
> >
> > T
> >
> > ------------------------------------------------------------------------------
> > This List Sponsored by: Black Hat
> >
> > Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. World renowned security experts reveal
> > tomorrow's threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security
> > environment. Featuring 36 hands-on training courses and 10 conference tracks, networking opportunities with over 2,500
> > delegates from 40+ nations.
> > http://www.blackhat.com
> > ------------------------------------------------------------------------------
> >
> +---------------------------------------------------------------------+
> joel esler senior security consultant 1-706-627-2101
> Sourcefire Security for the /Real/ World -- http://www.sourcefire.com
> Snort - Open Source Network IPS/IDS -- http://www.snort.org
> gpg key: http://demo.sourcefire.com/jesler.pgp.key
> aim:eslerjoel ymsg:eslerjoel gtalk:eslerj
> +---------------------------------------------------------------------+
>

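As an added example, not code from anyone in the thread: the two log formats quoted above (the Cisco %SEC-6-IPACCESSLOGP line and the firewall's two-line "src -> dst (UDP)" / "UDP: sport -> dport" records) parsed into one event list, with the check a responder would want here: UDP/137 (NetBIOS name service) leaving RFC1918 space for a non-RFC1918 destination. It also shows how to recover the pre-NAT internal host from the post-NAT record, using the fact visible in the quoted firewall log that the same IP ID (id=13167) is printed on every copy of the packet as it crosses interfaces. The sample log lines are constructed to match the quoted formats; every address except 100.100.100.1, and the interface names, are made up for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the two formats quoted in the thread.
# 192.168.10.25 is the hypothetical internal box, 198.51.100.7 its
# hypothetical post-NAT address; 100.100.100.1 is the destination from the post.
SAMPLE_LOGS = """\
Aug 24 12:28:42: %SEC-6-IPACCESSLOGP: list internal_out denied udp 192.168.10.25(49375) -> 100.100.100.1(137), 5 packets
Aug 24 12:30:01: %SEC-6-IPACCESSLOGP: list internal_out permitted udp 192.168.10.25(137) -> 192.168.10.255(137), 1 packet
Aug 24 12:31:07: %SEC-6-IPACCESSLOGP: list internal_out denied tcp 192.168.10.40(51000) -> 203.0.113.9(445), 2 packets
eth4c0:i[78]: 192.168.10.25 -> 100.100.100.1 (UDP) len=78 id=13167
UDP: 137 -> 137
eth1c0:O[78]: 198.51.100.7 -> 100.100.100.1 (UDP) len=78 id=13167
UDP: 49902 -> 137
"""


@dataclass
class Event:
    origin: str                    # "cisco" (ACL log) or "fw" (firewall log)
    proto: str                     # "udp" / "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    ip_id: Optional[int] = None    # firewall records carry the IP ID; used to pair NAT copies
    iface: Optional[str] = None    # firewall interface and direction, e.g. "eth1c0:O"


CISCO_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)
FW_HDR_RE = re.compile(
    r"^(?P<iface>\w+:[iIoO])\[\d+\]: (?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"\((?P<proto>\w+)\) len=\d+ id=(?P<id>\d+)"
)
FW_PORT_RE = re.compile(r"^(?:UDP|TCP): (?P<sport>\d+) -> (?P<dport>\d+)")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_logs(text: str) -> List[Event]:
    """Turn Cisco ACL lines and two-line firewall records into Event objects."""
    events: List[Event] = []
    pending = None  # firewall header line waiting for its "UDP: sport -> dport" line
    for line in text.splitlines():
        m = CISCO_RE.search(line)
        if m:
            events.append(Event("cisco", m["proto"].lower(), m["src"], int(m["sport"]),
                                m["dst"], int(m["dport"])))
            continue
        m = FW_HDR_RE.match(line)
        if m:
            pending = m
            continue
        m = FW_PORT_RE.match(line)
        if m and pending is not None:
            events.append(Event("fw", pending["proto"].lower(), pending["src"], int(m["sport"]),
                                pending["dst"], int(m["dport"]), int(pending["id"]), pending["iface"]))
            pending = None
    return events


def is_rfc1918(addr: str) -> bool:
    # Explicit RFC1918 test rather than ipaddress.is_private, which also
    # treats documentation ranges such as 203.0.113.0/24 as private.
    a = ipaddress.ip_address(addr)
    return any(a in n for n in RFC1918)


def nbns_egress(events: List[Event]) -> List[Event]:
    """UDP/137 from an RFC1918 source to a destination outside RFC1918 space."""
    return [e for e in events
            if e.proto == "udp" and e.dport == 137
            and is_rfc1918(e.src) and not is_rfc1918(e.dst)]


def internal_host_for_ip_id(events: List[Event], ip_id: int) -> Optional[str]:
    """Pre-NAT source of a packet: the copy logged on an inbound (i/I) interface with this IP ID."""
    for e in events:
        if e.origin == "fw" and e.ip_id == ip_id and e.iface.endswith((":i", ":I")):
            return e.src
    return None


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for hit in nbns_egress(evs):
        print(f"{hit.origin}: {hit.src}:{hit.sport} -> {hit.dst}:{hit.dport}")
    print("internal host behind id=13167:", internal_host_for_ip_id(evs, 13167))
```

The Cisco line already names the internal source, but on the firewall the outbound (O) copy shows only the NAT address, which is why the pre-NAT lookup keys on the IP ID rather than on the source address.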

Copyright 2010, SecurityFocus