From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: Lukasz Hejnak <sziftgroup@wp.pl>
Cc: netfilter@lists.netfilter.org
Subject: Re: Strange broadcasts
Date: Mon, 18 Apr 2005 13:30:05 -0500
Message-ID: <4263FCAD.8080603@riverviewtech.net>
In-Reply-To: <20050418162301.GA3711@szift.net.autocom.pl>
This looks like some extremely weird traffic. Normal M$ RPC traffic should not be going to the broadcast address (.255 on each respective subnet). I'd be more apt to believe that this is traffic that is looking for an exploit in something.

Can you get a TCPDump of the traffic on these ports vs. just logs? Based on the logs the traffic is initiating from one or more local systems out to the network. I'd start by making sure that there is no breach on any of your systems. Try looking at a TCPDump; that will give you more information.

What systems have the IPs of 192.168.10.1 and 192.168.11.1, as these appear to be the source systems? I'm a bit perplexed by the fact that your firewall is sending with its source to its network. This would make me think that something might be running on it looking for an exploit.
Grant. . . .
Lukasz Hejnak wrote:
> Hi
> I've started receiving some strange broadcast information on my firewall
> it starts in the logs around ten days ago and looks like this:
>
> INPUT:IN=eth0 OUT= MAC= SRC=192.168.10.1 DST=192.168.10.255 LEN=240 TOS=0x00
> PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=220
> INPUT:IN=eth0 OUT= MAC= SRC=192.168.10.1 DST=192.168.10.255 LEN=234 TOS=0x00
> PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214
>
> INPUT:IN=eth1 OUT= MAC= SRC=$MYEXTIP DST=$MYEXTNET.255 LEN=240 TOS=0x00
> PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=220
> INPUT:IN=eth1 OUT= MAC= SRC=$MYEXTIP DST=$MYEXTNET.255 LEN=234 TOS=0x00
> PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214
>
> INPUT:IN=eth2 OUT= MAC= SRC=192.168.11.1 DST=192.168.11.255 LEN=240 TOS=0x00
> PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=220
> INPUT:IN=eth2 OUT= MAC= SRC=192.168.11.1 DST=192.168.11.255 LEN=234 TOS=0x00
> PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214
>
> the first few occurrences had SPT and DPT 137, and now it looks like the above
> happens about every 12 minutes, and I can't seem to see what's causing this
> the server is running only apache and exim
> the eth1 is the internet, eth{0,2} are just two connections to two PCs I've
> got at home (had a spare nic and no cash for a hub ;)
>
> anybody had a similar case?
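Grant's advice above is to pin down which local systems are sourcing the UDP 137/138 broadcasts, and that can be checked against the iptables LOG lines themselves before reaching for tcpdump. The script below is an added example, not code from either poster: it parses netfilter LOG key=value records (the sample lines are constructed to mirror the ones quoted in the thread) and flags NetBIOS name-service (137) and datagram-service (138) traffic sent to a subnet broadcast address from one of the firewall's own addresses. The `LOCAL_IPS` set and the /24 broadcast assumption are the example's own.

```python
import re
from collections import Counter

# Constructed sample LOG lines modelled on the ones quoted in the thread, plus one
# ordinary TCP line that must not be flagged. Not copied from a real system.
SAMPLE_LOG = """\
INPUT:IN=eth0 OUT= MAC= SRC=192.168.10.1 DST=192.168.10.255 LEN=240 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=220
INPUT:IN=eth0 OUT= MAC= SRC=192.168.10.1 DST=192.168.10.255 LEN=234 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214
INPUT:IN=eth2 OUT= MAC= SRC=192.168.11.1 DST=192.168.11.255 LEN=240 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=220
INPUT:IN=eth0 OUT= MAC= SRC=192.168.10.7 DST=192.168.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=80
"""

# Assumed: the firewall's own interface addresses from the thread.
LOCAL_IPS = {"192.168.10.1", "192.168.11.1"}
NETBIOS_PORTS = {137, 138}  # NetBIOS name service / datagram service

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Split a netfilter LOG line into a dict of KEY=VALUE fields.

    LEN= appears twice (IP total length, then UDP length); the second one is
    stored as UDP_LEN so the IP length is not silently overwritten.
    """
    fields = {}
    for key, val in KV_RE.findall(line):
        if key == "LEN" and "LEN" in fields:
            fields["UDP_LEN"] = val
        else:
            fields[key] = val
    return fields


def is_directed_broadcast(dst):
    # Assumes /24 subnets, as in the thread (.255 is the broadcast address).
    return dst.endswith(".255")


def find_local_netbios_broadcasts(log_text, local_ips=LOCAL_IPS):
    """Return (iface, src, dst, dpt) for UDP 137/138 packets that one of the
    firewall's own addresses sent to a subnet broadcast address."""
    hits = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f.get("PROTO") != "UDP" or int(f.get("DPT", 0)) not in NETBIOS_PORTS:
            continue
        if f["SRC"] in local_ips and is_directed_broadcast(f["DST"]):
            hits.append((f["IN"], f["SRC"], f["DST"], int(f["DPT"])))
    return hits


def summarize(hits):
    """Count flagged packets per (interface, destination port)."""
    return Counter((iface, dpt) for iface, _src, _dst, dpt in hits)
```

Running `find_local_netbios_broadcasts(SAMPLE_LOG)` on the sample returns the three broadcast lines and skips the TCP line; fed a real kernel log, a per-interface count that repeats every few minutes narrows down which address to capture with tcpdump.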
Thread overview: 4+ messages
2005-04-18 16:23 Strange broadcasts Lukasz Hejnak
2005-04-18 18:30 ` Taylor, Grant [this message]
2005-04-18 19:25 ` Jason Opperisano
-- strict thread matches above, loose matches on Subject: below --
2005-04-18 16:40 Piszcz, Justin