Strange broadcasts

Linux Netfilter discussions
 help / color / mirror / Atom feed

* Strange broadcasts
@ 2005-04-18 16:23 Lukasz Hejnak
  2005-04-18 18:30 ` Taylor, Grant
  0 siblings, 1 reply; 4+ messages in thread
From: Lukasz Hejnak @ 2005-04-18 16:23 UTC (permalink / raw)
  To: netfilter

Hi
I've started receiving some strange broadcast information on my firewall
it starts in the logs around ten days ago and looks like this:

INPUT:IN=eth0 OUT= MAC= SRC=192.168.10.1 DST=192.168.10.255 LEN=240 TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=220 
INPUT:IN=eth0 OUT= MAC= SRC=192.168.10.1 DST=192.168.10.255 LEN=234 TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214 

INPUT:IN=eth1 OUT= MAC= SRC=$MYEXTIP DST=$MYEXTNET.255 LEN=240 TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=220 
INPUT:IN=eth1 OUT= MAC= SRC=$MYEXTIP DST=$MYEXTNET.255 LEN=234 TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214 

INPUT:IN=eth2 OUT= MAC= SRC=192.168.11.1 DST=192.168.11.255 LEN=240 TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=220 
INPUT:IN=eth2 OUT= MAC= SRC=192.168.11.1 DST=192.168.11.255 LEN=234 TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214 

a few first occurences had SPT and DPT 137, and now it looks like the above
happens about every 12 minutes, and I can't seem to see what's causing this
the server is running only apache and exim
the eth1 is the internet, eth{0,2} are just two connections to two PCs I've
got at home (had a spare nic and no cash for a hub ;)

anybody had a similar case?

-- 
with regards
Lukasz Hejnak
szift@wp.pl


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Strange broadcasts
  2005-04-18 16:23 Strange broadcasts Lukasz Hejnak
@ 2005-04-18 18:30 ` Taylor, Grant
  2005-04-18 19:25   ` Jason Opperisano
  0 siblings, 1 reply; 4+ messages in thread
From: Taylor, Grant @ 2005-04-18 18:30 UTC (permalink / raw)
  To: Lukasz Hejnak; +Cc: netfilter

This looks like some extremely weird traffic.  Normal M$ RPC traffic should not going to the broadcast address (.255 on each respective subnet).  I'd be more apt to believe that this is traffic that is looking for an exploit in something.  Can you get a TCPDump of the traffic on these ports vs just logs?  Based on the logs the traffic is initiating from one or more local systems out to the network.  I'd start by making sure that there is not breach on any of your systems.  Try looking at a TCPDump, that will give you more information.  What systems have the IPs of 192.168.10.1 and 192.168.11.1 as these appear to be source systems.  I'm a bit perplexed by the fact that your firewall is sending with it's source to it's network.  This would make me think that something might be running on it looking for an exploit.

Grant. . . .

Lukasz Hejnak wrote:
> Hi
> I've started receiving some strange broadcast information on my firewall
> it starts in the logs around ten days ago and looks like this:
> 
> INPUT:IN=eth0 OUT= MAC= SRC=192.168.10.1 DST=192.168.10.255 LEN=240 TOS=0x00 
> PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=220 
> INPUT:IN=eth0 OUT= MAC= SRC=192.168.10.1 DST=192.168.10.255 LEN=234 TOS=0x00 
> PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214 
> 
> INPUT:IN=eth1 OUT= MAC= SRC=$MYEXTIP DST=$MYEXTNET.255 LEN=240 TOS=0x00 
> PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=220 
> INPUT:IN=eth1 OUT= MAC= SRC=$MYEXTIP DST=$MYEXTNET.255 LEN=234 TOS=0x00 
> PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214 
> 
> INPUT:IN=eth2 OUT= MAC= SRC=192.168.11.1 DST=192.168.11.255 LEN=240 TOS=0x00 
> PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=220 
> INPUT:IN=eth2 OUT= MAC= SRC=192.168.11.1 DST=192.168.11.255 LEN=234 TOS=0x00 
> PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214 
> 
> a few first occurences had SPT and DPT 137, and now it looks like the above
> happens about every 12 minutes, and I can't seem to see what's causing this
> the server is running only apache and exim
> the eth1 is the internet, eth{0,2} are just two connections to two PCs I've
> got at home (had a spare nic and no cash for a hub ;)
> 
> anybody had a similar case?

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Strange broadcasts
  2005-04-18 18:30 ` Taylor, Grant
@ 2005-04-18 19:25   ` Jason Opperisano
  0 siblings, 0 replies; 4+ messages in thread
From: Jason Opperisano @ 2005-04-18 19:25 UTC (permalink / raw)
  To: netfilter

On Mon, Apr 18, 2005 at 01:30:05PM -0500, Taylor, Grant wrote:
> This looks like some extremely weird traffic.  Normal M$ RPC traffic should 
> not going to the broadcast address (.255 on each respective subnet).

MS RPC uses TCP 135, not UDP 137 or 138.  netbios name (137) and
datagram (138) are most definitely broadcast-based (in the absence of a
WINS server).

-j

--
"Stewie: They're getting nude! I mustn't watch, it's not the proper
 thing to...Wow! I say, nice ones, Janine! And look at Lisa in all of her
 curvaceous glory! Heavens, it appears that my weewee has been stricken
 with rigor mortis!"
        --Family Guy


^ permalink raw reply	[flat|nested] 4+ messages in thread

* RE: Strange broadcasts
@ 2005-04-18 16:40 Piszcz, Justin
  0 siblings, 0 replies; 4+ messages in thread
From: Piszcz, Justin @ 2005-04-18 16:40 UTC (permalink / raw)
  To: Lukasz Hejnak, netfilter

Looks like netbios/windows sharing traffic to me.
Turn your other PC's off and/or disable NetBIOS / filesharing and see if
it persists.

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Lukasz
Hejnak
Sent: Monday, April 18, 2005 12:23 PM
To: netfilter@lists.netfilter.org
Subject: Strange broadcasts

Hi
I've started receiving some strange broadcast information on my firewall
it starts in the logs around ten days ago and looks like this:

INPUT:IN=eth0 OUT= MAC= SRC=192.168.10.1 DST=192.168.10.255 LEN=240
TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=220 
INPUT:IN=eth0 OUT= MAC= SRC=192.168.10.1 DST=192.168.10.255 LEN=234
TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214 

INPUT:IN=eth1 OUT= MAC= SRC=$MYEXTIP DST=$MYEXTNET.255 LEN=240 TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=220 
INPUT:IN=eth1 OUT= MAC= SRC=$MYEXTIP DST=$MYEXTNET.255 LEN=234 TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214 

INPUT:IN=eth2 OUT= MAC= SRC=192.168.11.1 DST=192.168.11.255 LEN=240
TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=220 
INPUT:IN=eth2 OUT= MAC= SRC=192.168.11.1 DST=192.168.11.255 LEN=234
TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214 

a few first occurences had SPT and DPT 137, and now it looks like the
above
happens about every 12 minutes, and I can't seem to see what's causing
this
the server is running only apache and exim
the eth1 is the internet, eth{0,2} are just two connections to two PCs
I've
got at home (had a spare nic and no cash for a hub ;)

anybody had a similar case?

-- 
with regards
Lukasz Hejnak
szift@wp.pl



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2005-04-18 19:25 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-04-18 16:23 Strange broadcasts Lukasz Hejnak
2005-04-18 18:30 ` Taylor, Grant
2005-04-18 19:25   ` Jason Opperisano
  -- strict thread matches above, loose matches on Subject: below --
2005-04-18 16:40 Piszcz, Justin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox