[fw-wiz] Strange Traffic
- From: "Mark" <firewalladmin@xxxxxxxxxxxxx>
- Date: Mon, 22 May 2006 18:24:01 -0400
I was wondering if anyone else has run into this and knows what may be
causing it. Recently my IDS started to log several suspicious entries,
specifically something (one or more internal machines) attempts to connect
to various IP addresses from source port 25 to a random high port. Here are
1. The internal IP addresses are legitimate addresses in the sense that they
are the same as my 3 internal class C addresses, but spoofed because I know
about 40-50 of the addresses they claim to be from are not currently
assigned to any workstations.
2. Source IP is that of an internal address, source port is 25.
3. Destination IP is usually something in Taiwan (I've noticed about 6
addresses there, one in Korea, one in Phoenix and one in Atlanta). Many
appear to be dynamically assigned. One even resolved as an ADSL IP address.
Destination port is a random high port, anywhere from about 17,000 something
to as high as 53,000 something.
4. The IDS is logging it as SMTP Malformed Data - Malformed Banner.
5. The events are logged about once every other day, and a total of about
50-60 are logged within about 10 minutes time, and start anywhere from 3:30
AM to 5:30 AM.
This has been happening for about 2 weeks now. My firewall is blocking the
outgoing traffic but I can't seem to pin down what is causing it. We run
updated AV and a corporate version of Anti Spyware, neither of which is
logging anything unusual. We also run a popular vulnerability scanner
regularly that hasn't come up with anything unusual. Does anyone have any
ideas if this is some sort of Spyware? Any ideas on tracking down the
source? I'm open to any and all suggestions. Thanks for taking the time to
firewall-wizards mailing list
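One way to turn the pattern described in the post into a repeatable check on the firewall's own logs, written here as an added example that is not part of the original message or the list's archive. It assumes a netfilter-style syslog line format (the real firewall's format will differ), three internal /24 networks and an inventory of addresses actually assigned to workstations; the log lines, networks and host list below are all constructed samples. The rule flags outbound TCP connections whose source port is 25 and destination port is a high port, and marks each hit whose source address is not in the inventory, since those are the spoofed ones the poster describes.

```python
import ipaddress
import re
from collections import Counter

# Assumed log format: netfilter/iptables-style syslog. Adjust the regex for a different firewall.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>ACCEPT|DROP) (?P<dir>IN|OUT) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) spt=(?P<spt>\d+) dpt=(?P<dpt>\d+)$"
)

# Constructed sample log lines (TEST-NET addresses, not the destinations seen by the poster).
SAMPLE_LOG = """\
May 20 03:41:12 fw1 kernel: DROP OUT src=192.168.1.17 dst=198.51.100.9 proto=TCP spt=25 dpt=17342
May 20 03:41:13 fw1 kernel: DROP OUT src=192.168.2.203 dst=198.51.100.9 proto=TCP spt=25 dpt=40110
May 20 03:41:15 fw1 kernel: ACCEPT OUT src=192.168.1.5 dst=203.0.113.10 proto=TCP spt=51234 dpt=80
May 20 03:42:01 fw1 kernel: DROP OUT src=192.168.3.77 dst=198.51.100.44 proto=TCP spt=25 dpt=52990
May 20 03:42:03 fw1 kernel: ACCEPT OUT src=192.168.1.5 dst=203.0.113.25 proto=TCP spt=33456 dpt=25
"""

# Assumed: the three internal class C networks and the addresses actually assigned to hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24")]
ASSIGNED_HOSTS = {"192.168.1.5", "192.168.1.17", "192.168.1.20"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def is_internal(addr):
    """True if the address falls inside one of the internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def matches_pattern(rec):
    """The poster's pattern: outbound TCP, source port 25, high destination port, internal source."""
    return (rec["dir"] == "OUT" and rec["proto"] == "TCP" and rec["spt"] == 25
            and rec["dpt"] >= 1024 and is_internal(rec["src"]))


def analyze(log_text, assigned=ASSIGNED_HOSTS):
    """Return the matching records, each annotated with whether its source is a known host."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not matches_pattern(rec):
            continue
        rec["src_assigned"] = rec["src"] in assigned
        findings.append(rec)
    return findings


def summarize(findings):
    """Counts a responder would look at first: total hits, spoofed sources, top destinations."""
    return {
        "total": len(findings),
        "unassigned_sources": sum(1 for f in findings if not f["src_assigned"]),
        "by_dst": Counter(f["dst"] for f in findings),
        "by_src": Counter(f["src"] for f in findings),
    }


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for h in hits:
        tag = "known host" if h["src_assigned"] else "UNASSIGNED (spoofed?)"
        print(f'{h["ts"]} {h["src"]}:{h["spt"]} -> {h["dst"]}:{h["dpt"]}  [{tag}]')
    print(summarize(hits))
```

Because the source addresses are spoofed, the firewall log alone cannot say which machine is emitting the packets; the summary narrows the time window and destination set, and the next step is to correlate that window with the switch MAC address tables or a packet capture on the internal segment, which this script does not do.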