Re: That don't look good!

From: Zow (zow@presume.llnl.gov)
Date: 10/03/01


Message-Id: <200110031555.IAA04952@smtp-1.llnl.gov>
To: Adam Shephard <adam.shephard@firstfederalbanking.com>
Subject: Re: That don't look good! 
Date: Wed, 03 Oct 2001 08:55:22 -0700
From: "Zow" Terry Brugger <zow@presume.llnl.gov>

Adam,

> I'm hoping somebody can give me an honest, "don't worry, it's nothing" kind
> of answer but I don't really see that happening.

Well, I can't say that, but I would say that there's nothing to freak out
about yet. Figure out what's causing the activity, then respond accordingly.

> This weekend I started getting entries in my FW logs indicating that
> outbound packets were denied. The addresses were spoofed - all either 172. or
> 10.. This happens every day starting a couple of minutes before noon and
> goes on for 15 minutes exactly. During that time I get between 80 and 100
> entries, all denied (I log allows too). Then it stops until the next day.

How fortunate - that should make it much easier to track down.

> Any ideas?

It could either be some malicious code, but you seem to have explored that
option rather thoroughly, so my guess would be that it's something that was
installed legitimately that's just trying to do something stupid.

1. What changed around the time this activity started? Software / patches
installed? New machines added to the network? Configuration changes?

2. What machine is producing these packets? tcpdump -e should give you the
ethernet address which you can hopefully identify in your arp table.

I bet that when you answer both those questions, the culprit will pop right
out at you. At the very least, it should give you a machine to sit down at and
start poking around in the process tables / task manager. From there, I would
hope that you can identify anything suspicious.

Hope this helps,
Terry

import internet.mail.StandardDisclaimer;
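As an added example of Terry's step 2 (not code from the original thread), the script below parses constructed `tcpdump -e -n` lines, keeps the outbound packets whose IP source falls in the 10/8 or 172.16/12 ranges Adam describes while not belonging to the local segment, tallies the Ethernet source address behind them, and maps that address to a host through a constructed `arp -an` table. The exact tcpdump and arp line layouts, the 192.168.1/24 local network and 172.16/12 as the meaning of "172." are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -e -n` output (not a real capture): timestamp,
# source MAC > destination MAC, ethertype, then "srcIP.port > dstIP.port".
TCPDUMP_SAMPLE = """\
11:58:02.101 00:0c:29:aa:bb:01 > 00:50:56:ff:ee:01, ethertype IPv4 (0x0800), length 60: 10.9.8.7.1025 > 198.51.100.20.80: Flags [S], seq 1, win 512
11:58:02.233 00:0c:29:aa:bb:01 > 00:50:56:ff:ee:01, ethertype IPv4 (0x0800), length 60: 172.16.44.3.1026 > 198.51.100.20.80: Flags [S], seq 1, win 512
11:58:03.002 00:0c:29:12:34:56 > 00:50:56:ff:ee:01, ethertype IPv4 (0x0800), length 74: 192.168.1.50.49152 > 198.51.100.9.443: Flags [S], seq 9, win 64240
11:58:03.407 00:0c:29:aa:bb:01 > 00:50:56:ff:ee:01, ethertype IPv4 (0x0800), length 60: 10.200.1.1.1027 > 198.51.100.21.25: Flags [S], seq 1, win 512
"""
# Constructed `arp -an` output for the same segment.
ARP_SAMPLE = """\
? (192.168.1.50) at 00:0c:29:12:34:56 [ether] on eth0
? (192.168.1.77) at 00:0c:29:aa:bb:01 [ether] on eth0
"""

LINE_RE = re.compile(r"^\S+\s+(?P<smac>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype IPv4 .*?: "
                     r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+")
ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})")
# Private ranges the bogus sources fell into (172.16/12 assumed for "172.").
SPOOF_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]

def spoofed_source_macs(tcpdump_text, local_net="192.168.1.0/24"):
    """Count the Ethernet source behind each packet whose IP source is private but not local."""
    local = ipaddress.ip_network(local_net)
    counts = Counter()
    for line in tcpdump_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an IPv4 frame, or a line we cannot parse
        sip = ipaddress.ip_address(m["sip"])
        if sip not in local and any(sip in net for net in SPOOF_NETS):
            counts[m["smac"]] += 1        # the MAC is the real sender; the IP is not
    return counts

def parse_arp(arp_text):
    """MAC -> IP from `arp -an` lines; a MAC missing here needs the switch CAM table."""
    return {m["mac"]: m["ip"] for m in ARP_RE.finditer(arp_text)}

def attribute(tcpdump_text, arp_text):
    """Map each offending MAC to the host the ARP table knows it by and its packet count."""
    arp = parse_arp(arp_text)
    return {mac: (arp.get(mac, "unknown"), n)
            for mac, n in spoofed_source_macs(tcpdump_text).items()}

if __name__ == "__main__":
    for mac, (ip, n) in attribute(TCPDUMP_SAMPLE, ARP_SAMPLE).items():
        print(f"{mac} ({ip}) sent {n} packets with a spoofed private source")
```

On the sample, the MAC belonging to 192.168.1.77 is the one emitting the spoofed-source packets, which is the machine to sit down at and inspect.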