RE: Strange network activity

From: Dave Paris (dparis_at_w3works.com)
Date: 04/16/04

    To: <incidents@securityfocus.com>
    Date: Fri, 16 Apr 2004 14:53:12 -0400
    
    

    > -----Original Message-----
    > From: Roach4 [mailto:ml@undergroundportal.com]
    > Sent: Friday, April 16, 2004 10:39 AM
    > To: incidents@securityfocus.com
    > Subject: Strange network activity
    >
    >
    > Hi,
    >
    > Yesterday we noticed some strange traffic from some internal machines
    > trying to contact Japan IP addresses on the port 54875 like 300 times a
    > second. We left the office without worrying too much and we came back this
    > morning to see that there were external Japan IP addresses which were
    > querying internal machines for the RPC vulnerability.
    [...]

    "noticed...internal machines trying to contact...like 300 times a second."
    "left the office without worrying too much"

    Please tell me you left out a line in your message like "so we
    firewalled off the internal machines from contacting (inbound and outbound)
    the suspect networks."

    If so, please disregard the remainder of this note.

    If not...
    Pardon me for throwing decorum (and sane-sounding responses) out the window,
    but WHAT IN THE HOLY HELL WERE YOU PEOPLE FREAKIN' THINKING WHEN YOU JUST UP
    AND LEFT??!! I mean really... 300 times a second and this didn't set off
    any bells in your heads that there just *might* be a wee bit of a problem on
    your network?!?

    [Shaking my head in disbelief]
    -dsp
