Re: Is this a virus?

From: Michael (Not-My-Real_Address_at_bigpond.net.au)
Date: 03/16/04


Date: Tue, 16 Mar 2004 00:42:10 GMT


"Nils Petter Vaskinn" <no@spam.for.me.invalid> wrote in message
news:pan.2004.03.15.09.06.24.937554@spam.for.me.invalid...
> On Sun, 14 Mar 2004 10:01:12 +0000, Michael wrote:
>
> > "Brandon Mitchell" <foo@bar.com> wrote in message
> > news:1056kjnoh53rqd4@news.supernews.com...
> >> Michael wrote:
> >> >>Linux gateway = Redhat
> >> >>Suspect Computer = WinNT Workstation
> >> >
> >> >
> >> > After collecting more details logs it turned out this is a problem
> >> > with
> > the
> >> > linux machine. There was nothing wrong with what the windows-nt
> >> > machine
> > was
> >> > doing.
> >>
> >> Other than running Windows NT? ;^)
> >
> > Huh? I already said it was running windows-nt so knew it was doing so.
> > I'm not quite sure what you mean.
>
> It's a joke.

It's a pretty silly joke then. It had nothing to do with my problem or
solution.

> I'm curious, what kind of problem with the linux machine could make the NT
> machine make a lot of (apparently random) NetBIOS lookups ?

The linux machine was the gateway/router for the internet <-> LAN (NAT).

It was allowing some (legitimate reply) packets onto the LAN without
destination NATing them (i.e. they still had my EXTERNAL IP address as the
destination address even though they were being routed INTERNALLY by the
linux box).

I have a setup with routing on the NT machine enabled (as it is being used
as a VPN server). The NT appeared to think these packets came from the LAN,
so it would try to deliver these packets but could not (as they were not
destined for a network connected to the NT machine). The NT machine would
send an ICMP error response back to the originating machine (trapping this
outgoing response is how I found it) and about 10 seconds later try to do a
NetBIOS name lookup on that IP address, which was logged in the egress
firewall logs on the linux machine.

It all looked a bit scary - like windows viruses - until I tracked a
specific communication path.

Here are some outgoing logs in response to my NT machine trying to get the
time from yoyo.aarnet.edu.au (I have outgoing DNS lookups blocked):

Mar 12 14:24:42 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=61.9.192.14 LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=30050 PROTO=UDP SPT=2876 DPT=53 LEN=51
Mar 12 14:24:44 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=192.43.230.1 LEN=56 TOS=0x00 PREC=0x00 TTL=127 ID=30562 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.43.230.1 DST=144.137.88.XXX LEN=76 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=123 DPT=6 LEN=56 ]
Mar 12 14:24:46 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=61.9.192.14 LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=31330 PROTO=UDP SPT=2876 DPT=53 LEN=51
Mar 12 14:24:54 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=192.43.230.1 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=31586 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 12 14:24:56 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=192.43.230.1 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=31842 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 12 14:24:57 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=192.43.230.1 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=32098 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 12 14:52:22 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=61.9.192.14 LEN=74 TOS=0x00 PREC=0x00 TTL=127 ID=52578 PROTO=UDP SPT=2878 DPT=53 LEN=54

NOTE: the IP address DST=144.137.88.XXX should never appear on the LAN, so
the NT machine should never have received it.

I guess the whole episode shows the usefulness of firewalling both incoming
and outgoing packets and only allowing packets you want to allow (and using
bug free software).

> --
> NPV
>
> "the large print giveth, and the small print taketh away"
> Tom Waits - Step right up
>
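The chain Michael describes above (a LAN host answers an un-NATed reply with ICMP type 3 code 3, then a few seconds later sends a NetBIOS name query to the same external address) can be picked out of netfilter LOG output automatically. The following is an added example, not code from the original post: it parses LOG lines in the format shown in the thread, including the bracketed inner header that ICMP errors carry, and correlates each "leaked reply" with the NetBIOS lookups that follow it. The sample lines are constructed, unwrapped copies of the post's format; the LAN prefix 172.16.0.0/24, the external address 203.0.113.5 (standing in for the masked 144.137.88.XXX) and the 30-second window are assumptions.

```python
"""Correlate un-NATed replies rejected by a LAN host with the NetBIOS lookups
they trigger, from netfilter LOG lines. Added example, not the poster's code."""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log, modelled on the post's lines. 203.0.113.5 is an
# assumed external address standing in for the poster's masked one.
SAMPLE_LOG = """\
Mar 12 14:24:42 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=61.9.192.14 LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=30050 PROTO=UDP SPT=2876 DPT=53 LEN=51
Mar 12 14:24:44 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=192.43.230.1 LEN=56 TOS=0x00 PREC=0x00 TTL=127 ID=30562 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.43.230.1 DST=203.0.113.5 LEN=76 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=123 DPT=6 LEN=56 ]
Mar 12 14:24:46 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=61.9.192.14 LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=31330 PROTO=UDP SPT=2876 DPT=53 LEN=51
Mar 12 14:24:54 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=192.43.230.1 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=31586 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 12 14:24:56 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=192.43.230.1 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=31842 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 12 14:52:22 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=61.9.192.14 LEN=74 TOS=0x00 PREC=0x00 TTL=127 ID=52578 PROTO=UDP SPT=2878 DPT=53 LEN=54
"""

LAN = ip_network("172.16.0.0/24")   # assumed internal prefix
WINDOW_SECONDS = 30                 # assumed: how long after the ICMP a lookup still counts

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (.*)$")


def parse_fields(text):
    """'KEY=value KEY=value DF ...' -> dict; bare flags such as DF map to True.
    A repeated key (the second LEN= is the UDP length) keeps its first value."""
    fields = {}
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields.setdefault(key, val)
        else:
            fields.setdefault(tok, True)
    return fields


def parse_line(line):
    """Parse one LOG line; the [ ... ] block of an ICMP error is the quoted
    header of the packet that provoked it, kept under the 'inner' key."""
    m = LINE_RE.match(line)
    if not m:
        return None
    body, inner = m.group(2), None
    if "[" in body:
        body, rest = body.split("[", 1)
        inner = parse_fields(rest.rstrip(" ]"))
    rec = parse_fields(body)
    rec["ts"] = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    rec["inner"] = inner
    return rec


def is_leaked_reply(rec):
    """ICMP port-unreachable sent by a LAN host, quoting a packet whose
    destination was still an address outside the LAN: the gateway forwarded
    an inbound reply without rewriting its destination."""
    if (rec.get("PROTO"), rec.get("TYPE"), rec.get("CODE")) != ("ICMP", "3", "3"):
        return False
    inner = rec.get("inner")
    if not inner or "DST" not in inner:
        return False
    return ip_address(rec["SRC"]) in LAN and ip_address(inner["DST"]) not in LAN


def is_netbios_query(rec):
    return rec.get("PROTO") == "UDP" and rec.get("SPT") == "137" and rec.get("DPT") == "137"


def correlate(log_text, window=WINDOW_SECONDS):
    """Return (icmp_time, lan_host, peer, leaked_dst, [lookup_times]) for each
    leaked reply followed by NetBIOS queries from that host to that peer."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    findings = []
    for r in records:
        if not is_leaked_reply(r):
            continue
        lookups = [q["ts"] for q in records
                   if is_netbios_query(q)
                   and q["SRC"] == r["SRC"] and q["DST"] == r["DST"]
                   and 0 <= (q["ts"] - r["ts"]).total_seconds() <= window]
        findings.append((r["ts"], r["SRC"], r["DST"], r["inner"]["DST"], lookups))
    return findings


if __name__ == "__main__":
    for ts, host, peer, leaked, lookups in correlate(SAMPLE_LOG):
        when = ", ".join(t.strftime("%H:%M:%S") for t in lookups)
        print(f"{ts:%b %d %H:%M:%S} {host} rejected reply from {peer} still addressed "
              f"to {leaked}; NetBIOS lookups to {peer} at {when}")
```

On the sample above this reports one leaked reply from 192.43.230.1 (UDP 123, i.e. the NTP answer) still addressed to the external 203.0.113.5, rejected by 172.16.0.10 and followed ten and twelve seconds later by two UDP 137 queries to 192.43.230.1. The DNS attempts to 61.9.192.14 are ignored because they match neither pattern. On a real gateway the same logic applied to the egress LOG chain separates this misrouting signature from the "random NetBIOS lookups" that first looked like a worm.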


