Re: Is this a virus?
From: Alan P (alan_at_btinternet.com)
Date: 03/18/04
- Next message: Jam Live: "Re: Some questions on setting user access for certain Domain user."
- Previous message: Michael: "Re: Is this a virus?"
- In reply to: Michael: "Re: Is this a virus?"
Date: Thu, 18 Mar 2004 21:15:34 +0000 (UTC)
"Michael" <Not-My-Real_Address@bigpond.net.au> wrote in message
news:C3s5c.105053$Wa.58@news-server.bigpond.net.au...
> "Nils Petter Vaskinn" <no@spam.for.me.invalid> wrote in message
> news:pan.2004.03.15.09.06.24.937554@spam.for.me.invalid...
> > On Sun, 14 Mar 2004 10:01:12 +0000, Michael wrote:
> >
> > > "Brandon Mitchell" <foo@bar.com> wrote in message
> > > news:1056kjnoh53rqd4@news.supernews.com...
> > >> Michael wrote:
> > >> >>Linux gateway = Redhat
> > >> >>Suspect Computer = WinNT Workstation
> > >> >
> > >> >
> > >> > After collecting more detailed logs it turned out this is a problem
> > >> > with the linux machine. There was nothing wrong with what the
> > >> > windows-nt machine was doing.
> > >>
> > >> Other than running Windows NT? ;^)
> > >
> > > Huh? I already said it was running windows-nt so I knew it was doing
> > > so. I'm not quite sure what you mean.
> >
> > It's a joke.
>
> It's a pretty silly joke then. It had nothing to do with my problem or
> solution.
>
> > I'm curious, what kind of problem with the linux machine could make the
> > NT machine make a lot of (apparently random) NetBIOS lookups?
>
> The linux machine was the gateway/router for the internet <-> LAN (NAT).
>
> It was allowing some (legitimate reply) packets onto the LAN without
> destination NATing them (i.e. they still had my EXTERNAL IP address as the
> destination address even though they were being routed INTERNALLY by the
> linux box).
>
> I have a setup with routing on the NT machine enabled (as it is being
> used as a VPN server). The NT appeared to think these packets came from
> the LAN so it would try to deliver these packets but could not (as they
> were not destined for a network connected to the NT machine). The NT
> machine would send an ICMP error response back to the originating machine
> (trapping this outgoing response is how I found it) and about 10 seconds
> later try to do a netbios name lookup on that IP address which was logged
> in the egress firewall logs on the linux machine.
>
> It all looked a bit scary - like windows viruses - until I tracked a
> specific communication path.
>
> Here are some outgoing logs in response to my NT machine trying to get the
> time from yoyo.aarnet.edu.au (I have outgoing DNS lookups blocked):
>
> Mar 12 14:24:42 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=61.9.192.14 LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=30050 PROTO=UDP SPT=2876 DPT=53 LEN=51
> Mar 12 14:24:44 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=192.43.230.1 LEN=56 TOS=0x00 PREC=0x00 TTL=127 ID=30562 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.43.230.1 DST=144.137.88.XXX LEN=76 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=123 DPT=6 LEN=56 ]
> Mar 12 14:24:46 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=61.9.192.14 LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=31330 PROTO=UDP SPT=2876 DPT=53 LEN=51
> Mar 12 14:24:54 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=192.43.230.1 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=31586 PROTO=UDP SPT=137 DPT=137 LEN=58
> Mar 12 14:24:56 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=192.43.230.1 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=31842 PROTO=UDP SPT=137 DPT=137 LEN=58
> Mar 12 14:24:57 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=192.43.230.1 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=32098 PROTO=UDP SPT=137 DPT=137 LEN=58
> Mar 12 14:52:22 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=61.9.192.14 LEN=74 TOS=0x00 PREC=0x00 TTL=127 ID=52578 PROTO=UDP SPT=2878 DPT=53 LEN=54
>
> NOTE: the IP address DST=144.137.88.XXX should never appear on the LAN so
> the NT machine should never have received it.
>
> I guess the whole episode shows the usefulness of firewalling both incoming
> and outgoing packets and only allowing packets you want to allow (and
> using bug free software).
>
> > --
> > NPV
> >
> > "the large print giveth, and the small print taketh away"
> > Tom Waits - Step right up
> >
>
>
Lol made me chuckle anyway :-)
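The chain Michael traces in the quoted post (a reply that reached the LAN still carrying the external address, the NT host's ICMP type 3 error back to the origin, then NetBIOS name lookups to that same address about 10 seconds later) can be pulled out of iptables LOG output mechanically rather than by eye. The Python below is an added example and not code from anyone in the thread: it parses lines in the format quoted above, flags ICMP errors whose embedded packet header was addressed to the gateway's external IP (a packet that should never be seen on the LAN side), and pairs each ICMP error with the UDP 137 lookups that followed it. The sample log lines are constructed to mirror the post's, and 203.0.113.7 is assumed as the gateway's external address in place of the masked 144.137.88.XXX.

```python
import re
from datetime import datetime

# Constructed sample input modelled on the iptables LOG lines quoted in the
# post (same fields and timing). 203.0.113.7 is an assumed stand-in for the
# gateway's external address, which the post masks as 144.137.88.XXX.
EXTERNAL_IP = "203.0.113.7"
SAMPLE_LOG = """\
Mar 12 14:24:42 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=61.9.192.14 LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=30050 PROTO=UDP SPT=2876 DPT=53 LEN=51
Mar 12 14:24:44 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=192.43.230.1 LEN=56 TOS=0x00 PREC=0x00 TTL=127 ID=30562 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.43.230.1 DST=203.0.113.7 LEN=76 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=123 DPT=6 LEN=56 ]
Mar 12 14:24:46 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=61.9.192.14 LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=31330 PROTO=UDP SPT=2876 DPT=53 LEN=51
Mar 12 14:24:54 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=192.43.230.1 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=31586 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 12 14:24:56 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=192.43.230.1 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=31842 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 12 14:24:57 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=192.43.230.1 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=32098 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 12 14:52:22 Gateway kernel: IN=eth1 OUT=ppp0 SRC=172.16.0.10 DST=61.9.192.14 LEN=74 TOS=0x00 PREC=0x00 TTL=127 ID=52578 PROTO=UDP SPT=2878 DPT=53 LEN=54
"""

# "<syslog timestamp> <host> kernel: <LOG fields>"; an iptables --log-prefix
# may precede IN= and is harmless, since only key=value tokens are extracted.
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) kernel: (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
NETBIOS_NS = "137"  # NetBIOS name service port


def parse_line(line):
    """One LOG line -> dict of key=value fields. For ICMP errors the bracketed
    header of the packet that provoked the error is returned under 'inner'.
    The two LEN= fields collide; nothing below depends on LEN."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text, host, body = m.groups()
    inner = None
    bracket = re.search(r"\[(.*?)\]", body)
    if bracket:
        inner = dict(KV_RE.findall(bracket.group(1)))
        body = body[:bracket.start()] + body[bracket.end():]
    rec = dict(KV_RE.findall(body))
    # syslog omits the year (strptime fills in 1900); only deltas are used.
    rec["ts"] = datetime.strptime(" ".join(ts_text.split()), "%b %d %H:%M:%S")
    rec["host"], rec["inner"] = host, inner
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def is_icmp_unreachable(rec):
    return rec.get("PROTO") == "ICMP" and rec.get("TYPE") == "3"


def find_unnated_replies(records, external_ip):
    """ICMP unreachable errors a LAN host sent about a packet addressed to the
    gateway's EXTERNAL address. Such a packet must never be seen on the LAN
    side (DST should have been rewritten to the LAN host), so its presence in
    the error is the tell-tale of the missing DNAT the post describes."""
    return [r for r in records
            if is_icmp_unreachable(r) and (r["inner"] or {}).get("DST") == external_ip]


def correlate_netbios_lookups(records, window_seconds=30):
    """Pair each ICMP unreachable a LAN host emitted with the NetBIOS name
    lookups (UDP 137 -> 137) the same host sent to the same address within
    window_seconds: the 'error, then a lookup ~10 s later' pattern."""
    chains = []
    for err in filter(is_icmp_unreachable, records):
        lookups = [r for r in records
                   if r.get("PROTO") == "UDP" and r.get("SPT") == NETBIOS_NS
                   and r.get("DPT") == NETBIOS_NS and r.get("SRC") == err.get("SRC")
                   and r.get("DST") == err.get("DST")
                   and 0 <= (r["ts"] - err["ts"]).total_seconds() <= window_seconds]
        chains.append((err, lookups))
    return chains


def summarize(log_text, external_ip):
    """Counts to check first: leaked un-NATed replies, and lookups per error."""
    records = parse_log(log_text)
    return {"records": len(records),
            "unnated_replies": len(find_unnated_replies(records, external_ip)),
            "lookups_per_error": [len(l) for _, l in correlate_netbios_lookups(records)]}


if __name__ == "__main__":
    for err, lookups in correlate_netbios_lookups(parse_log(SAMPLE_LOG)):
        offending = (err["inner"] or {}).get("DST")
        print(f"{err['ts']:%H:%M:%S} {err['SRC']} sent ICMP 3/{err['CODE']} to {err['DST']}"
              f" about a packet for {offending} (un-NATed: {offending == EXTERNAL_IP});"
              f" {len(lookups)} NetBIOS lookup(s) followed")
```

Run as a script it prints one line per ICMP error found in the constructed sample; on a real gateway, feed it the kernel lines from syslog (for example the output of `grep 'kernel:' /var/log/messages`) and your actual external address. The 30-second window is a guess that fits the ~10 s delay Michael observed; widen it if the host retries slowly. Because syslog timestamps carry no year, deltas across a New Year boundary come out wrong, and `%b` parsing assumes English month names.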