Guest Kris, posted August 14, 2008

Hello,

I am looking for advice on how to determine where some potentially malicious network traffic is originating from.

The situation is that the F-Secure firewall on a number of client machines on our network has blocked traffic reported as the following:

Inbound TCP
Malware - Bagle.Y in
Remote port 9500
Remote address 192.0.2.42
Local Port 2535
Local address 192.168.16.24

All reports have identified the same remote IP address.

On Monday morning I configured another Linux-based firewall (in addition to our security device firewall) that acts as a transparent bridge. This only allows ports 80, 25, 1723 and 53. Since configuring this firewall on Monday, F-Secure has continued blocking the threat on port 9500. Therefore I believe the traffic is internal and the IP of the threat is spoofed.

We also have a wireless access point, which I turned off last night.

I am concerned a computer on our network is infected with the worm. Is there a way I can sniff for traffic originating from port 9500 on our network to determine the IP address it's originating from?

We have 3 fairly modern switches; if I were to use a packet sniffer, would I need to run a sniffer on each switch?

Thanks,
Kip.
Guest David H. Lipman, posted August 14, 2008

From: "Kris" <Kris@discussions.microsoft.com>

| Hello,
| I am looking for advice on how to determine where some potentially malicious
| network traffic is originating from?
| The situation is the Fsecure Firewall on a number of client machines on our
| network has blocked traffic reported as the following:
| Inbound TCP
| Malware - Bagle.Y in
| Remote port 9500
| Remote address 192.0.2.42
| Local Port 2535
| Local address 192.168.16.24
| All reports have identified the same remote IP address.
| On Monday morning I configured another linux based firewall (in addition to
| our security device firewall) that acts as a transparent bridge. This only
| allows port 80, 25, 1723 and 53. Since configuring this firewall on Monday
| Fsecure has continued blocking the threat on port 9500. Therefore I believe
| the traffic is internal and the IP of the threat is spoofed.
| We also have a wireless access point which I turned off last night.
| I am concerned a computer on our network is infected with the worm. Is there
| a way I can sniff for traffic originating from port 9500 on our network to
| determine the ip address it's originating from?
| We have 3 fairly modern switches, if I was to use a packet sniffer would I
| need to run a sniffer on each switch?
| Thanks,
| Kip.

Actually, you would have to sniff at each port of a switch, because Ethernet switches are not like hubs and each port is its own collision domain.

What does your border gateway/firewall indicate?

If you don't have one, you should consider a firewall on the LAN/WAN barrier.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest VanguardLH, posted August 14, 2008

Kris wrote:

> Hello,
>
> I am looking for advice on how to determine where some potentially malicious
> network traffic is originating from?
>
> The situation is the Fsecure Firewall on a number of client machines on our
> network has blocked traffic reported as the following:
>
> Inbound TCP
> Malware - Bagle.Y in
> Remote port 9500
> Remote address 192.0.2.42
> Local Port 2535
> Local address 192.168.16.24
>
> All reports have identified the same remote IP address.
>
> On Monday morning I configured another linux based firewall (in addition to
> our security device firewall) that acts as a transparent bridge. This only
> allows port 80, 25, 1723 and 53. Since configuring this firewall on Monday
> Fsecure has continued blocking the threat on port 9500. Therefore I believe
> the traffic is internal and the IP of the threat is spoofed.
>
> We also have a wireless access point which I turned off last night.
>
> I am concerned a computer on our network is infected with the worm. Is there
> a way I can sniff for traffic originating from port 9500 on our network to
> determine the ip address it's originating from?
>
> We have 3 fairly modern switches, if I was to use a packet sniffer would I
> need to run a sniffer on each switch?
>
> Thanks,
>
> Kip.

It's not a remote host. 192.0.2.42 is within an IANA reserved range for private use. That is, the host is on your intranet. Could be the malware is making the usurped host use a different IP address.

What do you see when you run "arp -a", which would show the MAC address of the offending host? I don't know how likely it is that malware changes the MAC address. The problem is then trying to find out which host has that MAC address. You could block that address at every switch or router and wait until the user complains about network connectivity.
Guest Lon, posted August 16, 2008

David H. Lipman wrote:

> From: "Kris" <Kris@discussions.microsoft.com>
>
> | Hello,
>
> | I am looking for advice on how to determine where some potentially malicious
> | network traffic is originating from?
>
> | The situation is the Fsecure Firewall on a number of client machines on our
> | network has blocked traffic reported as the following:
>
> | Inbound TCP
> | Malware - Bagle.Y in
> | Remote port 9500
> | Remote address 192.0.2.42
> | Local Port 2535
> | Local address 192.168.16.24
>
> | All reports have identified the same remote IP address.
>
> | On Monday morning I configured another linux based firewall (in addition to
> | our security device firewall) that acts as a transparent bridge. This only
> | allows port 80, 25, 1723 and 53. Since configuring this firewall on Monday
> | Fsecure has continued blocking the threat on port 9500. Therefore I believe
> | the traffic is internal and the IP of the threat is spoofed.
>
> | We also have a wireless access point which I turned off last night.
>
> | I am concerned a computer on our network is infected with the worm. Is there
> | a way I can sniff for traffic originating from port 9500 on our network to
> | determine the ip address it's originating from?
>
> | We have 3 fairly modern switches, if I was to use a packet sniffer would I
> | need to run a sniffer on each switch?
>
> | Thanks,
>
> | Kip.
>
> Actually, you would have to sniff at each port of a switch, because Ethernet switches are not like
> hubs and each port is its own collision domain.
>
> What does your border gateway/firewall indicate?
>
> If you don't have one, you should consider a firewall on the LAN/WAN barrier.

Port-span the switch closest to the firewall to a computer inside. Might be a good idea to use only a fresh install or a Unix/Linux box. Wireshark is pretty easy to use.
Guest Geoff, posted August 16, 2008

On Thu, 14 Aug 2008 09:39:01 -0700, Kris <Kris@discussions.microsoft.com> wrote:

> Remote address 192.0.2.42

This is in the IANA reserved range for what used to be Class C private networks; as such, it is not back-traceable. Net 192/8 is ARIN-controlled and reserved space. Your malware is spoofing the originating IP address, probably through Berkeley raw sockets on a Linux box or a Windows box with raw sockets enabled.

Sniffer on each switch? Definitely, since you can't trace the IP. Grab one of the F-Secure machines reporting the traffic and sniff that one for the port 9500 traffic. Identify the MAC address and then sniff that switch, and keep going up the network chain until you identify the source. You are lucky it's periodic.
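The first step Geoff and VanguardLH describe, filtering a capture taken on one of the reporting hosts for frames sent from TCP port 9500 and noting the source MAC behind the spoofed source IP, can be scripted without any capture library. The example below is added here and is not code from the thread; it parses raw Ethernet/IPv4/TCP frames and the three sample frames (the MAC addresses and the 192.168.16.30 host are constructed) stand in for a real capture.

```python
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Construct a minimal Ethernet/IPv4/TCP SYN frame (sample input only)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                       IPPROTO_TCP, 0, ip(src_ip), ip(dst_ip))
    return ETH_HDR.pack(mac(dst_mac), mac(src_mac), ETHERTYPE_IPV4) + ipv4 + tcp

def parse_frame(frame):
    """Return (src_mac, src_ip, sport, dport) for an IPv4/TCP frame, else None."""
    if len(frame) < ETH_HDR.size + 20:
        return None
    _, src_mac, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip_off = ETH_HDR.size
    ihl = (frame[ip_off] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[ip_off + 9] != IPPROTO_TCP or len(frame) < ip_off + ihl + 4:
        return None
    src_ip = ".".join(str(b) for b in frame[ip_off + 12:ip_off + 16])
    sport, dport = struct.unpack_from("!HH", frame, ip_off + ihl)
    return ":".join(f"{b:02x}" for b in src_mac), src_ip, sport, dport

def find_sources(frames, port=9500):
    """Map each source MAC that sent from `port` to the source IPs it claimed.
    The IP can be spoofed; the MAC is what the switch forwarding table knows."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[2] == port:
            src_mac, src_ip, _, _ = parsed
            seen[src_mac].add(src_ip)
    return dict(seen)

# Constructed sample capture: two hits from the spoofed address, one reply.
SAMPLE = [
    build_frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "192.0.2.42", "192.168.16.24", 9500, 2535),
    build_frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:02", "192.0.2.42", "192.168.16.30", 9500, 2535),
    build_frame("aa:bb:cc:dd:ee:01", "00:11:22:33:44:55", "192.168.16.24", "192.0.2.42", 2535, 9500),
]

if __name__ == "__main__":
    for mac, ips in find_sources(SAMPLE).items():
        print(f"source MAC {mac} claimed IP(s): {sorted(ips)}")
```

The MAC this returns is the value to look up in each switch's forwarding table to walk back to the physical port, as Geoff suggests.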
Guest kalyan, posted September 5, 2008

Hi, try the link ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip

Use the scanner.

Warm regards,
kalyan

"Kris" <Kris@discussions.microsoft.com> wrote in message news:566AEB1B-82E5-4A74-9CF6-28A4A49DEAA9@microsoft.com...

> Hello,
>
> I am looking for advice on how to determine where some potentially
> malicious
> network traffic is originating from?
>
> The situation is the Fsecure Firewall on a number of client machines on
> our
> network has blocked traffic reported as the following:
>
> Inbound TCP
> Malware - Bagle.Y in
> Remote port 9500
> Remote address 192.0.2.42
> Local Port 2535
> Local address 192.168.16.24
>
> All reports have identified the same remote IP address.
>
> On Monday morning I configured another linux based firewall (in addition
> to
> our security device firewall) that acts as a transparent bridge. This only
> allows port 80, 25, 1723 and 53. Since configuring this firewall on Monday
> Fsecure has continued blocking the threat on port 9500. Therefore I
> believe
> the traffic is internal and the IP of the threat is spoofed.
>
> We also have a wireless access point which I turned off last night.
>
> I am concerned a computer on our network is infected with the worm. Is
> there
> a way I can sniff for traffic originating from port 9500 on our network to
> determine the ip address it's originating from?
>
> We have 3 fairly modern switches, if I was to use a packet sniffer would I
> need to run a sniffer on each switch?
>
> Thanks,
>
> Kip.