Is anyone else seeing the same type of traffic listed below?

Nothing seen here - a few hundred scans per day at the normal perimeter (external) but no activity that looks like external traffic on internal network. Your 'mobile' users all check out I take it? No-one allowed any salesmen to plug anything into the network that was not 100% validated? No WiFi stuff installed anywhere?
The traffic implies one of the following:
1. Trojan/virus/worm
2. Hacked access using an internal system as waypoint
3. Internal hacker (employee or guest)
4. Portal vulnerability - netmeeting, IM...
If I did not know better, I would say this was Nimda traffic.
Strangely enough, the traffic has not returned. I have personally scanned all systems, verified every system is current and checked the logs - NOTHING.
I am fairly tightly locked down and have a three tiered AV solution. All scans come up 100% clean; neither real-time, manual, nor online scans show any infection(s) that would explain this. My anti-spyware software finds nothing either.
With all internal systems checked and rechecked, the only other possibility would be vulnerability at the firewall.
I had some RDP tunnels open, but have since closed them (no change).
Is anyone aware of ANY means of producing this traffic I may have overlooked???
Thanks,
Danny
ALARM NO: 2
DATE: Thu 2004-01-22 18:55:22 GMT
INTERFACE: Protected (xl0)
INTERFACE TYPE: Protected
ALARM TYPE: Possible spoof
IP PACKET: TCP [101.138.48.144/1707]-->[64.35.110.11/80] l=0 f=0x2
[101.138.48.144/1707]-->[64.35.110.11/http]
DETAILED DESCRIPTION:
Return interface for IP packet is different than arrival.
-----------------------------------------------------------------------------
ALARM NO: 3
DATE: Thu 2004-01-22 18:55:22 GMT
INTERFACE: Protected (xl0)
INTERFACE TYPE: Protected
ALARM TYPE: Possible spoof
IP PACKET: TCP [1.210.252.124/1295]-->[62.140.213.144/80] l=0 f=0x2
[1.210.252.124/1295]-->[web2.vnunet.com/http]
DETAILED DESCRIPTION:
Return interface for IP packet is different than arrival.
-----------------------------------------------------------------------------
ALARM NO: 4
DATE: Thu 2004-01-22 18:55:22 GMT
INTERFACE: Protected (xl0)
INTERFACE TYPE: Protected
ALARM TYPE: Possible spoof
IP PACKET: TCP [211.226.166.239/1033]-->[62.140.213.141/80] l=0 f=0x2
[211.226.166.239/1033]-->[web1.vnunet.com/http]
DETAILED DESCRIPTION:
Return interface for IP packet is different than arrival.
-----------------------------------------------------------------------------
ALARM NO: 5
DATE: Thu 2004-01-22 18:55:22 GMT
INTERFACE: Protected (xl0)
INTERFACE TYPE: Protected
ALARM TYPE: Possible spoof
IP PACKET: TCP [211.226.166.239/1033]-->[62.140.213.144/80] l=0 f=0x2
[211.226.166.239/1033]-->[web2.vnunet.com/http]
DETAILED DESCRIPTION:
Return interface for IP packet is different than arrival.
-----------------------------------------------------------------------------
------------------------------------------------------ To unsubscribe: [EMAIL PROTECTED] For additional commands: [EMAIL PROTECTED] Archive: http://archives.gnatbox.com/gb-users/
Other than that, the premise looks as you stated - have to say the Gnatbox's have proven very solid up to now - hope there is no flaw in them.
--
Best Regards,
Steve Leach
Network Manager
MI International Ltd
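As an added illustration (not code from the thread or from GNAT Box), here is the reverse-path check that the "Possible spoof" alarm describes, run over two of the records quoted above: a reply to the packet's source address must leave on the interface the packet arrived on, and a public source address showing up on the protected side fails that test. The routing table, with 192.168.1.0/24 as the protected LAN, is an assumption since the thread gives no internal addressing.

```python
import ipaddress
import re
# Constructed sample in the GNAT Box alarm format quoted in this thread
# (two of the records above, fields as given).
SAMPLE_ALARMS = """\
ALARM NO: 2
DATE: Thu 2004-01-22 18:55:22 GMT
INTERFACE: Protected (xl0)
INTERFACE TYPE: Protected
ALARM TYPE: Possible spoof
IP PACKET: TCP [101.138.48.144/1707]-->[64.35.110.11/80] l=0 f=0x2
------------------------------------------------------------------------
ALARM NO: 3
DATE: Thu 2004-01-22 18:55:22 GMT
INTERFACE: Protected (xl0)
INTERFACE TYPE: Protected
ALARM TYPE: Possible spoof
IP PACKET: TCP [1.210.252.124/1295]-->[62.140.213.144/80] l=0 f=0x2
"""
# Assumed routing table (the thread gives no addressing): networks behind
# each interface. xl0 is the protected LAN, xl1 the external default route.
ROUTES = {"xl0": [ipaddress.ip_network("192.168.1.0/24")],
          "xl1": [ipaddress.ip_network("0.0.0.0/0")]}
PKT_RE = re.compile(r"IP PACKET: (\w+) \[([\d.]+)/\d+\]-->\[([\d.]+)/(\d+)\] l=\d+ f=(0x[0-9a-fA-F]+)")
IFACE_RE = re.compile(r"^INTERFACE: \w+ \((\w+)\)", re.M)

def parse_alarms(text):
    """Split the log on the dashed separators and pull out the packet fields."""
    records = []
    for block in re.split(r"^-{20,}\s*$", text, flags=re.M):
        pkt, iface = PKT_RE.search(block), IFACE_RE.search(block)
        if pkt and iface:
            proto, src, dst, dport, flags = pkt.groups()
            records.append({"iface": iface.group(1), "proto": proto, "src": src,
                            "dst": dst, "dport": int(dport), "flags": int(flags, 16)})
    return records

def return_interface(ip):
    """Longest-prefix match: the interface a reply to `ip` would leave on."""
    addr = ipaddress.ip_address(ip)
    matches = [(n.prefixlen, name) for name, nets in ROUTES.items() for n in nets if addr in n]
    return max(matches)[1]

def is_spoof(rec):
    """The check behind the alarm: the reply route must use the arrival interface."""
    return return_interface(rec["src"]) != rec["iface"]

def spoofed_syns(text):
    """(src, dst) of every TCP SYN (f=0x2) whose source fails the reverse-path check."""
    return [(r["src"], r["dst"]) for r in parse_alarms(text)
            if r["proto"] == "TCP" and r["flags"] == 0x2 and is_spoof(r)]
```

Both quoted records fail the check, which is the same signal the box raised: internal hosts (or something bridged onto the protected segment) emitting SYNs with addresses that belong behind the external interface.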
