I think you have it backwards. Interface xl0 is my Internal (Protected) NIC interface.
So I read this as something connected to the inside, trying to go out using bogus IP addresses. I have deleted some of the logs to keep mail packet lower... Please correct me if I am reading this wrong!

Danny

-----Original Message-----
From: Steve Leach [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 26, 2004 4:38 PM
To: [EMAIL PROTECTED]
Subject: Re: [gb-users] Something very fishy here!

Cox, Danny H. wrote:
> Is anyone else seeing the same type of traffic listed below?
>
> The traffic implies one of the following:
>
> 1. Trojan/virus/worm
> 2. Hacked access using an internal system as waypoint
> 3. Internal hacker (employee or guest)
> 4. Portal vulnerability - netmeeting, IM...
>
> If I did not know better, I would say this was Nimda traffic.
>
> Strangely enough, the traffic has not returned. I have personally scanned all systems, verified every system is current and checked the logs - NOTHING.
>
> I am fairly tightly locked down and have a three-tiered AV solution. All scans come up 100% clean; neither real-time, manual, nor online scans show any infection(s) that would explain this. My anti-spyware software finds nothing either.
>
> With all internal systems checked and rechecked, the only other possibility would be vulnerability at the firewall.
>
> I had some RDP tunnels open, but have since closed them (no change).
>
> Is anyone aware of ANY means of producing this traffic I may have overlooked???
>
> Thanks,
>
> Danny
>
>       ALARM NO: 2
>           DATE: Thu 2004-01-22 18:55:22 GMT
>      INTERFACE: Protected (xl0)
> INTERFACE TYPE: Protected
>     ALARM TYPE: Possible spoof
>      IP PACKET: TCP [101.138.48.144/1707]-->[64.35.110.11/80] l=0 f=0x2
>                 [101.138.48.144/1707]-->[64.35.110.11/http]
>
> DETAILED DESCRIPTION:
>   Return interface for IP packet is different than arrival.
>
> ----------------------------------------------------------------------------
>
>       ALARM NO: 3
>           DATE: Thu 2004-01-22 18:55:22 GMT
>      INTERFACE: Protected (xl0)
> INTERFACE TYPE: Protected
>     ALARM TYPE: Possible spoof
>      IP PACKET: TCP [1.210.252.124/1295]-->[62.140.213.144/80] l=0 f=0x2
>                 [1.210.252.124/1295]-->[web2.vnunet.com/http]
>
> DETAILED DESCRIPTION:
>   Return interface for IP packet is different than arrival.
>
> ------------------------------------------------------
> To unsubscribe: [EMAIL PROTECTED]
> For additional commands: [EMAIL PROTECTED]
> Archive: http://archives.gnatbox.com/gb-users/

Nothing seen here - a few hundred scans per day at the normal perimeter (external) but no activity that looks like external traffic on internal network. Your 'mobile' users all check out I take it? No-one allowed any salesmen to plug anything into the network that was not 100% validated? No WiFi stuff installed anywhere? Other than that, the premise looks as you stated - have to say the Gnatboxes have proven very solid up to now - hope there is no flaw in them.

--
Best Regards,
Steve Leach
Network Manager
MI International Ltd
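The "Return interface for IP packet is different than arrival" alarm is a reverse-path check: the firewall looks up the packet's source address in its routing table and raises "Possible spoof" when the reply would leave on a different interface than the one the packet came in on, which is exactly why foreign source addresses arriving on the Protected side trip it. As an added example, not GNAT Box code and not from anyone on the list, the Python below runs that check over alarm text in the format quoted above; the internal subnet 192.168.1.0/24 on xl0 and an external interface named xl1 are constructed assumptions, since the thread never states them.

```python
import ipaddress
import re
# Constructed routing table for the reverse-path check: longest prefix wins.
# The internal subnet and the external name "xl1" are assumptions.
ROUTES = {
    ipaddress.ip_network("192.168.1.0/24"): "xl0",  # Protected (internal) side
    ipaddress.ip_network("0.0.0.0/0"): "xl1",       # default route, External side
}

# Fields of one GNAT Box alarm in the layout quoted in the thread.
ALARM_RE = re.compile(
    r"INTERFACE:\s*\w+\s*\((?P<iface>\w+)\).*?"
    r"IP PACKET:\s*(?P<proto>\w+)\s*\[(?P<src>[\d.]+)/(?P<sport>\w+)\]"
    r"-->\[(?P<dst>[\d.]+)/(?P<dport>\w+)\]",
    re.S,
)

def return_interface(ip, routes=ROUTES):
    """Interface a reply to `ip` would leave on (longest-prefix match)."""
    addr = ipaddress.ip_address(ip)
    best = max((n for n in routes if addr in n), key=lambda n: n.prefixlen)
    return routes[best]

def parse_alarm(text):
    m = ALARM_RE.search(text)
    if m is None:
        raise ValueError("unrecognised alarm text")
    fields = m.groupdict()
    flags = re.search(r"\bf=(0x[0-9a-fA-F]+)", text)
    # f=0x2 is a bare TCP SYN: a new outbound connection attempt.
    fields["syn_only"] = bool(flags) and int(flags.group(1), 16) == 0x02
    return fields

def is_spoof(alarm, routes=ROUTES):
    """True when the source would not route back out the arrival interface."""
    return return_interface(alarm["src"], routes) != alarm["iface"]

def audit(alarm_texts, routes=ROUTES):
    """[(src, arrival iface, spoofed?)] for each alarm block."""
    return [(a["src"], a["iface"], is_spoof(a, routes))
            for a in map(parse_alarm, alarm_texts)]

# Constructed samples: two from the thread plus one legitimate internal client.
SAMPLES = [
    "INTERFACE: Protected (xl0)\nIP PACKET: TCP [101.138.48.144/1707]-->[64.35.110.11/80] l=0 f=0x2",
    "INTERFACE: Protected (xl0)\nIP PACKET: TCP [1.210.252.124/1295]-->[62.140.213.144/80] l=0 f=0x2",
    "INTERFACE: Protected (xl0)\nIP PACKET: TCP [192.168.1.20/1025]-->[62.140.213.144/80] l=0 f=0x2",
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Both alarms from the thread are flagged because their sources route to the default (external) side while they arrived on xl0; the constructed 192.168.1.20 client passes, which is the behaviour to expect from a healthy internal host.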
