I think you have it backwards. That's what I meant by "external traffic on internal network" - sorry for the confusion - it must have been my terminology.
Interface xl0 is my Internal (Protected) NIC interface.
So I read this as something connected to the inside trying to go out using bogus IP addresses. I have deleted some of the logs to keep the mail packet smaller...
Please correct me if I am reading this wrong!
Danny
-----Original Message-----
From: Steve Leach [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 26, 2004 4:38 PM
To: [EMAIL PROTECTED]
Subject: Re: [gb-users] Something very fishy here!
Cox, Danny H. wrote:
Is anyone else seeing the same type of traffic listed below?
All the traffic implies one of the following:
1. Trojan/virus/worm
2. Hacked access using an internal system as waypoint
3. Internal hacker (employee or guest)
4. Portal vulnerability - netmeeting, IM...
If I did not know better, I would say this was Nimda traffic.
Strangely enough, the traffic has not returned. I have personally scanned all systems, verified every system is current and checked the logs - NOTHING.
I am fairly tightly locked down and have a three-tiered AV solution - scans come up 100% clean; neither real-time, manual nor online scans show any infection(s) that would explain this. My anti-spyware software finds nothing either.
With all internal systems checked and rechecked, the only other possibility would be vulnerability at the firewall.
I had some RDP tunnels open, but have since closed them (no change).
Is anyone aware of ANY means of producing this traffic that I may have overlooked?
Thanks,
Danny
ALARM NO: 2
DATE: Thu 2004-01-22 18:55:22 GMT
INTERFACE: Protected (xl0)
INTERFACE TYPE: Protected
ALARM TYPE: Possible spoof
IP PACKET: TCP [101.138.48.144/1707]-->[64.35.110.11/80] l=0 f=0x2
[101.138.48.144/1707]-->[64.35.110.11/http]
DETAILED DESCRIPTION:
Return interface for IP packet is different than arrival.
-----------------------------------------------------------------------------
ALARM NO: 3
DATE: Thu 2004-01-22 18:55:22 GMT
INTERFACE: Protected (xl0)
INTERFACE TYPE: Protected
ALARM TYPE: Possible spoof
IP PACKET: TCP [1.210.252.124/1295]-->[62.140.213.144/80] l=0 f=0x2
[1.210.252.124/1295]-->[web2.vnunet.com/http]
DETAILED DESCRIPTION:
Return interface for IP packet is different than arrival.
------------------------------------------------------ To unsubscribe: [EMAIL PROTECTED] For additional commands: [EMAIL PROTECTED] Archive: http://archives.gnatbox.com/gb-users/
Nothing seen here - a few hundred scans per day at the normal perimeter (external) but no activity that looks like external traffic on the internal network. Your 'mobile' users all check out, I take it? No one allowed any salesmen to plug anything into the network that was not 100% validated? No WiFi stuff installed anywhere?
Other than that, the premise looks as you stated - have to say the Gnatboxes have proven very solid up to now - hope there is no flaw in them.
Anyway - not seen anything as such...
--
Best Regards,
Steve Leach
Network Manager
MI International Ltd
Tel: +44 (0)1642 356 205
Fax: +44 (0)1642 356 229
[EMAIL PROTECTED]
www.mi-int.com
www.askalix.com
DISCLAIMER Any opinions expressed in this e-mail are those of the individual and not necessarily of MI International Ltd.
This e-mail and any information or files transmitted with it, including replies and forwarded copies, are confidential and intended solely for the use of the intended individual or entity. If you are not the intended recipient, please e-mail [EMAIL PROTECTED], along with a copy of the e-mail.
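The "Return interface for IP packet is different than arrival" description in the alarms above is a reverse-path check: the firewall looks up the route back to the packet's source and raises "Possible spoof" when that route leaves by a different interface than the one the packet came in on. As an added example (not code from the thread or from GnatBox), the Python below parses alarm entries of the form quoted and re-derives that verdict from a constructed interface/route table; the xl0 subnet and the external interface name xl1 are assumptions.

```python
import ipaddress
import re

# Constructed interface/route table. The thread names only the Protected interface
# xl0; its subnet and the external interface name (xl1) are assumptions.
ROUTES = {
    "xl0": [ipaddress.ip_network("192.168.1.0/24")],  # Protected (internal), assumed
    "xl1": [ipaddress.ip_network("0.0.0.0/0")],       # External default route, assumed
}
PACKET_RE = re.compile(r"IP PACKET: (\w+) \[([\d.]+)/(\d+)\]-->\[([\d.]+)/(\d+)\]")

def return_interface(src_ip, routes=ROUTES):
    # Longest-prefix lookup: the interface a reply to src_ip would be sent out of.
    addr, best = ipaddress.ip_address(src_ip), None
    for iface, nets in routes.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (iface, net.prefixlen)
    return best[0] if best else None

def parse_alarms(text):
    # Split alarm text into dicts: alarm number, arrival interface, protocol and addresses.
    alarms, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("ALARM NO:"):
            cur = {"no": int(line.split(":", 1)[1])}
            alarms.append(cur)
        elif line.startswith("INTERFACE:") and cur is not None:
            cur["iface"] = line[line.index("(") + 1:line.index(")")]  # e.g. "xl0"
        elif line.startswith("IP PACKET:") and cur is not None:
            cur["proto"], cur["src"], cur["sport"], cur["dst"], cur["dport"] = PACKET_RE.match(line).groups()
    return alarms

def classify(alarm, routes=ROUTES):
    # Reverse-path check: "Possible spoof" when the route back to the source
    # leaves by a different interface than the packet arrived on.
    ret = return_interface(alarm["src"], routes)
    return {"no": alarm["no"], "arrival": alarm["iface"], "return": ret, "spoof": ret != alarm["iface"]}

# Constructed sample: alarms 2 and 3 from the thread plus one legitimate internal flow.
SAMPLE = """\
ALARM NO: 2
INTERFACE: Protected (xl0)
IP PACKET: TCP [101.138.48.144/1707]-->[64.35.110.11/80] l=0 f=0x2
ALARM NO: 3
INTERFACE: Protected (xl0)
IP PACKET: TCP [1.210.252.124/1295]-->[62.140.213.144/80] l=0 f=0x2
ALARM NO: 4
INTERFACE: Protected (xl0)
IP PACKET: TCP [192.168.1.23/1400]-->[62.140.213.144/80] l=0 f=0x2
"""
def check_all(text=SAMPLE, routes=ROUTES):
    return [classify(a, routes) for a in parse_alarms(text)]
```

Both quoted alarms come back as spoofs because their public source addresses route out the external interface, while the constructed 192.168.1.23 flow passes; on a real network the route table would also need any VPN or second internal subnet, or legitimate hosts would be flagged the same way.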
