kipper1 Posted August 14, 2008

Hello, I am looking for advice on how to determine where some potentially malicious network traffic is originating from. The situation is that the Fsecure Firewall on a number of client machines on our network has blocked traffic reported as the following:

Inbound TCP Malware - Bagle.Y in
Remote port 9500
Remote address 192.0.2.42
Local Port 2535
Local address 192.168.16.24

All reports have identified the same remote IP address. On Monday morning I configured another Linux-based firewall (in addition to our security device firewall) that acts as a transparent bridge. This only allows ports 80, 25, 1723 and 53. Since configuring this firewall on Monday, Fsecure has continued blocking the threat on port 9500. Therefore I believe the traffic is internal and the IP of the threat is spoofed. We also have a wireless access point, which I turned off last night. I am concerned a computer on our network is infected with the worm.

Is there a way I can sniff for traffic originating from port 9500 on our network to determine the IP address it's originating from? We have 3 fairly modern switches; if I were to use a packet sniffer, would I need to run a sniffer on each switch?

Thanks,
Kip.
homecomputeraid Posted August 14, 2008

You can download a free utility called Sam Spade that will give you a lot of information about a domain or IP address. You can download it here: http://www.majorgeeks.com/Sam_Spade_d594.html

Here's what Sam Spade had to say about the IP you posted:

08/14/08 10:28:42 IP block 192.0.2.42
Trying 192.0.2.42 at ARIN
Trying 192.0.2 at ARIN
Internet Assigned Numbers Authority RESERVED-192 (NET-192-0-0-0-1) 192.0.0.0 - 192.0.127.255
Internet Assigned Numbers Authority IANA (NET-192-0-2-0-1) 192.0.2.0 - 192.0.2.255
# ARIN WHOIS database, last updated 2008-08-13 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

It's in a reserved block and should not be used on the Internet.
kipper1 (Author) Posted August 14, 2008

> You can download a free utility called Sam Spade that will give you a lot of information about a domain or IP address. You can download it here: http://www.majorgeeks.com/Sam_Spade_d594.html
>
> Here's what Sam Spade had to say about the IP you posted:
>
> 08/14/08 10:28:42 IP block 192.0.2.42
> Trying 192.0.2.42 at ARIN
> Trying 192.0.2 at ARIN
> Internet Assigned Numbers Authority RESERVED-192 (NET-192-0-0-0-1) 192.0.0.0 - 192.0.127.255
> Internet Assigned Numbers Authority IANA (NET-192-0-2-0-1) 192.0.2.0 - 192.0.2.255
> # ARIN WHOIS database, last updated 2008-08-13 19:10
> # Enter ? for additional hints on searching ARIN's WHOIS database.
>
> It's in a reserved block and should not be used on the Internet.

We have had another occurrence; this time Fsecure reported Bagle.c from the same IP as last time, although the local port was 2745!

Interesting that Sam Spade gave results, as a number of online tools gave no results. I will use this in the future.

Thanks,
Chris.
homecomputeraid Posted August 14, 2008

Are you running up-to-date antivirus and antispyware on all the machines?
ɹəuəllıʍ ʇɐb Posted August 15, 2008

Interesting, about the 192.*.*.* net block. When I check that address with an IP address locator, it tells me that the address is in Lahore, Pakistan.
homecomputeraid Posted August 15, 2008

192.168.0.0 through 192.168.255.255 with a 255.255.0.0 mask is one of the address spaces reserved for private use. See RFC1918 for more info: http://www.faqs.org/rfcs/rfc1918.html

So the whole 192.*.*.* netblock should not show up as belonging to Lahore, Pakistan. Something must not be working with Geobytes' Address Locator.
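The reasoning in this thread (a remote address in reserved or RFC 1918 space cannot have come through the edge firewall, so the sender must be on the LAN) can be applied to the firewall alerts automatically. The script below is an added example, not code from the thread or from F-Secure: it parses alert lines in the wording kipper1 quoted, checks the remote address against RFC 1918 and the IANA-reserved 192.0.2.0/24 block, and labels each hit. The alert line format, the range table and the sample alerts are assumptions constructed for the example.

```python
import ipaddress
import re

# Ranges that cannot be the real source of traffic arriving from the Internet:
# RFC 1918 private space, and 192.0.2.0/24, which IANA reserves (TEST-NET-1,
# RFC 5737) and which the thread's ARIN lookup reported as IANA-reserved.
NON_ROUTABLE = {
    "RFC1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "IANA reserved (TEST-NET-1)": ["192.0.2.0/24"],
}
NON_ROUTABLE = {k: [ipaddress.ip_network(n) for n in v] for k, v in NON_ROUTABLE.items()}

# Matches the F-Secure alert wording quoted in the thread (assumption: one alert per line).
ALERT_RE = re.compile(
    r"Inbound (?P<proto>\w+) Malware - (?P<name>\S+) in Remote port (?P<rport>\d+) "
    r"Remote address (?P<raddr>[\d.]+) Local Port (?P<lport>\d+) Local address (?P<laddr>[\d.]+)"
)


def classify(addr):
    """Name the non-routable range an address falls in, or 'not listed'."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_ROUTABLE.items():
        if any(ip in net for net in nets):
            return label
    return "not listed"


def triage(lines):
    """Parse alert lines and judge whether each remote address could have crossed the edge firewall."""
    hits = []
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue
        rng = classify(m["raddr"])
        # A packet with a non-routable source cannot have arrived from outside, so the
        # sender is on the LAN (spoofed address or a local host) and is traced via switch
        # MAC/port tables or a sniffer on a mirror port, not via WHOIS or geolocation.
        verdict = "check WHOIS" if rng == "not listed" else "spoofed or internal sender"
        hits.append({"name": m["name"], "remote": m["raddr"], "rport": int(m["rport"]),
                     "local": m["laddr"], "lport": int(m["lport"]), "range": rng, "verdict": verdict})
    return hits


# Constructed sample alerts: the two reports from the thread, plus a documentation
# address (203.0.113.9) standing in for a genuine public source, for contrast.
SAMPLE = [
    "Inbound TCP Malware - Bagle.Y in Remote port 9500 Remote address 192.0.2.42 Local Port 2535 Local address 192.168.16.24",
    "Inbound TCP Malware - Bagle.c in Remote port 9500 Remote address 192.0.2.42 Local Port 2745 Local address 192.168.16.24",
    "Inbound TCP Malware - Bagle.Y in Remote port 9500 Remote address 203.0.113.9 Local Port 2535 Local address 192.168.16.31",
]
```

Because a switch only forwards unicast frames to the port that owns the destination MAC, a sniffer on an ordinary port will not see the flagged flows; it needs a mirror (SPAN) port, or the switch's own MAC address table can be consulted to find the port behind the sending host.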