Determining where inbound connections are coming from?


kipper1

Hello,

I am looking for advice on how to determine where some potentially malicious network traffic is originating from.

The situation is that the F-Secure firewall on a number of client machines on our network has blocked traffic reported as the following:

Inbound TCP
Malware - Bagle.Y in
Remote port 9500
Remote address 192.0.2.42
Local Port 2535
Local address 192.168.16.24

All reports have identified the same remote IP address.

On Monday morning I configured another Linux-based firewall (in addition to our security device firewall) that acts as a transparent bridge. This only allows ports 80, 25, 1723 and 53. Since configuring this firewall on Monday, F-Secure has continued blocking the threat on port 9500. Therefore I believe the traffic is internal and the IP of the threat is spoofed.

We also have a wireless access point which I turned off last night.

I am concerned a computer on our network is infected with the worm. Is there a way I can sniff for traffic originating from port 9500 on our network to determine the IP address it's originating from?

We have 3 fairly modern switches; if I were to use a packet sniffer, would I need to run a sniffer on each switch?

Thanks,

Kip.


You can download a free utility called Sam Spade that will give you a lot of information about a domain or IP address.

You can download it here:

http://www.majorgeeks.com/Sam_Spade_d594.html

Here's what Sam Spade had to say about the IP you posted:

08/14/08 10:28:42 IP block 192.0.2.42
Trying 192.0.2.42 at ARIN
Trying 192.0.2 at ARIN
Internet Assigned Numbers Authority RESERVED-192 (NET-192-0-0-0-1)
192.0.0.0 - 192.0.127.255
Internet Assigned Numbers Authority IANA (NET-192-0-2-0-1)
192.0.2.0 - 192.0.2.255

# ARIN WHOIS database, last updated 2008-08-13 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

It's in a reserved block and should not be used on the Internet.


We have had another occurrence; this time F-Secure reported Bagle.c from the same IP as last time, although the local port was 2745!

Interesting that Sam Spade gave results, as a number of online tools gave none. I will use this in the future.

Thanks,

Chris.


192.168.0.0 through 192.168.255.255 with a 255.255.0.0 mask is one of the address spaces reserved for private use.

See RFC 1918 for more info:

http://www.faqs.org/rfcs/rfc1918.html

So the whole 192.*.*.* netblock should not show up as belonging to Lahore, Pakistan. Something must not be working with Geobytes' Address Locator.
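The triage the replies above describe, as an added Python example that is not part of this thread: it parses an F-Secure alert block, checks whether the reported remote address sits in a block that can never legitimately arrive from the Internet (RFC 1918 private space or the 192.0.2.0/24 TEST-NET block the whois lookup returned), and checks whether either TCP port of the flow is on the transparent bridge's allow list. The alert text and allow list are constructed from the values posted above; the assumption that the bridge matches its allow list against either port of the flow is labelled in the code.

```python
import ipaddress
import re
# Alert text constructed from the values posted in the thread above.
SAMPLE_ALERT = """\
Inbound TCP
Malware - Bagle.Y in
Remote port 9500
Remote address 192.0.2.42
Local Port 2535
Local address 192.168.16.24
"""
# Ports the transparent-bridge firewall in the thread lets through.
BRIDGE_ALLOWED_PORTS = {80, 25, 1723, 53}
# Address blocks that can never legitimately arrive from the Internet.
NON_ROUTABLE = [
    (ipaddress.ip_network("10.0.0.0/8"), "RFC 1918 private"),
    (ipaddress.ip_network("172.16.0.0/12"), "RFC 1918 private"),
    (ipaddress.ip_network("192.168.0.0/16"), "RFC 1918 private"),
    (ipaddress.ip_network("192.0.2.0/24"), "TEST-NET-1, RFC 5737 (documentation only)"),
]

def parse_alert(text):
    """Pull the port, address and signature fields out of one alert block."""
    fields = {}
    for label, key in (("Remote port", "remote_port"), ("Local Port", "local_port")):
        m = re.search(label + r"\s+(\d+)", text, re.IGNORECASE)
        fields[key] = int(m.group(1)) if m else None
    for label, key in (("Remote address", "remote_addr"), ("Local address", "local_addr")):
        m = re.search(label + r"\s+(\S+)", text, re.IGNORECASE)
        fields[key] = m.group(1) if m else None
    m = re.search(r"Malware - (.+?) in", text)
    fields["signature"] = m.group(1) if m else None
    return fields

def classify_address(addr):
    """Return why an address cannot have come from the Internet, or None if it could."""
    ip = ipaddress.ip_address(addr)
    for net, reason in NON_ROUTABLE:
        if ip in net:
            return reason
    return None

def triage(text):
    """Decide whether an alert can plausibly have crossed the bridge firewall."""
    a = parse_alert(text)
    reason = classify_address(a["remote_addr"])
    # Assumption: the bridge matches its allow list against either TCP port of the flow.
    crosses = bool({a["remote_port"], a["local_port"]} & BRIDGE_ALLOWED_PORTS)
    return dict(a, non_routable_reason=reason, could_cross_bridge=crosses,
                likely_internal_source=reason is not None or not crosses)
```

Run `triage(SAMPLE_ALERT)` on the posted alert and both checks point the same way: the source address is non-routable and neither port is on the allow list, so the sender is on the inside of the bridge, which is what the sniffing on the internal switches is meant to pin down.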
