LinuxQuestions.org - Linux - Security
very strange network/firewall activity - thoughts? (http://www.linuxquestions.org/questions/linux-security-4/very-strange-network-firewall-activity-thoughts-243997/)

cyph3r7 10-17-2004 10:12 PM

very strange network/firewall activity - thoughts?
 
In my current network I have pretty good "layered defense". I have a cable modem which runs into a true firewall (called firewall1) on the WAN port. The firewall1 LAN port runs to the WAN port of a Linksys firewall/router (firewall2). The DMZ port on firewall1 is as yet unused.

No ports are currently open to the outside world.

looks like this:

Cable modem
|
|
|
Firewall 1 (Lan port 192.168.1.1)
| |
| |
| DMZ (eventually)
|
|
Firewall 2 (WAN port 192.168.1.2)
|
|
|
Internal users


Ok, I am seeing bizarre traffic coming from my WAN interface IP (192.168.1.2) trying to go to 192.168.X.X addresses that I do not use. Here is a log snippet:

Code:

  21:32:54.043272 LAN 192.168.1.2, port 139 192.168.221.1, port 4414 TCP
  21:32:54.041741 LAN 192.168.1.2, port 139 192.168.119.1, port 4413 TCP
  21:32:42.042040 LAN 192.168.1.2, port 139 192.168.221.1, port 4414 TCP
  21:32:42.040943 LAN 192.168.1.2, port 139 192.168.119.1, port 4413 TCP
  21:32:36.045239 LAN 192.168.1.2, port 139 192.168.221.1, port 4414 TCP
  21:32:36.040419 LAN 192.168.1.2, port 139 192.168.119.1, port 4413 TCP
  21:32:33.051771 LAN 192.168.1.2, port 139 192.168.221.1, port 4414 TCP

I have run AV (Symantec Corp Ed) on all internal LAN systems. My next option is a sniffer.

I was wondering if anyone has seen this before, as the "LAN" (really WAN) IP of firewall2 seems to be the culprit trying to go out to these addresses.....

Thoughts???

cyph3r7 10-19-2004 12:25 AM

Ok I have an update, I have at least narrowed it down to A box.

I am chronicling this for others to maybe learn how to track this stuff down.

So, I cranked up logging on both firewalls. Both point to a central logging server. I also thoroughly ran spyware utils and A/V on my Windows boxes. Kids' PC had a harmless spyware so I removed it.

Ran chkrootkit on my 3 FreeBSD boxes....all clean. Dropped a bridged FreeBSD box in the link between the two firewalls in promiscuous mode. A simple tcpdump port 139 turned up the following:

Code:

  192.168.10.10 192.168.119.1 3087
  192.168.10.10 192.168.221.1 3088
  192.168.10.10 192.168.119.1 3087
  192.168.10.10 192.168.221.1 3088
  192.168.10.10 192.168.119.1 3087
  192.168.10.10 192.168.221.1 3088
  192.168.10.10 192.168.119.1 3087
  192.168.10.10 192.168.221.1 3088

Ok so now I know who is doing this. This box is what used to be a DMZ'ed web server. Now used just for testing since it is pretty weak in power and resources. Re-ran chkrootkit....nothing.

The search will continue tomorrow.......
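An added example, not from the thread or its posters, of the triage step described in the two posts above: a small Python script that reads firewall log lines in the format quoted in the first post (and, as an assumption about field order, the trimmed "src dst port" lines from the second post), groups port-139 flows by source address, and reports which sources are talking to /24 networks that are not in the list of networks actually in use. The list of in-use networks (192.168.1.0/24 between the firewalls, 192.168.10.0/24 for the internal LAN) is taken from later posts in the thread; the sample log lines are constructed from the ones quoted here.

```python
"""Find which host is chattering at subnets that are not in use.

Added example (not from the thread). Parses firewall log lines like the ones
quoted in the first post, plus the reduced "src dst port" lines from the
second post, and reports per-source destination /24 networks on a given port,
flagging networks that are not on the known-in-use list.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Networks known to be in use (assumption drawn from the thread: 192.168.1.0/24
# between the two firewalls, 192.168.10.0/24 for the internal LAN).
KNOWN_NETS = [ipaddress.ip_network("192.168.1.0/24"),
              ipaddress.ip_network("192.168.10.0/24")]

# Firewall log line as quoted in the first post:
#   21:32:54.043272 LAN 192.168.1.2, port 139 192.168.221.1, port 4414 TCP
FW_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>\d+(?:\.\d+){3}), port (?P<sport>\d+)\s+"
    r"(?P<dst>\d+(?:\.\d+){3}), port (?P<dport>\d+)\s+(?P<proto>\S+)$")

# Reduced "src dst port" line as listed in the second post (tcpdump output
# trimmed by the poster; the field order src, dst, src-port is an assumption).
SHORT_LINE = re.compile(
    r"^(?P<src>\d+(?:\.\d+){3})\s+(?P<dst>\d+(?:\.\d+){3})\s+(?P<sport>\d+)$")


def parse_line(line):
    """Return (src, sport, dst, dport) for either format, else None.

    dport is None for short lines: they came out of 'tcpdump port 139', so
    the port filter has already been applied by the capture filter.
    """
    m = FW_LINE.match(line.strip())
    if m:
        return m["src"], int(m["sport"]), m["dst"], int(m["dport"])
    m = SHORT_LINE.match(line.strip())
    if m:
        return m["src"], int(m["sport"]), m["dst"], None
    return None


def summarize(lines, port=139):
    """Map each source address to a Counter of destination /24 networks it
    contacted with `port` on either side of the flow."""
    per_src = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # blank line, header, or a format we do not know
        src, sport, dst, dport = parsed
        if dport is not None and port not in (sport, dport):
            continue  # not the port we are hunting
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        per_src[src][str(net)] += 1
    return per_src


def unexpected(lines, known=KNOWN_NETS, port=139):
    """Restrict summarize() to destination networks that are not in use.

    A source with many hits here is the box to look at first; in the thread
    it turned out to be a stale Samba configuration, not a compromise.
    """
    out = {}
    for src, nets in summarize(lines, port).items():
        odd = {n: c for n, c in nets.items()
               if ipaddress.ip_network(n) not in known}
        if odd:
            out[src] = odd
    return out


# Constructed sample input: three lines taken from the first post, one flow to
# an in-use network, and one flow on a different port (both should be ignored).
SAMPLE_FIREWALL_LOG = """\
21:32:54.043272 LAN 192.168.1.2, port 139 192.168.221.1, port 4414 TCP
21:32:54.041741 LAN 192.168.1.2, port 139 192.168.119.1, port 4413 TCP
21:32:42.042040 LAN 192.168.1.2, port 139 192.168.221.1, port 4414 TCP
21:32:40.000000 LAN 192.168.1.2, port 139 192.168.1.1, port 4412 TCP
21:32:41.000000 LAN 192.168.1.2, port 51234 192.168.221.1, port 80 TCP
""".splitlines()

# Constructed sample in the reduced format from the second post.
SAMPLE_TCPDUMP_SHORT = """\
192.168.10.10 192.168.119.1 3087
192.168.10.10 192.168.221.1 3088
192.168.10.10 192.168.119.1 3087
""".splitlines()

if __name__ == "__main__":
    for src, nets in unexpected(SAMPLE_FIREWALL_LOG + SAMPLE_TCPDUMP_SHORT).items():
        print(src, nets)
```

Run against the firewall log it reports 192.168.1.2 (the NATed WAN address of firewall2, which is all the outer firewall can see); run against the capture taken between the firewalls it reports the real internal host, which is why the bridged sniffer was the step that actually identified the box.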

phatboyz 10-19-2004 08:35 AM

The only thing different I would do if I were you is use two different ranges. Like you keep the 192.168.1.1 address for firewall1 and have firewall2 on 10.0.0 or something. That's the only thing that I would do.

The reason behind this is if someone was to get inside your first LAN then they wouldn't know that you have a subnet unless they hacked the firewall itself to get the routes from it. On the first LAN I would put a small mhz with Knoppix and have this server as sort of a honeypot.

cyph3r7 10-19-2004 11:12 AM

I didn't clarify that the DMZ is actually a completely separate NIC on firewall1. Not sharing the address space between FW1 and FW2.

I kept the 192.168.1.x address space for just the communications between firewall1 and firewall2. The DMZ is addressed in the 10.x.x.x space. I wanted complete separation of the LAN and DMZ space. The internal LAN is 192.168.10.x. There won't be a honeypot but there will be a NIDS/IPS in bridged mode between the DMZ port on firewall1 and the switch that the DMZ servers will be plugged into. That system will be FreeBSD w/ Bro IDS and the Snort signatures added.

cyph3r7 10-19-2004 11:16 AM

Final update...it was a false alarm. It seems at some point in my "playing around" on that box I had installed and configured Samba. Looks like Samba had a bad broadcast route and was screaming over 139 to subnets that didn't exist anymore.

Welp, at least people who aren't familiar with these situations may hopefully learn a little about tracking down offending or compromised systems.

Upside - My firewalls and logging are doing their job.
