LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-17-2004, 10:12 PM   #1
cyph3r7
Member
 
Registered: Apr 2003
Location: Silicon Valley East, Northern Virginia
Distribution: FreeBSD,Debian, RH, ok well most of em...
Posts: 238

Rep: Reputation: 30
very strange network/firewall activity - thoughts?


In my current network I have pretty good "layered defense". I have a cable modem which runs into a true firewall (called firewall1) on the WAN port. The firewall1 LAN port runs to the WAN port of a Linksys firewall/router (firewall2). The DMZ port on firewall1 is as yet unused.

No ports are currently open to the outside world.

It looks like this:

Cable modem
|
|
|
Firewall 1 (Lan port 192.168.1.1)
| |
| |
| DMZ (eventually)
|
|
Firewall 2 (WAN port 192.168.1.2)
|
|
|
Internal users


OK, I am seeing bizarre traffic coming from my WAN interface IP (192.168.1.2) trying to go to 192.168.X.X addresses that I do not use. Here is a log snippet:

Code:
  21:32:54.043272 LAN 192.168.1.2, port 139 192.168.221.1, port 4414 TCP 
  21:32:54.041741 LAN 192.168.1.2, port 139 192.168.119.1, port 4413 TCP 
  21:32:42.042040 LAN 192.168.1.2, port 139 192.168.221.1, port 4414 TCP 
  21:32:42.040943 LAN 192.168.1.2, port 139 192.168.119.1, port 4413 TCP 
  21:32:36.045239 LAN 192.168.1.2, port 139 192.168.221.1, port 4414 TCP 
  21:32:36.040419 LAN 192.168.1.2, port 139 192.168.119.1, port 4413 TCP 
  21:32:33.051771 LAN 192.168.1.2, port 139 192.168.221.1, port 4414 TCP
I have run AV (Symantec Corporate Edition) on all internal LAN systems. My next option is a sniffer.

I was wondering if anyone has seen this before, as the "LAN" (really WAN) IP of firewall2 seems to be the culprit trying to get out to these addresses.....

Thoughts???
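A first triage pass over the firewall log, as an added example that is not part of the original post: it parses lines in the format shown above and flags any flow that touches an RFC 1918 address outside the subnets this network actually allocates, then counts hits per (known host, unallocated target, service port) so the noisiest pair surfaces. The log text is constructed to match the post's format, and the allocated-subnet list is an assumption taken from the addressing the thread mentions (192.168.1.0/24 link, 192.168.10.0/24 LAN, 10.x DMZ). One caveat the parser is built around: the log's column order does not reveal direction (port 139 is printed against 192.168.1.2 here, while the later capture shows the inside host using ephemeral source ports toward 139), so both endpoints are examined and the lower port is taken as the service port.

```python
"""Triage firewall log lines: flag TCP flows that involve a private
(RFC 1918) address which is not in any subnet we actually allocated.
Added example; the log lines are constructed in the format seen in the
post, and ALLOCATED is an assumption about this network's addressing."""
import ipaddress
import re
from collections import Counter

# Assumed allocation: the firewall1<->firewall2 link, the internal LAN and
# a 10.x DMZ. Any other RFC 1918 address is "unused" for this network.
ALLOCATED = [ipaddress.ip_network(n) for n in
             ("192.168.1.0/24", "192.168.10.0/24", "10.0.0.0/8")]

# "<time> <iface> <addr>, port <p> <addr>, port <p> <proto>" as in the post
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+),\s*port\s+(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+),\s*port\s+(?P<dport>\d+)\s+(?P<proto>\S+)\s*$")

# Constructed sample: four lines from the post plus one benign LAN flow.
SAMPLE_LOG = """\
21:32:54.043272 LAN 192.168.1.2, port 139 192.168.221.1, port 4414 TCP
21:32:54.041741 LAN 192.168.1.2, port 139 192.168.119.1, port 4413 TCP
21:32:42.042040 LAN 192.168.1.2, port 139 192.168.221.1, port 4414 TCP
21:32:36.045239 LAN 192.168.1.2, port 139 192.168.119.1, port 4413 TCP
21:31:10.000000 LAN 192.168.1.2, port 443 192.168.10.20, port 3301 TCP
"""


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_unallocated_private(addr):
    """True for an RFC 1918 address that falls in none of ALLOCATED."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private and not any(ip in net for net in ALLOCATED)


def triage(log_text):
    """One record per line that involves an unallocated private address.

    Direction is not assumed: both endpoints are checked, and the lower of
    the two ports is reported as the service port (139 here)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ends = [(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])]
        for (addr, port), (peer, peer_port) in (ends, ends[::-1]):
            if is_unallocated_private(addr):
                hits.append({"time": rec["time"], "peer": peer,
                             "unallocated": addr,
                             "service_port": min(port, peer_port)})
                break
    return hits


def summarize(log_text):
    """Count hits per (known peer, unallocated address, service port)."""
    counts = Counter()
    for h in triage(log_text):
        counts[(h["peer"], h["unallocated"], h["service_port"])] += 1
    return counts


if __name__ == "__main__":
    for (peer, target, port), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}x  {peer} <-> {target}  (service port {port})")
```

On the sample this reports 192.168.1.2 paired with 192.168.221.1 and 192.168.119.1 on port 139, twice each, and ignores the 443 flow between two allocated addresses. Since 192.168.1.2 is firewall2's NAT address, the next step is exactly what the thread does next: look behind that NAT.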
 
Old 10-19-2004, 12:25 AM   #2
cyph3r7
Original Poster
OK, I have an update; I have at least narrowed it down to a box.

I am chronicling this so others can maybe learn how to track this stuff down.

So, I cranked up logging on both firewalls. Both point to a central logging server. I also thoroughly ran spyware utilities and A/V on my Windows boxes. The kids' PC had some harmless spyware, so I removed it.

Ran chkrootkit on my 3 FreeBSD boxes....all clean. Dropped a bridged FreeBSD box into the link between the two firewalls in promiscuous mode. A simple tcpdump port 139 turned up the following:

Code:
192.168.10.10 192.168.119.1 3087 
192.168.10.10 192.168.221.1 3088 
192.168.10.10 192.168.119.1 3087 
192.168.10.10 192.168.221.1 3088 
192.168.10.10 192.168.119.1 3087 
192.168.10.10 192.168.221.1 3088 
192.168.10.10 192.168.119.1 3087 
192.168.10.10 192.168.221.1 3088
OK, so now I know who is doing this. This box is what used to be a DMZ'ed web server. Now it is used just for testing, since it is pretty weak in power and resources. Re-ran chkrootkit....nothing.

The search will continue tomorrow.......
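One thing worth extracting from a capture like the one above before deciding whether a box is compromised is the timing of the attempts. In the firewall log from the first post the hits to 192.168.221.1 land at :33, :36, :42 and :54, that is 3 s, 6 s and 12 s apart, which is the exponential SYN retransmission backoff of a TCP stack whose connect() is never answered. A single unanswered connect that retries on the kernel's schedule looks different from a process that keeps reconnecting on its own timer, and a bridged sniffer sees both the SYNs and the (absent) replies. The script below is an added example, not the poster's tcpdump output or code: it parses tcpdump -n lines in both the classic and the newer "Flags [...]" format, groups SYNs per 4-tuple, drops any flow that received a packet back, and reports the retry intervals of the rest. The capture text is constructed from the thread's addresses and timestamps; the sequence numbers, window sizes and the benign 192.168.10.20 flow are invented for illustration.

```python
"""Pull unanswered, retransmitting TCP connection attempts out of a
tcpdump -n capture. Added example for the bridged-sniffer step; the
capture text is constructed (not the poster's) from the addresses and
timestamps in the thread, in tcpdump's classic and newer line formats."""
import re
from collections import defaultdict

# "<ts> IP <src>.<sport> > <dst>.<dport>: S ..." (classic) or
# "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [S], ..." (newer)
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+IP\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?:Flags\s+\[(?P<flags>[^\]]*)\]|(?P<oldflags>[SFRPU.]+)\s)")

# Constructed capture: four SYN retries to a non-existent host (timestamps
# from the firewall log in the first post) and one benign, answered
# connection to port 139 on the same server.
CAPTURE = """\
21:32:33.051771 IP 192.168.10.10.3088 > 192.168.221.1.139: S 1745321:1745321(0) win 65535 <mss 1460>
21:32:36.045239 IP 192.168.10.10.3088 > 192.168.221.1.139: S 1745321:1745321(0) win 65535 <mss 1460>
21:32:42.042040 IP 192.168.10.10.3088 > 192.168.221.1.139: S 1745321:1745321(0) win 65535 <mss 1460>
21:32:54.043272 IP 192.168.10.10.3088 > 192.168.221.1.139: S 1745321:1745321(0) win 65535 <mss 1460>
21:32:40.000000 IP 192.168.10.20.4000 > 192.168.10.10.139: Flags [S], seq 99, win 64240
21:32:40.000500 IP 192.168.10.10.139 > 192.168.10.20.4000: Flags [S.], seq 7, ack 100, win 65535
21:32:40.001000 IP 192.168.10.20.4000 > 192.168.10.10.139: Flags [.], ack 8, win 64240
"""


def _seconds(ts):
    """HH:MM:SS.ffffff -> seconds since midnight (same-day captures)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_packet(line):
    """Return the 4-tuple, timestamp and a pure-SYN flag, or None."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    flags = m.group("flags")
    if flags is None:
        flags = m.group("oldflags")
    # Pure SYN: S set, no ACK. Newer format shows ACK as '.', the classic
    # format prints an explicit " ack N" after the sequence range.
    syn_only = "S" in flags and "." not in flags and " ack " not in line
    return {"t": _seconds(m.group("ts")),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "syn_only": syn_only}


def unanswered_attempts(capture_text, min_syns=2):
    """Map each unanswered client flow that retransmitted its SYN at
    least min_syns times to the list of gaps (seconds) between SYNs."""
    syns = defaultdict(list)
    answered = set()
    for line in capture_text.splitlines():
        p = parse_packet(line)
        if p is None:
            continue
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["syn_only"]:
            syns[flow].append(p["t"])
        else:
            # Any non-SYN packet marks the reverse direction as answered.
            answered.add((p["dst"], p["dport"], p["src"], p["sport"]))
    result = {}
    for flow, times in syns.items():
        if flow in answered or len(times) < min_syns:
            continue
        times.sort()
        result[flow] = [round(b - a, 1) for a, b in zip(times, times[1:])]
    return result


if __name__ == "__main__":
    for (src, sport, dst, dport), gaps in unanswered_attempts(CAPTURE).items():
        print(f"{src}:{sport} -> {dst}:{dport}  unanswered, SYN gaps {gaps}s")
```

Run against a real capture with something like tcpdump -ni <bridge-if> 'tcp port 139' on the sniffer and paste or pipe the output in; a flow listed with 3.0/6.0/12.0 s gaps is one connect() that nobody is answering, which is what you would expect when the destination subnet no longer exists.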
 
Old 10-19-2004, 08:35 AM   #3
phatboyz
Member
 
Registered: Feb 2004
Location: Mooresville NC
Distribution: CentOS 4,Free BSD,
Posts: 358

Rep: Reputation: 30
The only thing I would do differently if I were you is use two different ranges. Like, you keep the 192.168.1.1 address for firewall1 and have firewall2 on 10.0.0.x or something. That's the only thing that I would do.

The reason behind this is that if someone were to get inside your first LAN, they wouldn't know that you have a subnet unless they hacked the firewall itself to get the routes from it. On the first LAN I would put a small low-MHz box with Knoppix and have this server as sort of a honeypot.
 
Old 10-19-2004, 11:12 AM   #4
cyph3r7
Original Poster
I didn't clarify that the DMZ is actually a completely separate NIC on firewall1, not sharing the address space between FW1 and FW2.

I kept the 192.168.1.x address space just for the communications between firewall1 and firewall2. The DMZ is addressed in the 10.x.x.x space. I wanted complete separation of the LAN and DMZ space. The internal LAN is 192.168.10.x. There won't be a honeypot, but there will be a NIDS/IPS in bridged mode between the DMZ port on firewall1 and the switch that the DMZ servers will be plugged into. That system will be FreeBSD with Bro IDS and the Snort signatures added.

Last edited by cyph3r7; 10-19-2004 at 11:18 AM.
 
Old 10-19-2004, 11:16 AM   #5
cyph3r7
Original Poster
Final update...it was a false alarm. It seems at some point in my "playing around" on that box I had installed and configured Samba. Looks like Samba had a bad broadcast route and was screaming over 139 to subnets that didn't exist anymore.

Welp, at least people who aren't familiar with these situations may hopefully learn a little about tracking down offending or compromised systems.

Upside - My firewalls and logging are doing their job.
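With Samba confirmed as the source, the settings to review are the ones that make a Samba host talk to interfaces, subnets or hosts other than its own. The fragment below is an added example of a restricted smb.conf [global] section, not the poster's configuration, and the thread does not say which parameter was actually at fault: the interface address is an assumption based on the thread's 192.168.10.x LAN, and the commented-out lines show the parameters in which a stale entry pointing at a retired subnet would typically live.

```ini
[global]
   ; Added example, not the poster's smb.conf. 192.168.10.10/24 is assumed.
   ; Bind only to the interface Samba is meant to serve; without these two
   ; lines smbd/nmbd listen and announce on every interface they can see.
   interfaces = 192.168.10.10/24
   bind interfaces only = yes

   ; Parameters that send browsing/name traffic to other subnets. Leave them
   ; unset unless a remote subnet really exists; a leftover entry keeps nmbd
   ; talking to networks that are gone.
   ; remote announce = 192.168.119.255 192.168.221.255
   ; remote browse sync = 192.168.119.1 192.168.221.1
   ; wins server = 192.168.119.1

   ; With security = domain or security = server, smbd itself opens TCP 139
   ; to this host to verify logins; a dead address here means repeated
   ; unanswered connection attempts.
   ; security = domain
   ; password server = 192.168.221.1
```

Before editing, run testparm -s to see the effective, non-default values Samba is actually using, and on FreeBSD sockstat -4 will show which process owns the port-139 sockets, so you can confirm it is smbd or nmbd rather than something else before you change the configuration.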
 