very strange network/firewall activity - thoughts?
In my current network I have a pretty good "layered defense". I have a cable modem which runs into a true firewall (called firewall1) on the WAN port. The firewall1 LAN port runs to the WAN port of a Linksys firewall/router (firewall2). The DMZ port on firewall1 is as yet unused.
Ok, I am seeing bizarre traffic coming from my WAN interface IP (192.168.1.2) trying to go to 192.168.X.X addresses that I do not use. Here is a log snippet:
Code:
21:32:54.043272 LAN 192.168.1.2, port 139 192.168.221.1, port 4414 TCP
21:32:54.041741 LAN 192.168.1.2, port 139 192.168.119.1, port 4413 TCP
21:32:42.042040 LAN 192.168.1.2, port 139 192.168.221.1, port 4414 TCP
21:32:42.040943 LAN 192.168.1.2, port 139 192.168.119.1, port 4413 TCP
21:32:36.045239 LAN 192.168.1.2, port 139 192.168.221.1, port 4414 TCP
21:32:36.040419 LAN 192.168.1.2, port 139 192.168.119.1, port 4413 TCP
21:32:33.051771 LAN 192.168.1.2, port 139 192.168.221.1, port 4414 TCP
I have run AV (Symantec corp ed) on all internal LAN systems. My next option is a sniffer.
I was wondering if anyone has seen this before, as the "LAN" (really WAN) IP of firewall2 seems to be the culprit trying to go out to these addresses...
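As an added example (not from the thread), here is one way to sift a batch of firewall log lines in the format shown above and list the flows whose destination falls outside the address ranges actually in use. The known ranges are an assumption taken from the later posts (192.168.1.0/24 between the firewalls, 192.168.10.0/24 internal LAN, 10.0.0.0/8 DMZ), and the sample lines are a constructed copy of the snippet plus one legitimate line.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: four lines copied from the snippet above plus one
# legitimate flow to the internal LAN, so the filter has something to ignore.
SAMPLE_LOG = """\
21:32:54.043272 LAN 192.168.1.2, port 139 192.168.221.1, port 4414 TCP
21:32:54.041741 LAN 192.168.1.2, port 139 192.168.119.1, port 4413 TCP
21:32:42.042040 LAN 192.168.1.2, port 139 192.168.221.1, port 4414 TCP
21:32:42.040943 LAN 192.168.1.2, port 139 192.168.119.1, port 4413 TCP
21:32:36.045239 LAN 192.168.1.2, port 139 192.168.10.5, port 4414 TCP
"""

# One log line: timestamp, interface, "src, port N", "dst, port M", protocol.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<iface>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+), port (?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+), port (?P<dport>\d+) (?P<proto>\S+)$"
)

# Assumption: the address space in use, as described later in the thread.
KNOWN_NETS = [ipaddress.ip_network(n)
              for n in ("192.168.1.0/24", "192.168.10.0/24", "10.0.0.0/8")]


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_unknown_destinations(log_text, known_nets=KNOWN_NETS):
    """Count flows whose destination is in none of the known networks.

    Returns {(src, sport, dst, dport, proto): count}. Traffic to private
    ranges that nothing on the network uses is exactly the anomaly being
    chased in this thread, so those flows are what gets reported.
    """
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        dst = ipaddress.ip_address(rec["dst"])
        if any(dst in net for net in known_nets):
            continue
        hits[(rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"])] += 1
    return dict(hits)
```

Feeding the firewall's full log instead of SAMPLE_LOG gives a per-flow tally of which internal host is talking to address space you never allocated, which narrows down what to put the sniffer on.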
Original Poster
OK, I have an update. I have at least narrowed it down to A box.
I am chronicling this for others to maybe learn how to track this stuff down.
So, I cranked up logging on both firewalls. Both point to a central logging server. I also thoroughly ran spyware utils and A/V on my Windows boxes. The kids' PC had a harmless piece of spyware, so I removed it.
Ran chkrootkit on my 3 FreeBSD boxes... all clean. Dropped a bridged FreeBSD box in the link between the two firewalls in promiscuous mode. A simple tcpdump port 139 turned up the following:
OK, so now I know who is doing this. This box is what used to be a DMZ'ed web server. Now it is used just for testing since it is pretty weak in power and resources. Re-ran chkrootkit... nothing.
The only thing I would do differently if I were you is use two different ranges. Like, you keep the 192.168.1.1 address for firewall1 and have firewall2 on 10.0.0 or something. That's the only thing that I would do.
The reason behind this is that if someone was to get inside your first LAN, then they wouldn't know that you have a subnet unless they hacked the firewall itself to get the routes from it. On the first LAN I would put a small-MHz box with Knoppix and have this server as sort of a honeypot.
Original Poster
I didn't clarify that the DMZ is actually a completely separate NIC on firewall1, not sharing the address space between FW1 and FW2.
I kept the 192.168.1.x address space just for the communications between firewall1 and firewall2. The DMZ is addressed in the 10.x.x.x space. I wanted complete separation of the LAN and DMZ space. The internal LAN is 192.168.10.x. There won't be a honeypot, but there will be a NIDS/IPS in bridged mode between the DMZ port on firewall1 and the switch that the DMZ servers will be plugged into. That system will be FreeBSD with Bro IDS and the Snort signatures added.
Original Poster
Final update... it was a false alarm. It seems at some point in my "playing around" on that box I had installed and configured Samba. Looks like Samba had a bad broadcast route and was screaming over 139 to subnets that didn't exist anymore.
Welp, at least people who aren't familiar with these situations may hopefully learn a little about tracking down offending or compromised systems.
Upside - My firewalls and logging are doing their job.