
cyph3r7 10-17-2004 11:12 PM

very strange network/firewall activity - thoughts?
In my current network I have a pretty good "layered defense". I have a cable modem which runs into a true firewall (called firewall1) on the WAN port. The firewall1 LAN port runs to the WAN port of a Linksys firewall/router (firewall2). The DMZ port on firewall1 is as yet unused.

No ports are currently open to the outside world.

It looks like this:

  Cable modem
       |
  Firewall 1 (LAN port)
       |        \
       |         DMZ (eventually)
       |
  Firewall 2 (WAN port)
       |
  Internal users

Ok, I am seeing bizarre traffic coming from my WAN interface IP ( trying to go to 192.168.X.X addresses that I do not use. Here is a log snippet:


  21:32:54.043272 LAN, port 139, port 4414 TCP
  21:32:54.041741 LAN, port 139, port 4413 TCP
  21:32:42.042040 LAN, port 139, port 4414 TCP
  21:32:42.040943 LAN, port 139, port 4413 TCP
  21:32:36.045239 LAN, port 139, port 4414 TCP
  21:32:36.040419 LAN, port 139, port 4413 TCP
  21:32:33.051771 LAN, port 139, port 4414 TCP

I have run AV (Symantec Corp. Ed.) on all internal LAN systems. My next option is a sniffer.

I was wondering if anyone has seen this before, as the "LAN" (really WAN) IP of firewall2 seems to be the culprit trying to get out to these addresses.....


cyph3r7 10-19-2004 01:25 AM

OK, I have an update: I have at least narrowed it down to a box.

I am chronicling this for others to maybe learn how to track this stuff down.

So, I cranked up logging on both firewalls. Both point to a central logging server. I also thoroughly ran spyware utils and A/V on my Windows boxes. The kids' PC had some harmless spyware, so I removed it.

Ran chkrootkit on my 3 FreeBSD boxes....all clean. Dropped a bridged FreeBSD box into the link between the two firewalls in promiscuous mode. A simple tcpdump port 139 turned up the following:

  3087 3088 3087 3088 3087 3088 3087 3088

OK, so now I know who is doing this. This box is what used to be a DMZ'ed web server. Now it is used just for testing, since it is pretty weak in power and resources. Re-ran chkrootkit....nothing.

The search will continue tomorrow.......
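As an added example (not code from the thread or from either poster), here is the triage step described above in runnable form: parse firewall log lines shaped like the ones posted, keep only the port 139 hits whose destination is an RFC 1918 subnet that does not exist on this network, group them by source host, and emit the tcpdump filter for the bridged sniffer step. The log line layout and every IP address in it are assumptions, because the posted log has its addresses stripped; the "known" subnets are the ones the thread names (192.168.1.x between the firewalls, 192.168.10.x internal, 10.x.x.x DMZ).

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Subnets the thread says are actually in use: the firewall1<->firewall2 link,
# the internal LAN and the (planned) DMZ.  Anything else in RFC 1918 space is
# a subnet that does not exist on this network.
KNOWN_SUBNETS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.10.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed log line layout (the post's log has its addresses stripped, so this
# field order is an assumption, not the real firewall's format):
#   <time> <iface>, <src>, port <sport>, <dst>, port <dport> <proto>
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\w+),\s+"
    r"(?P<src>[\d.]+),\s+port\s+(?P<sport>\d+),\s+"
    r"(?P<dst>[\d.]+),\s+port\s+(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

# Constructed sample log with made-up addresses: 192.168.1.2 plays the WAN
# side of firewall2; 192.168.3.x and 192.168.5.x are subnets that don't exist.
SAMPLE_LOG = """\
21:32:54.043272 LAN, 192.168.1.2, port 4414, 192.168.3.17, port 139 TCP
21:32:54.041741 LAN, 192.168.1.2, port 4413, 192.168.3.17, port 139 TCP
21:32:42.042040 LAN, 192.168.1.2, port 4414, 192.168.5.9, port 139 TCP
21:32:42.040943 LAN, 192.168.1.2, port 4413, 192.168.5.9, port 139 TCP
21:32:36.045239 LAN, 192.168.1.2, port 4414, 192.168.3.17, port 139 TCP
21:32:33.051771 LAN, 192.168.10.5, port 51234, 203.0.113.8, port 443 TCP
21:32:30.000000 LAN, 192.168.10.7, port 4415, 192.168.10.9, port 139 TCP
Oct 17 21:32:29 fw1 syslog: this line is not in the expected format
"""


def parse_line(line):
    """Return the parsed fields as a dict (ports as ints), or None if the
    line does not match the assumed layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_unused_private(addr_text):
    """True if the address is RFC 1918 space but in none of KNOWN_SUBNETS,
    i.e. a destination that should never show up in a healthy log."""
    addr = ipaddress.ip_address(addr_text)
    if not any(addr in net for net in RFC1918):
        return False
    return not any(addr in net for net in KNOWN_SUBNETS)


def find_suspects(log_text, port=139):
    """Group TCP hits on `port` aimed at non-existent private subnets by
    source.  Returns {src_ip: {dst_ip: hit_count}}; the source keys are the
    hosts to chase with a sniffer next."""
    suspects = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != port:
            continue
        if is_unused_private(rec["dst"]):
            suspects[rec["src"]][rec["dst"]] += 1
    return {src: dict(dsts) for src, dsts in suspects.items()}


def bpf_filter(suspects, port=139):
    """Build the tcpdump filter for the bridged-sniffer step: only the port
    in question, only from the sources the firewall log already implicated."""
    hosts = " or ".join(f"src host {src}" for src in sorted(suspects))
    if not hosts:
        return f"tcp dst port {port}"
    return f"tcp dst port {port} and ({hosts})"


if __name__ == "__main__":
    found = find_suspects(SAMPLE_LOG)
    for src, dsts in found.items():
        print(f"{src}: {sum(dsts.values())} hits to unused subnets -> {dsts}")
    print("next step: tcpdump -ni <bridge_if> '" + bpf_filter(found) + "'")
```

On the constructed sample this reports one source, 192.168.1.2, with five hits against two subnets that are not routed anywhere, and the 192.168.10.x to 192.168.10.x port 139 traffic is left alone because that subnet is real. The filter it prints is what you would hand to tcpdump on the bridged box so the capture shows only the traffic worth reading.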

phatboyz 10-19-2004 09:35 AM

The only thing I would do differently if I were you is use two different ranges. Like, you keep the address for firewall1 and have firewall2 on 10.0.0.x or something. That's the only thing that I would do.

The reason behind this is that if someone were to get inside your first LAN, they wouldn't know that you have a subnet unless they hacked the firewall itself to get the routes from it. On the first LAN I would put a small (low-MHz) box with Knoppix and have this server as sort of a honeypot.

cyph3r7 10-19-2004 12:12 PM

I didn't clarify that the DMZ is actually a completely separate NIC on firewall1. It is not sharing the address space between FW1 and FW2.

I kept the 192.168.1.x address space just for the communications between firewall1 and firewall2. The DMZ is addressed in the 10.x.x.x space. I wanted complete separation of the LAN and DMZ space. The internal LAN is 192.168.10.x. There won't be a honeypot, but there will be a NIDS/IPS in bridged mode between the DMZ port on firewall1 and the switch that the DMZ servers will be plugged into. That system will be FreeBSD w/ Bro IDS and the Snort signatures added.

cyph3r7 10-19-2004 12:16 PM

Final: it was a false alarm. It seems at some point in my "playing around" on that box I had installed and configured Samba. Looks like Samba had a bad broadcast route and was screaming over 139 to subnets that didn't exist anymore.

Welp, at least people who aren't familiar with these situations may hopefully learn a little about tracking down offending or compromised systems.

Upside - My firewalls and logging are doing their job.
