
Re: [suse-security] Martian addresses attempts



On Monday 13 September 2004 11.27, Andy Bennett wrote:
> I have a network of Windows PCs which has all of a sudden started to run
> incredibly slowly, the PCs sometimes simply can't log on at all.
>
> When I run the 'iptraf' programme it appears that traffic is trying to get
> to ip addresses that simply aren't on the local network. The local network
> is 192.168.2. and all addresses should be in this range. Here is an example
> of a few log entries.
>
> 48 bytes; from 192.168.2.27:2190 to 192.168.91.211:445; first packet (SYN)
> 48 bytes; from 192.168.2.27:2191 to 192.168.172.38:445; first packet (SYN)
> 48 bytes; from 192.168.2.27:2192 to 192.168.168.5:445; first packet (SYN)
> 48 bytes; from 192.168.2.27:2193 to 192.168.51.177:445; first packet (SYN)
> 48 bytes; from 192.168.2.27:2194 to 192.168.250.226:445; first packet (SYN)
> 48 bytes; from 192.168.2.27:2195 to 192.168.23.69:445; first packet (SYN)
>
> Anyone got any idea what could be causing this?
>
> Regards
> Andy

Looks like an infected computer to me.
All attempts go from the machine with .27 as node and are trying to kick random
boxes in the Microsoft-DS port.

Find the machine with the 192.168.2.27 address and shut it down.
Then check the traffic again.


-- 
         /Rikard

------------------------------------------------------------------------------------
Rikard Johnels          email   : rikjoh@xxxxxxxxx
                        Web     : http://www.rikjoh.com
                        Mob     : +46 735 05 51 01

------------------------ Public PGP fingerprint ----------------------------
< 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78  46 1C EE 56 >
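
Added example, not part of the original messages: a small Python check that applies the reasoning in the reply to iptraf-style log lines, flagging any local host that sends first-packet SYNs on port 445 to many distinct addresses outside the local network. The function name `find_scanners`, the /24 reading of "192.168.2.", the threshold of 5 targets and the two 192.168.2.14 lines are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the six lines quoted in the post, plus two constructed
# lines of ordinary in-subnet traffic (192.168.2.14) for contrast.
SAMPLE_LOG = """\
48 bytes; from 192.168.2.27:2190 to 192.168.91.211:445; first packet (SYN)
48 bytes; from 192.168.2.27:2191 to 192.168.172.38:445; first packet (SYN)
48 bytes; from 192.168.2.27:2192 to 192.168.168.5:445; first packet (SYN)
48 bytes; from 192.168.2.27:2193 to 192.168.51.177:445; first packet (SYN)
48 bytes; from 192.168.2.27:2194 to 192.168.250.226:445; first packet (SYN)
48 bytes; from 192.168.2.27:2195 to 192.168.23.69:445; first packet (SYN)
48 bytes; from 192.168.2.14:1045 to 192.168.2.1:445; first packet (SYN)
48 bytes; from 192.168.2.14:1046 to 192.168.2.1:139; first packet (SYN)
"""

# Matches the connection-start lines in the format shown in the post.
LINE_RE = re.compile(
    r"from (?P<src>[\d.]+):\d+ to (?P<dst>[\d.]+):(?P<dport>\d+); "
    r"first packet \(SYN\)"
)

def find_scanners(log_text, local_net="192.168.2.0/24", port=445, min_targets=5):
    """Return {source: sorted off-subnet destinations} for local hosts that sent
    SYNs on `port` to at least `min_targets` distinct addresses outside local_net."""
    net = ipaddress.ip_network(local_net)  # assumed /24 for "192.168.2."
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dport"]) != port:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address in the log line
        # Only local sources reaching for addresses that are not on the LAN.
        if src in net and dst not in net:
            targets[str(src)].add(dst)
    return {
        src: [str(d) for d in sorted(dsts)]
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }

if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(dsts)} off-subnet SYNs to port 445 -> {', '.join(dsts)}")
```
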
