Interesting traffic problem

tiffini
12-29-2006, 08:58 AM
Hi,

I have noticed some interesting traffic coming from one of my PCs and then to one of my PCs.
First a little background.
I have a BEFSR41 router with SNMP :-) So I can log traffic going into my little network using WallWatcher and OpManager.

I have one XP machine I leave on a lot.
I notice that it is sending UDP outbound from L-port 137 to R-port 137. Then in a relatively short amount of time I see an inbound request from a different IP to ports 1026, 1027, and 1028, from a different IP than the 137 was sent from.

I have Norton's running, and Ad-Aware and Spybot don't show anything.

The addresses seem to come from anywhere: China, Hong Kong, even the US and Canada.

Any ideas of what this is?

Log Snips:
-------------

alert_audit435.txt:20:54:06:542 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 20:54:06 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 221.6.163.50:137
alert_audit435.txt-
alert_audit435.txt-20:54:45:033 ALERTAUDIT: System Clear: Tue Dec 26 20:54:44 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 202.97.238.132:32957 to WANIP:1026
alert_audit435.txt-
alert_audit435.txt-20:55:43:724 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 20:55:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.159.205:19437 to WANIP:1027
alert_audit435.txt-
alert_audit435.txt-20:55:43:836 ALERTAUDIT: System Clear: Tue Dec 26 20:55:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.159.205:19437 to WANIP:1028
alert_audit435.txt-

Log Snips:
-------------

alert_audit435.txt:22:01:00:913 ALERTAUDIT: System Clear: Tue Dec 26 22:01:00 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 24.64.19.74:137
alert_audit435.txt-
alert_audit435.txt-22:01:42:516 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:01:42 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.191.3.147:25931 to WANIP:1026
alert_audit435.txt-
alert_audit435.txt-22:02:43:193 ALERTAUDIT: System Clear: Tue Dec 26 22:02:42 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.255.139:16957 to WANIP:1027
alert_audit435.txt-
alert_audit435.txt-22:02:43:213 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:02:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.255.139:16957 to WANIP:1028
alert_audit435.txt-

Log Snips:
-------------

alert_audit436.txt:22:36:32:840 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:36:32 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 204.16.209.30:137
alert_audit436.txt-
alert_audit436.txt-22:38:33:569 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:38:33 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.252.244:10501 to WANIP:1026
alert_audit436.txt-
alert_audit436.txt-22:38:33:686 ALERTAUDIT: System Clear: Tue Dec 26 22:38:33 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.252.244:10501 to WANIP:1027
alert_audit436.txt-
alert_audit436.txt-22:38:33:694 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:38:33 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.252.244:10501 to WANIP:1027
alert_audit436.txt-
alert_audit436.txt-22:38:33:697 ALERTAUDIT: System Clear: Tue Dec 26 22:38:33 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.252.244:10501 to WANIP:1028
alert_audit436.txt-

Log Snips:
-------------

alert_audit436.txt:22:45:48:878 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:45:48 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 24.64.5.208:137
alert_audit436.txt-
alert_audit436.txt-22:51:51:654 ALERTAUDIT: System Clear: Tue Dec 26 22:51:51 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 204.16.208.76:37844 to WANIP:1026
alert_audit436.txt-
alert_audit436.txt-22:51:51:661 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 22:51:51 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 204.16.208.76:37844 to WANIP:1026
alert_audit436.txt-
alert_audit436.txt-22:51:51:769 ALERTAUDIT: System Clear: Tue Dec 26 22:51:51 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 204.16.208.76:37844 to WANIP:1027
alert_audit436.txt-

Grant
12-29-2006, 07:59 PM
On Fri, 29 Dec 2006 03:58:52 -0600, tiffini <(E-Mail Removed)> wrote:

>... Then in a relatively short amount of time I see an inbound request from a different IP to ports 1026, 1027, and 1028, from a different IP than the 137 was sent from.


MS messenger spam, harmless, just ignore it, it will not go away

Grant.
--
http://bugsplatter.mine.nu/

Moe Trin
12-30-2006, 12:46 AM
On Fri, 29 Dec 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <08WdnVI28Ph-(E-Mail Removed)>, tiffini wrote:

>I have a befsr41 router with snmp :-) So I can log traffic going into
>my little network using wallwatcher and opmanager.


It gives you something to watch, I suppose. You'd actually learn a lot
more by using a packet sniffer, as most of this traffic is in plain ASCII
and quite readable.

>I have one XP machine I leave on a lot.


But you never looked at the traffic from a newly installed but isolated
windoze box. They chatter a lot, even before they get infected.

>I notice that it is sending UDP outbound from L-port 137 to R-port 137.


netbios-ns 137/tcp NETBIOS Name Service
netbios-ns 137/udp NETBIOS Name Service

>Then in a relatively short amount of time I see an inbound request from
>a different IP to ports 1026 ,1027, and 1028 from a different IP that
>the 137 was sent from.


That's why the packet sniffer would be useful. You'd see that the packets
contain faked windoze warning messages - telling you that your XP box has
discovered $RANDOM_NUMBER of problems with the registry, or some bunch of
bull droppings, and that you need to go to some spam site to get your
registry repaired. It's some spammer sending messenger spam. Blindingly
obvious clue: the web site has nothing to do with microsoft (who could
possibly care less if your windoze box gets 0wn3d). It's all part of
the benefits you get as a result of incompetent programming by the klowns
in Redmond.

>I have norton's running, and ad aware and spybot don't show anything.


Yes, the anti-malware stuff assumes you already know you've got windoze
installed. Why else would you be using their stuff?

>The addresses seem to come from anywhere China, hong kong, even the US
>and Canada.


Most of them are faked - UDP doesn't need a two way conversation to
deliver the windoze spam. Again, a packet sniffer would show more
interesting details in the headers of those packets. The supposed
source addresses are random numbers, which shows up as occasional
addresses that haven't even been allocated by IANA, much less one of
the five Regional Internet Registries (AFRINIC, APNIC, ARIN, LACNIC or
RIPE).

Block _ALL_ UDP coming in that is not responses from your ISP's name
servers (source port 53 to some high port that had just sent out a
request a second or so before). If you are getting DHCP service from
your ISP, you need UDP ports 68 OUTbound to 67, and the replies from
port 67 back to your 68. If you use a *nix version of traceroute (but
not the b0rken windoze imitation), then you need ports 33434 to about
33480 open. Otherwise you _probably_ don't need any UDP, and can just
drop it into the bit.bucket at your perimeter.

As for your port 137 traffic, it's only windoze trying to be helpful
and share everything with anyone. Microsoft figured you (or at least
somebody) might find it useful.

Old guy
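As an added example (not code from anyone in the thread), a small Python classifier that parses trap lines in the format tiffini posted and applies the rule Moe Trin gives: inbound UDP is legitimate only when it answers something the local side just sent, so the hits on 1026-1028 show up as unsolicited Messenger spam while a DNS reply to a recent query passes. The first three log lines are copied from the thread; the resolver 192.0.2.53 and query port 40123 are constructed.

```python
import re

# Trap lines in the WallWatcher/OpManager format quoted in the thread. The first three
# are copied from the post; the last two are constructed (192.0.2.53 is a made-up
# resolver) to show a legitimate DNS query and its reply for contrast.
SAMPLE_LOG = """\
20:54:06:542 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 20:54:06 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:137 to 221.6.163.50:137
20:54:45:033 ALERTAUDIT: System Clear: Tue Dec 26 20:54:44 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 202.97.238.132:32957 to WANIP:1026
20:55:43:724 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 20:55:43 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 24.64.159.205:19437 to WANIP:1027
20:56:10:001 ALERTAUDIT: Update: from Clear to Clear at Tue Dec 26 20:56:10 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @out UDP from 10.100.1.7:40123 to 192.0.2.53:53
20:56:10:087 ALERTAUDIT: System Clear: Tue Dec 26 20:56:10 CST 2006. Alert: 10.100.1.1_TrapsFromRouter_trap : Traffic .1.3.6.1.4.1.3955.1.1.0: @in UDP from 192.0.2.53:53 to WANIP:40123
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d):\d{3} .*@(?P<dir>in|out) (?P<proto>\w+) "
    r"from (?P<src>[\w.]+):(?P<sport>\d+) to (?P<dst>[\w.]+):(?P<dport>\d+)$"
)
MESSENGER_PORTS = {1026, 1027, 1028}  # the ports the popup spam hits in the posts


def parse(log_text):
    """Turn trap lines into (seconds-of-day, dir, proto, src, sport, dst, dport)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            h, mi, s = (int(x) for x in m["ts"].split(":"))
            events.append((h * 3600 + mi * 60 + s, m["dir"], m["proto"], m["src"],
                           int(m["sport"]), m["dst"], int(m["dport"])))
    return events


def classify(events, window=120):
    """Label inbound UDP by whether the local side solicited it within `window` seconds."""
    last_out = {}   # (remote ip, local port) -> time of our last datagram to it
    findings = []
    for t, direction, proto, src, sport, dst, dport in events:
        if proto != "UDP":
            continue
        if direction == "out":
            last_out[(dst, sport)] = t
            continue
        solicited = t - last_out.get((src, dport), float("-inf")) <= window
        if dport in MESSENGER_PORTS and not solicited:
            label = "messenger-spam"       # nothing on our side asked this host anything
        elif sport == 53 and solicited:
            label = "dns-reply"            # answer to a query we sent within the window
        elif solicited:
            label = "reply"
        else:
            label = "unsolicited-udp"      # the kind of UDP to drop at the perimeter
        findings.append((src, dport, label))
    return findings
```

Note that the outbound port-137 query never matches anything: the spam arrives from addresses the XP box never talked to, which is exactly what marks it as unsolicited.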

Michael Heiming
12-31-2006, 11:48 AM
In comp.os.linux.networking tiffini <(E-Mail Removed)>:
> Hi,


> I have noticed some interesting traffic coming from one of my
> pc's and then to one of my pc's. First a little background. I
> have a befsr41 router with snmp :-) So I can log traffic going
> into my little network using wallwatcher and opmanager.


> I have one XP machine I leave on a lot.


Disconnect any doze box from the internet and problems are
solved. Wonder what this has to do with Linux and networking?

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 338: old inkjet cartridges emanate barium-based
fumes