weird packet sends to various services

I'm trying to find out why every morning from 2am to 3:45am some machine on our LAN is sending consistent data to a machine on our DMZ. I'm looking through our router's logs (IPCop distro), and in the process found something odd I don't understand. We have several WinXP machines, and the packets they sent yesterday all seem legit... except for this block listed below:

    From 192.168.0.11 - 9 packets
      To 100.100.100.102 - 9 packets
        Service: ne****cher-mon (tcp-3203) (NEW not SYN?,eth0,eth2) - 3 packets
        Service: neon24x7 (tcp-3213) (NEW not SYN?,eth0,eth2) - 3 packets
        Service: isi-irp (tcp-3226) (NEW not SYN?,eth0,eth2) - 3 packets
    From 192.168.0.13 - 11 packets
      To 38.113.212.207 - 1 packet
        Service: http (tcp-80) (NEW not SYN?,eth0,eth2) - 1 packet
      To 38.113.212.226 - 1 packet
        Service: http (tcp-80) (NEW not SYN?,eth0,eth2) - 1 packet
      To 38.113.212.239 - 1 packet
        Service: http (tcp-80) (NEW not SYN?,eth0,eth2) - 1 packet
      To 38.113.212.243 - 1 packet
        Service: http (tcp-80) (NEW not SYN?,eth0,eth2) - 1 packet
      To 209.8.50.38 - 7 packets
        Service: http (tcp-80) (NEW not SYN?,eth0,eth2) - 7 packets
    From 192.168.0.14 - 266 packets
      To 100.100.100.102 - 266 packets
        Service: tl1-lv (tcp-3081) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: pcihreq (tcp-3085) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: ptk-alink (tcp-3089) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: rapidmq-center (tcp-3093) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: 3097 (tcp-3097) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: hp-pxpib (tcp-3101) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: cardbox (tcp-3105) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: personnel (tcp-3109) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: cs-auth-svr (tcp-3113) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: mctet-jserv (tcp-3117) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: 3121 (tcp-3121) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: a13-an (tcp-3125) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: netport-id (tcp-3129) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: prism-deploy (tcp-3133) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: jpegmpeg (tcp-3155) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: navegaweb-port (tcp-3159) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: spandataport (tcp-3193) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: embrace-dp-s (tcp-3197) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: unite (tcp-3217) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: esp-lm (tcp-3383) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: hotu-chat (tcp-3449) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: gbs-stp (tcp-3484) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: ibm3494 (tcp-3494) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: dashpas-port (tcp-3498) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: interactionweb (tcp-3508) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: ecmport (tcp-3524) (NEW not SYN?,eth0,eth2) - 2 packets
        Service: urld-port (tcp-3534) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: ibm-diradm (tcp-3538) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: hacl-monitor (tcp-3542) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: 3546 (tcp-3546) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: ssmpp (tcp-3550) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: emprise-lls (tcp-3585) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: comcam-io (tcp-3605) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: cpdi-pidas-cm (tcp-3609) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: alaris-disc (tcp-3613) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: sharp-server (tcp-3617) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: ep-nsp (tcp-3621) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: volley (tcp-3625) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: escvpnet (tcp-3629) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: wacp (tcp-3633) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: scservp (tcp-3637) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: netplay-port2 (tcp-3641) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: cyc (tcp-3645) (NEW not SYN?,eth0,eth2) - 6 packets
        Service: nmmp (tcp-3649) (NEW not SYN?,eth0,eth2) - 6 packets

192.168.0.11 and 192.168.0.14 are sending packets to a "reserved" IP. 192.168.0.11 is odd, but 192.168.0.14 is sending 6 packets apiece through services that it really shouldn't be!

I know that 100.100.100.102 IP is a reserved IP, but when I ping it on any machine, it actually resolves! To our upstream ISP. Weird, but I guess not suspicious.

I did a spyware and virus check on 192.168.0.14 but it didn't come up with anything. I did a search for that IP address to see if it's commonly connected to some trojan or something, nothing.

Can someone give me an idea where to go from here in checking out what may be going on with 192.168.0.14? I'd appreciate any direction!

-Liam
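One way to triage a summary in the format quoted above, added here as an example and not part of the original post: it parses the From/To/Service entries and flags source-destination pairs that touch many distinct ports, reporting a constant port stride when there is one. The sample is an excerpt of the quoted log; the function names and the `min_ports` threshold are assumptions.

```python
import re
from collections import defaultdict

# Excerpt of the summary quoted in the post (subset of entries, same format).
SAMPLE = """
From 192.168.0.13 - 11 packets
  To 209.8.50.38 - 7 packets
    Service: http (tcp-80) (NEW not SYN?,eth0,eth2) - 7 packets
From 192.168.0.14 - 266 packets
  To 100.100.100.102 - 266 packets
    Service: tl1-lv (tcp-3081) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: pcihreq (tcp-3085) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: ptk-alink (tcp-3089) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: rapidmq-center (tcp-3093) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: 3097 (tcp-3097) (NEW not SYN?,eth0,eth2) - 6 packets
"""

# One token is either a From/To header or a Service entry.
TOKEN = re.compile(
    r"(?P<kind>From|To) (?P<ip>\d+(?:\.\d+){3}) - \d+ packets?"
    r"|Service: \S+ \((?:tcp|udp)-(?P<port>\d+)\) \([^)]*\) - (?P<n>\d+) packets?"
)

def parse_summary(text):
    """Return {(src, dst): {port: packets}}; works on wrapped or flattened text."""
    flows, src, dst = defaultdict(dict), None, None
    for m in TOKEN.finditer(text):
        if m["kind"] == "From":
            src, dst = m["ip"], None
        elif m["kind"] == "To":
            dst = m["ip"]
        elif src and dst:
            flows[(src, dst)][int(m["port"])] = int(m["n"])
    return dict(flows)

def triage(flows, min_ports=4):
    """Flag src->dst pairs hitting many distinct ports; note a fixed port stride."""
    flagged = []
    for (src, dst), ports in flows.items():
        if len(ports) < min_ports:
            continue
        p = sorted(ports)
        steps = {b - a for a, b in zip(p, p[1:])}
        flagged.append({"src": src, "dst": dst, "ports": len(p),
                        "packets": sum(ports.values()),
                        "stride": steps.pop() if len(steps) == 1 else None})
    return sorted(flagged, key=lambda f: -f["ports"])

if __name__ == "__main__":
    for f in triage(parse_summary(SAMPLE)):
        print(f)
```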