Interesting network traffic, any ideas?

Discussion in 'OT Technology' started by Keyzs, May 24, 2005.

  1. Keyzs

    Keyzs OT Supporter

    Joined:
    Nov 3, 2003
    Messages:
    814
    Likes Received:
    0
    Location:
    Charlotte, MI
    I am doing some packet sniffing trying to figure out a network issue and I am getting a very large number of the following packets

    Code:
    No.    Time        Source                Destination           Protocol Info
       1335 23.703679   10.1.10.224           10.1.255.255          NBNS     Name query NB WWW.ZONEAGE.NET<00>
    
    0000  ff ff ff ff ff ff 00 40 ca 12 45 f3 08 00 45 00   .......@..E...E.
    0010  00 4e 66 79 00 00 80 11 b5 44 0a 01 0a e0 0a 01   .Nfy.....D......
    0020  ff ff 00 89 00 89 00 3a 83 02 a6 00 01 10 00 01   .......:........
    0030  00 00 00 00 00 00 20 46 48 46 48 46 48 43 4f 46   ...... FHFHFHCOF
    0040  4b 45 50 45 4f 45 46 45 42 45 48 45 46 43 4f 45   KEPEOEFEBEHEFCOE
    0050  4f 45 46 46 45 41 41 00 00 20 00 01               OEFFEAA.. ..
    
    The source IP addresses are all over the subnet. I show it even coming from HP printers, cisco switches, cisco WAP's etc...

    Any thoughts?
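The packet in the dump above can be decoded by hand, and doing so shows why the question section reads `FHFHFHCOF...`: NetBIOS names are sent with RFC 1001 "first-level encoding", where each byte of the 16-byte name becomes two letters in the range A..P, one per nibble. The following is an added example, not code from this thread: a Python script that walks the raw frame from the hex dump (Ethernet II, IPv4, UDP, then the NBNS header and question), reverses the name encoding, and tallies which source MAC/IP pairs broadcast a query for a given name, which is the practical question of which hosts are doing this. The frame bytes are copied from the dump; the second frame with a different source MAC and IP is a constructed variant used only to show the tally, and the checksums are not verified.

```python
"""Decode an NBNS (NetBIOS Name Service, UDP/137) name query broadcast from a
raw Ethernet frame and tally which hosts are sending it."""
import struct
from collections import Counter

# Frame bytes as typed in the hex dump above (offsets and ASCII column stripped).
FRAME_HEX = (
    "ff ff ff ff ff ff 00 40 ca 12 45 f3 08 00 45 00"
    " 00 4e 66 79 00 00 80 11 b5 44 0a 01 0a e0 0a 01"
    " ff ff 00 89 00 89 00 3a 83 02 a6 00 01 10 00 01"
    " 00 00 00 00 00 00 20 46 48 46 48 46 48 43 4f 46"
    " 4b 45 50 45 4f 45 46 45 42 45 48 45 46 43 4f 45"
    " 4f 45 46 46 45 41 41 00 00 20 00 01"
)
FRAME = bytes.fromhex(FRAME_HEX)
# Constructed variant: same query from a second (made-up) host, to exercise the tally.
OTHER_FRAME = (FRAME[:6] + bytes.fromhex("0011223344aa") + FRAME[12:26]
               + bytes([10, 1, 10, 57]) + FRAME[30:])

NBNS_PORT = 137
QTYPE_NB = 0x0020  # NetBIOS general name service record type


def decode_first_level(encoded: str) -> bytes:
    """Reverse first-level encoding: 'F','H' -> 0x57 ('W'), two letters per byte."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a 32-character first-level encoded NetBIOS name")
    out = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        out.append(((ord(hi) - 65) << 4) | (ord(lo) - 65))
    return bytes(out)


def decode_nbns_frame(frame: bytes) -> dict:
    """Parse Ethernet -> IPv4 -> UDP -> NBNS header and the first question."""
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ip[9] != 17:
        raise ValueError("not UDP")
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    udp = ip[ihl:]
    sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if dport != NBNS_PORT:
        raise ValueError("not NBNS")
    nb = udp[8:ulen]
    tid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", nb[:12])
    # RFC 1002 header flags: R(1) OPCODE(4) AA TC RD RA 0 0 B RCODE(4)
    is_response = bool(flags & 0x8000)
    opcode = (flags >> 11) & 0x0F
    broadcast = bool(flags & 0x0010)
    # Question: one label (length byte 0x20, 32 encoded chars), 0x00, then type/class
    pos = 12
    label_len = nb[pos]
    pos += 1
    label = nb[pos:pos + label_len].decode("ascii")
    pos += label_len
    if nb[pos] != 0:
        raise ValueError("scoped (multi-label) NetBIOS name not handled here")
    pos += 1
    qtype, qclass = struct.unpack("!HH", nb[pos:pos + 4])
    raw = decode_first_level(label)   # 15 name bytes + 1 suffix byte
    return {
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "src_ip": src_ip, "dst_ip": dst_ip, "sport": sport, "dport": dport,
        "transaction_id": tid, "opcode": opcode, "is_response": is_response,
        "broadcast": broadcast, "questions": qdcount,
        "name": raw[:15].rstrip(b" ").decode("ascii", "replace"),
        "suffix": raw[15], "qtype": qtype, "qclass": qclass,
    }


def tally_queriers(frames, wanted_name: str) -> Counter:
    """Count NBNS queries for wanted_name per (source MAC, source IP); non-NBNS
    frames and responses are skipped."""
    counts = Counter()
    for frame in frames:
        try:
            q = decode_nbns_frame(frame)
        except ValueError:
            continue
        if q["is_response"] or q["name"] != wanted_name:
            continue
        counts[(q["src_mac"], q["src_ip"])] += 1
    return counts


if __name__ == "__main__":
    q = decode_nbns_frame(FRAME)
    print(f"{q['src_ip']} ({q['src_mac']}) -> {q['dst_ip']} NBNS query for "
          f"{q['name']!r} suffix <{q['suffix']:02x}> broadcast={q['broadcast']}")
    for (mac, ip), n in tally_queriers([FRAME, FRAME, OTHER_FRAME], q["name"]).items():
        print(f"{n:4d}  {mac}  {ip}")
```

Run against a real capture, the tally is the thing to sort by: a handful of hosts with hundreds of queries each points at the software that wants this name, while a broad spread of one or two queries per host is what normal fallback resolution looks like.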
     
  2. Peyomp

    Peyomp New Member

    Joined:
    Jan 11, 2002
    Messages:
    14,017
    Likes Received:
    0
    Worm is changing host's IP and spamming to shit.
     
  3. Keyzs

    Keyzs OT Supporter

    Joined:
    Nov 3, 2003
    Messages:
    814
    Likes Received:
    0
    Location:
    Charlotte, MI
    Worm agreed...

    They are not spamming anyone since it's all internal traffic. I am not even seeing the traffic at the border devices or the public DNS servers. And all the IP addresses are legitimate devices on the network...
     
  4. Peyomp

    Peyomp New Member

    Joined:
    Jan 11, 2002
    Messages:
    14,017
    Likes Received:
    0
    Looks like a worm on one machine is trying to get the IP of that website to report on internal machine IPs to me, and is changing its IP to those of known hosts. I dunno. Just guessing. I don't think that host resolves, so the NS request isn't leading to additional external traffic. That packet is DNS, right?

    What I would do is check for excessive ARP requests, when machines take their IPs back. Actually, if the worm is changing its IP there will be lots of ARP broadcasts from one MAC address. Sniff ARP. Disconnect sections of the network, and see if it still persists. After hours obviously.

    It is possible for a worm to write raw packets claiming to be another IP, and most ARP implementations won't scream and say, "Hey, that IP was MINE!" So you might want to write a perl script that looks for one MAC spitting out a lot of IP traffic with unique IPs.

    I haven't been into networks for a long time, so slap me if this is all outdated.
     
    Last edited: May 25, 2005
  5. SLED

    SLED build an idiot proof device and someone else will

    Joined:
    Sep 20, 2001
    Messages:
    28,118
    Likes Received:
    0
    Location:
    AZ, like a bauce!
    Uh, that looks like NetBios stuff. It's probably just announcing itself or its "name and info" to the network. NBNS is NetBios Name Service, I believe. Not sure what the rest of the data in the packet is for. Probably an encoded message.
     
  6. SLED

    SLED build an idiot proof device and someone else will

    Joined:
    Sep 20, 2001
    Messages:
    28,118
    Likes Received:
    0
    Location:
    AZ, like a bauce!
    The reason it's coming from HP printers and shit is because you probably have them shared. I'm not sure why the cisco equipment would announce itself though.
     
  7. EvilSS

    EvilSS New Member

    Joined:
    Jun 11, 2003
    Messages:
    5,104
    Likes Received:
    0
    Location:
    STL
    It's a NetBios name query broadcast. It means you are using netbios and have your machines set as either B or M nodes.

    Shezz. Worm!? Tell me what you guys are smoking (and send me some!)
     
  8. Keyzs

    Keyzs OT Supporter

    Joined:
    Nov 3, 2003
    Messages:
    814
    Likes Received:
    0
    Location:
    Charlotte, MI
    The line "Name query NB WWW.ZONEAGE.NET" makes it an obvious NetBios name query, and the response is back to the broadcast IP. But trying to resolve a web domain with Netbios internally does not make sense unless it's a poorly written worm/virus etc...
     
  9. EvilSS

    EvilSS New Member

    Joined:
    Jun 11, 2003
    Messages:
    5,104
    Likes Received:
    0
    Location:
    STL
    Makes perfect sense actually. If Windows can't resolve the name with one method, it moves to the next in line. What order it goes in depends on how they are configured. Can't find it in WINS, look in DNS, not there, broadcast for it. If you check you are probably also seeing DNS queries for it. It's probably some dumb or mis-configured piece of software. Sniffing the DNS queries should narrow down who is actually asking for it.
     
  10. col_panic

    col_panic calm like a bomb Moderator

    Joined:
    Sep 19, 2003
    Messages:
    188,160
    Likes Received:
    0
    Location:
    winter haven, fl
    yah
     
  11. Peyomp

    Peyomp New Member

    Joined:
    Jan 11, 2002
    Messages:
    14,017
    Likes Received:
    0
    Yeah, I thought it was regular NS. He didn't list port numbers, and that's what I thought it was. I am indeed smoking cinnamon crack.
     
  12. Keyzs

    Keyzs OT Supporter

    Joined:
    Nov 3, 2003
    Messages:
    814
    Likes Received:
    0
    Location:
    Charlotte, MI
    I would think a worm would fit into the category of a "dumb or mis-configured piece of software."... My second guess, since the machines do not have direct internet access (proxied, no local DNS), is that it's spyware not detecting the proxy settings (personally I would call that a worm or virus). But I still have not found a way to figure out which of the 600 machines have it.

    There is no DNS traffic that matches this packet. Nor do I have ARP requests from the same devices.

    It's a Netbios name request (NBNS = NetBios Name Services). If you know networking, that tells you the port (137)...
     
  13. EvilSS

    EvilSS New Member

    Joined:
    Jun 11, 2003
    Messages:
    5,104
    Likes Received:
    0
    Location:
    STL
    What are you using for internal name resolution? You could create a fake entry for that host, point it to a machine, and sniff the link to that machine.

    That domain, btw, isn't even registered (it doesn't look like it ever was; there is no record of it in Google or the newsgroups (most virus/worm/spyware addresses would have been posted at some point), and there is no record of it on the Internet Archive's Wayback server).
     
  14. col_panic

    col_panic calm like a bomb Moderator

    Joined:
    Sep 19, 2003
    Messages:
    188,160
    Likes Received:
    0
    Location:
    winter haven, fl
    huh?

    Queried whois.enom.com with "ZONEAGE.NET"...

    Registration Service Provided By: Registerfly.com
    Contact: [email protected]
    Visit: http://www.RegisterFly.com

    Domain name: ZONEAGE.NET

    Registrant Contact:
    NONE
    Patrick Peeters ([email protected])
    0436040925
    Fax: none
    mariamunster 29
    Berg, Limburg 6325 CR
    US

    Administrative Contact:
    NONE
    Patrick Peeters ([email protected])
    0436040925
    Fax: none
    mariamunster 29
    Berg, Limburg 6325 CR
    US

    Technical Contact:
    NONE
    Patrick Peeters ([email protected])
    0436040925
    Fax: none
    mariamunster 29
    Berg, Limburg 6325 CR
    US

    Billing Contact:
    NONE
    Patrick Peeters ([email protected])
    0436040925
    Fax: none
    mariamunster 29
    Berg, Limburg 6325 CR
    US

    Status: Locked

    Name Servers:
    dns1.name-services.com
    dns2.name-services.com
    dns3.name-services.com
    dns4.name-services.com
    dns5.name-services.com

    Creation date: 31 Mar 2005 11:01:59
    Expiration date: 31 Mar 2006 11:01:59

    The data in this whois database is provided to you for information
    purposes only, that is, to assist you in obtaining information about or
    related to a domain name registration record. We make this information
    available "as is," and do not guarantee its accuracy. By submitting a
    whois query, you agree that you will use this data only for lawful
    purposes and that, under no circumstances will you use this data to: (1)
    enable high volume, automated, electronic processes that stress or load
    this whois database system providing you this information; or (2) allow,
    enable, or otherwise support the transmission of mass unsolicited,
    commercial advertising or solicitations via direct mail, electronic
    mail, or by telephone. The compilation, repackaging, dissemination or
    other use of this data is expressly prohibited without prior written
    consent from us. The registrar of record is eNom. We reserve the right
    to modify these terms at any time. By submitting this query, you agree
    to abide by these terms.
    Version 6.3 4/3/2002

    Network Whois record

    Queried whois.arin.net with "70.84.252.218"...

    OrgName: ThePlanet.com Internet Services, Inc.
    OrgID: TPCM
    Address: 1333 North Stemmons Freeway
    Address: Suite 110
    City: Dallas
    StateProv: TX
    PostalCode: 75207
    Country: US

    ReferralServer: rwhois://rwhois.theplanet.com:4321

    NetRange: 70.84.0.0 - 70.87.127.255
    CIDR: 70.84.0.0/15, 70.86.0.0/16, 70.87.0.0/17
    NetName: NETBLK-THEPLANET-BLK-13
    NetHandle: NET-70-84-0-0-1
    Parent: NET-70-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.THEPLANET.COM
    NameServer: NS2.THEPLANET.COM
    Comment:
    RegDate: 2004-07-29
    Updated: 2005-03-24

    TechHandle: PP46-ARIN
    TechName: Pathos, Peter
    TechPhone: +1-214-782-7800
    TechEmail: [email protected]

    OrgAbuseHandle: ABUSE271-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-214-782-7802
    OrgAbuseEmail: [email protected]

    OrgNOCHandle: TECHN33-ARIN
    OrgNOCName: Technical Support
    OrgNOCPhone: +1-214-782-7800
    OrgNOCEmail: [email protected]

    OrgTechHandle: TECHN33-ARIN
    OrgTechName: Technical Support
    OrgTechPhone: +1-214-782-7800
    OrgTechEmail: [email protected]

    # ARIN WHOIS database, last updated 2005-05-25 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    DNS records
    name class type data time to live
    zoneage.net IN A 70.84.252.218 1800s (00:30:00)
    zoneage.net IN SOA
    server: dns1.name-services.com
    email: info.name-services.com
    serial: 2002050701
    refresh: 10001
    retry: 1801
    expire: 604801
    minimum ttl: 181
    3600s (01:00:00)
    zoneage.net IN NS dns1.name-services.com 3600s (01:00:00)
    zoneage.net IN NS dns2.name-services.com 3600s (01:00:00)
    zoneage.net IN NS dns3.name-services.com 3600s (01:00:00)
    zoneage.net IN NS dns4.name-services.com 3600s (01:00:00)
    zoneage.net IN NS dns5.name-services.com 3600s (01:00:00)
    218.252.84.70.in-addr.arpa IN PTR 218.70-84-252.reverse.theplanet.com 86400s (1.00:00:00)

    -- end --
     
  15. EvilSS

    EvilSS New Member

    Joined:
    Jun 11, 2003
    Messages:
    5,104
    Likes Received:
    0
    Location:
    STL
    Huh indeed. I did a WHOIS lookup and it returned unregistered. Guess my choice of whois sucked.

    That changes my opinion then, probably some sort of adware. I still say put a honeypot machine that resolves to that address and see what machines are hitting it.
     
  16. Keyzs

    Keyzs OT Supporter

    Joined:
    Nov 3, 2003
    Messages:
    814
    Likes Received:
    0
    Location:
    Charlotte, MI

    I did the same lookups and searches and found nothing. But if you go to the site there is a response. So I dug farther and got the above info, which is great info, but does not help....

    Now the idea of taking over the lookup is great!!! (I wish I would have thought about it.) We use LMHOSTS (that I can mass change) for most servers and a WINS server (we have our reasons for not having a DNS server - ROB, when do you have some time?)
     
  17. Peyomp

    Peyomp New Member

    Joined:
    Jan 11, 2002
    Messages:
    14,017
    Likes Received:
    0
    Yeah, I didn't know what NBNS stood for, so I didn't know the port number. And I know enough about networking to keep Netbios the fuck off my network ;)
     
  18. Keyzs

    Keyzs OT Supporter

    Joined:
    Nov 3, 2003
    Messages:
    814
    Likes Received:
    0
    Location:
    Charlotte, MI

    We do not normally have much Netbios traffic, that's what brought up the alarm... But I cannot imagine a network with 500 PC's not having some NetBios floating around.
     
  19. Peyomp

    Peyomp New Member

    Joined:
    Jan 11, 2002
    Messages:
    14,017
    Likes Received:
    0
    Ahhh, grasshopper. You must look at new Win2k domains. That there MIT Kerberos encrypted, and DNS based.
     
  20. EvilSS

    EvilSS New Member

    Joined:
    Jun 11, 2003
    Messages:
    5,104
    Likes Received:
    0
    Location:
    STL
    Could be worse, it could be IPX!

    IPX:

    10 Broadcast to everyone to say hello
    20 Goto 10

    You can't totally get rid of it in a large network. Just trying to track down all the enabled PC's and devices would probably be more effort than it's worth.
     
  21. Rob

    Rob OT Supporter

    Joined:
    Jul 6, 2002
    Messages:
    88,612
    Likes Received:
    36
    Location:
    Atlanta, GA
    How about after next week?

    20 hours of classes + 20 hours of work has not been going well. That doesn't include travel, homework, reading, etc. :hs:
     
  22. Keyzs

    Keyzs OT Supporter

    Joined:
    Nov 3, 2003
    Messages:
    814
    Likes Received:
    0
    Location:
    Charlotte, MI
    We have that too...
     