[Dshield] Anyone seen

Daugherty Bryan daugherty at uamont.edu
Wed Feb 25 19:26:25 GMT 2004

Thanks Jon,


We do indeed have some hubs.  Just a few, but a few too many!  


Here is my real concern.


Original post:

Yesterday I began to see outbound traffic (using Packeteer) from these same
IP's using ports 135, 445 and 6129.


After inspection of the pc's involved I found sndman.exe running in task
manager (located in C:\windows\system32), 

multiple registry entries starting the process, and an entry in
C:\windows\prefetch.  I can stop the process, 

remove the registry entries and the prefetch entry and the outbound traffic
halts and the ARP broadcasts stop.  

The problem is that this is occurring on fully patched pc's with the most
current antivirus updates.  My 

antivirus scans don't detect a thing.  


I have sent this to my Anti-virus company and have not heard back.  I have
never seen this pattern of traffic from




-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf Of
Jon R. Kibler
Sent: Tuesday, February 24, 2004 5:00 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Anyone seen


Daugherty Bryan wrote:




> I started seeing ARP broadcast (from various IPs on my network) last week

> using ethereal.



ARP packets (and RARP packets) can only occur on your local Ethernet LAN
segment. They are not routable on the Internet. 


To communicate on Ethernet, systems do not actually directly use the IP
address of the destination system. Rather, they use the 48-bit Media Access
Control (MAC) address to determine the destination (with the destination
being an individual port on a NIC). ARP and RARP packets serve to translate
between IP and MAC addresses. An ARP request says "I need to know the MAC
address for IP x.x.x.x." and an RARP request says "My MAC address is
xx:xx:xx:xx:xx:xx -- who knows what my IP address should be?".


In the for-what-it-is-worth category, the BOOTP (Boot Protocol -- used for
remote booting) is a superset of RARP, and the DHCP protocol is a superset of
RARP but a subset of BOOTP.


So, bottom line, ARP packets just indicate that a system is wanting to
communicate with another system on your LAN with whom the ARP-ing system has
not previously communicated (or, at least not within the lifetime of its ARP


Also, the fact that you are seeing a lot of ARP packets is a MAJOR RED FLAG
of another problem -- you are using shared Ethernet -- which is a MAJOR
security risk. You really should replace all of your hubs with switches --
or, at least in the future, only buy switches. 


With a switch, the only traffic a given port can see is traffic specifically
to that port. That means that you can only see traffic to the IP address(es)
of that port, Multicast traffic, and Broadcast traffic. No more snooping on
everything else that occurs on the network!


Hope this helps!


Jon R. Kibler

Chief Technical Officer

A.S.E.T., Inc.

Charleston, SC  USA

(843) 849-8214






Filtered by: TRUSTEM.COM's Email Filtering Service


No Spam. No Viruses. Just Good Clean Email.


More information about the list mailing list