[Dshield] 169.254.14.0 Attacks other sites?

Scott Melnick smelnick at water.com
Fri Jan 7 01:57:55 GMT 2005


After reviewing my firewall logs, I have noticed some very strange activity.
I want to see if anyone else has seen this.

I am noticing that the address 169.254.14.0 (a failed Microsoft DHCP
address) and only this address is trying to send UDP port 137 packets to
many different Internet IP addresses. My firewall does not let it go out
because it's an invalid address on my internal network, but it's filling up
my log and will probably start clogging my WAN lines soon.

I hooked up a snort box on a span port before my firewall and captured some
packets (see below). I noticed that the MAC address is from my site-to-site
Frame Relay router. I go on the router and do a source-track on the IP and
see it coming from 18 of my sites.

I am thinking this is a virus/worm that is spoofing its address because:

1. If it were a machine that didn't receive a DHCP address, how did it make it
to the default gateway and hop over here to the central office?

2. It's coming from multiple sites and the invalid address happens to be
identical on every one.

3. It's targeting multiple systems on the Internet on UDP 137.

Here is a snip of the packet. Anyone have any ideas?

[**] 169 Detected [**]
01/06-20:21:26.153339 169.254.14.0:137 -> <internet ip here>:137
UDP TTL:127 TOS:0x0 ID:16430 IpLen:20 DgmLen:78 Len: 50
0x0000: 00 03 E3 E5 3B 52 00 0B 45 24 6D BC 08 00 45 00  ....;R..E$m...E.
0x0010: 00 4E 40 2E 00 00 7F 11 1B 0F A9 FE 0E 00 CE 87  .N@.............
0x0020: 59 DC 00 89 00 89 00 3A 4B 7D 94 4F 00 00 00 01  Y......:K}.O....
0x0030: 00 00 00 00 00 00 20 43 4B 41 41 41 41 41 41 41  ......CKAAAAAAA
0x0040: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0x0050: 41 41 41 41 41 41 41 00 00 21 00 01              AAAAAAA..!..

Thanks,

Scott Melnick

DS Waters

Security Engineer

smelnick at water.com <mailto:smelnick at water.com> 
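As an added worked example (not part of Scott's post or of any DShield tooling), the following Python decodes the snort hex dump above far enough to say what the packet actually is, and applies the egress rule a border device should enforce on it. The bytes are transcribed from the dump in the post; the parser walks Ethernet -> IPv4 -> UDP -> NetBIOS Name Service, verifies the IPv4 header checksum (the UDP checksum needs the pseudo-header and is left alone), undoes the NetBIOS first-level name encoding (the "CKAAAA..." string), and flags the 169.254.0.0/16 source as link-local, which is never a valid source on a WAN link. The function names are this example's own.

```python
import ipaddress
import struct

# Hex bytes transcribed from the snort dump in the post (offset and ASCII columns dropped).
PACKET_HEX = (
    "00 03 E3 E5 3B 52 00 0B 45 24 6D BC 08 00 45 00 "
    "00 4E 40 2E 00 00 7F 11 1B 0F A9 FE 0E 00 CE 87 "
    "59 DC 00 89 00 89 00 3A 4B 7D 94 4F 00 00 00 01 "
    "00 00 00 00 00 00 20 43 4B 41 41 41 41 41 41 41 "
    "41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 "
    "41 41 41 41 41 41 41 00 00 21 00 01"
)
PACKET = bytes.fromhex(PACKET_HEX)

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 / Windows APIPA range

# NBNS question types seen on UDP 137
NBNS_TYPES = {0x20: "NB (name query)", 0x21: "NBSTAT (node status query)"}


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header; 0 means the checksum verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_netbios_name(encoded: bytes) -> tuple:
    """Undo NetBIOS first-level encoding (RFC 1001): every byte of the 16-byte name is
    sent as two characters, 'A' + high nibble and 'A' + low nibble, giving 32 characters.
    Returns (name, suffix) where suffix is the 16th byte (the NetBIOS name type)."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded NetBIOS name must be 32 characters")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    name, suffix = raw[:15], raw[15]
    return name.rstrip(b"\x00").decode("ascii", errors="replace"), suffix


def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP -> NBNS and return the fields a responder cares about."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes (0x45 -> 20)
    ttl, proto = ip[8], ip[9]
    src = ipaddress.ip_address(ip[12:16])
    dst = ipaddress.ip_address(ip[16:20])
    if proto != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    payload = udp[8:ulen]             # snort's "Len: 50" is this payload length
    tid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    # NBNS question section at offset 12: length byte, encoded name, 0 terminator, type, class
    qlen = payload[12]
    encoded = payload[13:13 + qlen]
    qtype, qclass = struct.unpack("!HH", payload[14 + qlen:18 + qlen])
    name, suffix = decode_netbios_name(encoded)
    return {
        "src": str(src), "dst": str(dst), "ttl": ttl,
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "sport": sport, "dport": dport, "udp_payload_len": len(payload),
        "nbns_tid": tid, "nbns_flags": flags, "questions": qdcount,
        "query_name": name, "name_suffix": suffix,
        "query_type": NBNS_TYPES.get(qtype, hex(qtype)), "query_class": qclass,
        "src_is_link_local": src in LINK_LOCAL,
    }


def egress_verdict(fields: dict) -> str:
    """Policy a border router or firewall should apply: a link-local source address can
    only be the result of a broken DHCP client or a spoofed packet, so it never leaves."""
    if fields["src_is_link_local"]:
        return "drop: link-local (169.254/16) source address is never valid on the WAN"
    return "allow"


if __name__ == "__main__":
    decoded = parse_frame(PACKET)
    for key, value in decoded.items():
        print(f"{key:>18}: {value}")
    print("verdict:", egress_verdict(decoded))
```

Run against the dump, the packet decodes as a NetBIOS node status query (type 0x21) for the wildcard name "*", i.e. the generic "tell me your names" probe, with a valid IPv4 header checksum, sent from 169.254.14.0 to 137/udp. That combination, one bogus link-local source repeated across 18 sites and a wildcard NBSTAT probe toward many Internet hosts, is what makes the worm hypothesis in the post plausible, and the egress check is the cheap mitigation: filter 169.254.0.0/16 as a source on every site router, not just at the central firewall, so the probes stop crossing the Frame Relay links and the per-site MAC/source-track on the router identifies the infected hosts.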
