[unisog] odd udp traffic

Christian Wyglendowski Christian.Wyglendowski at greenville.edu
Fri Jun 4 13:27:41 GMT 2004


Russell,

When you get a chance, I would suggest running TCPView
(http://www.sysinternals.com/ntw2k/source/tcpview.shtml) on the system
in question.  It will show you TCP/UDP details per process and maybe
help you track down the culprit.  I always keep a copy of TCPView handy
to see what machines are up to, network-wise.

HTH,

Christian

Christian Wyglendowski
Network Administrator
Greenville College
618-664-7073
 

> -----Original Message-----
> From: unisog-bounces at lists.sans.org 
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Russell Fulton
> Sent: Friday, June 04, 2004 2:34 AM
> To: unisog at lists.sans.org
> Subject: [unisog] odd udp traffic
> 
> Hi All,
> 	There is one machine on our network that keeps 
> triggering some of my monitoring alarms.  The machine runs 
> windows 2000.
> 
> Here is an example of the observed traffic:
> 
> Start_Time          Type  SrcAddr.Sport          Dir  DstAddr.Dport          SrcPkt  DstPkt  SrcBytes  DstBytes  State
> 04 Jun 04 10:59:08  udp   130.216.xxx.yyy.15859  <->  65.223.84.154.2092     1       1       128       63        ACC
> 04 Jun 04 10:59:38  udp   130.216.xxx.yyy.15859  <->  66.235.181.59.10384    1       1       88        59        ACC
> 04 Jun 04 11:00:07  udp   130.216.xxx.yyy.15859  <->  158.143.116.118.3511   1       1       128       77        ACC
> 04 Jun 04 11:00:38  udp   130.216.xxx.yyy.15859  <->  128.104.180.87.48867   2       2       256       153       CON
> 04 Jun 04 11:01:08  udp   130.216.xxx.yyy.15859  <->  212.202.2.130.16928    2       2       276       154       CON
> 04 Jun 04 11:01:25  udp   130.216.xxx.yyy.15859  <->  24.98.117.171.34731    1       1       149       76        ACC
> 04 Jun 04 11:01:38  udp   130.216.xxx.yyy.15859  <->  64.246.49.61.10200     1       1       135       63        ACC
> 04 Jun 04 11:02:08  udp   130.216.xxx.yyy.15859  <->  65.223.84.154.2092     1       1       128       63        ACC
> 04 Jun 04 11:03:08  udp   130.216.xxx.yyy.15859  <->  158.143.116.118.3511   1       1       128       77        ACC
> 04 Jun 04 11:04:38  udp   130.216.xxx.yyy.15859  <->  24.98.117.171.34731    1       1       129       76        ACC
> 04 Jun 04 11:05:08  udp   130.216.xxx.yyy.15859  <->  212.202.2.130.16928    1       1       128       77        ACC
> 04 Jun 04 11:05:38  udp   130.216.xxx.yyy.15859  <->  128.104.180.87.48867   1       1       128       77        ACC
> 04 Jun 04 11:06:08  udp   130.216.xxx.yyy.15859  <->  69.240.40.251.48179    1       1       99        59        ACC
> 04 Jun 04 11:06:08  udp   130.216.xxx.yyy.15859  <->  64.246.49.61.10200     1       1       135       63        ACC
> 04 Jun 04 11:06:38  udp   130.216.xxx.yyy.15859  <->  158.143.116.118.3511   1       1       128       77        ACC
> 04 Jun 04 11:06:56  udp   130.216.xxx.yyy.15859  <->  143.89.46.207.45107    1       1       69        449       ACC
> 04 Jun 04 11:06:56  udp   130.216.xxx.yyy.15859  <->  65.34.133.49.38216     1       1       69        456       ACC
> 04 Jun 04 11:06:57  udp   130.216.xxx.yyy.15859  <->  24.131.138.151.35872   5       5       300       340       CON
> 04 Jun 04 11:06:57  udp   130.216.xxx.yyy.15859  <->  131.231.222.179.59818  5       5       300       340       CON
> 04 Jun 04 11:06:57  udp   130.216.xxx.yyy.15859  <->  82.35.20.102.10660     1       1       60        68        ACC
> 04 Jun 04 11:06:57  udp   130.216.xxx.yyy.15859  <->  144.131.35.175.40162   1       1       60        68        ACC
> 04 Jun 04 11:06:57  udp   130.216.xxx.yyy.15859  <->  129.241.175.237.39449  2       2       523       511       CON
> 04 Jun 04 11:06:59  udp   130.216.xxx.yyy.15859  <->  202.156.64.213.44788   1       1       84        458       ACC
> 04 Jun 04 11:06:59  udp   130.216.xxx.yyy.15859  <->  195.7.78.99.40750      1       1       84        458       ACC
> 04 Jun 04 11:07:08  udp   130.216.xxx.yyy.15859  <->  65.223.84.154.2092     1       1       128       63        ACC
> 
> over a period of an hour the machine swapped packets with 
> around 40 different IPs.  The *src* port number is always the 
> same and the dest varies but always seems to be above 1024.  
> Traffic is a constant trickle with no big flows being observed.
> 
> I have not had a look at the system myself, but the system 
> admin responsible for the system has been through it carefully 
> (it's his personal desktop ;) and can't find anything amiss.
> 
> I did capture some packets at one stage but the contents were 
> not in ascii so I gave up on that angle.  If anyone would 
> like a sample I'll get some next week as the machine is now 
> turned off and will in all likelihood stay off over the weekend.
> 
> Anyone have any ideas about what this is?
> 
> It looks like some sort of P2P system, or possibly spyware, 
> but neither show up on the system using the usual tools.  NAV 
> says the system is clean...
> 
> Cheers, Russell
> --
> Russell Fulton, Computer and Network Security Officer.
> The University of Auckland, New Zealand.
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
> 
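The profile Russell describes (one fixed UDP source port, many distinct peers over an hour, destination ports always above 1024, only a packet or two per peer) can be screened for automatically in flow records rather than spotted by eye. The following is an added example and is not part of either message on this page. It parses flow lines in the layout quoted above (assumed to be Argus ra-style output), groups UDP flows by source address and source port, and flags sources that fan out to many peers on ephemeral ports with small packets. The sample records are constructed with documentation-range addresses, and the thresholds (min_peers, min_high_frac, max_bytes_per_pkt) are arbitrary assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from statistics import mean

# Matches one record: timestamp, proto, src.sport, direction, dst.dport,
# src pkts, dst pkts, src bytes, dst bytes, state.  The greedy \S+ before
# the port backtracks to the LAST dot, so "a.b.c.d.PORT" splits correctly.
FLOW_RE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\.(?P<dport>\d+)\s+"
    r"(?P<spkts>\d+)\s+(?P<dpkts>\d+)\s+(?P<sbytes>\d+)\s+(?P<dbytes>\d+)\s+"
    r"(?P<state>\w+)$"
)

# Constructed sample (not real captures): one host showing the fixed-port
# fan-out pattern, one host doing ordinary DNS from varying source ports,
# and one TCP flow that must be ignored.
SAMPLE_FLOWS = """\
04 Jun 04 10:59:08    udp   10.0.0.5.15859 <-> 198.51.100.10.2092   1 1 128 63 ACC
04 Jun 04 10:59:38    udp   10.0.0.5.15859 <-> 198.51.100.11.10384  1 1 88 59 ACC
04 Jun 04 11:00:07    udp   10.0.0.5.15859 <-> 203.0.113.20.3511    1 1 128 77 ACC
04 Jun 04 11:00:38    udp   10.0.0.5.15859 <-> 203.0.113.21.48867   2 2 256 153 CON
04 Jun 04 11:01:08    udp   10.0.0.5.15859 <-> 192.0.2.30.16928     2 2 276 154 CON
04 Jun 04 11:01:25    udp   10.0.0.5.15859 <-> 192.0.2.31.34731     1 1 149 76 ACC
04 Jun 04 11:01:38    udp   10.0.0.5.15859 <-> 198.51.100.12.10200  1 1 135 63 ACC
04 Jun 04 11:02:08    udp   10.0.0.5.15859 <-> 198.51.100.10.2092   1 1 128 63 ACC
04 Jun 04 11:03:00    udp   10.0.0.7.1025 <-> 10.0.0.1.53            1 1 60 120 ACC
04 Jun 04 11:03:10    udp   10.0.0.7.1026 <-> 10.0.0.1.53            1 1 62 200 ACC
04 Jun 04 11:03:20    tcp   10.0.0.8.3345 <-> 198.51.100.50.80      10 12 1400 9000 FIN
"""


def parse_flows(text):
    """Parse flow lines into dicts; lines that do not match (headers,
    wrapped fragments) are skipped rather than raising."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "spkts", "dpkts", "sbytes", "dbytes"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def find_fixed_port_fanout(flows, min_peers=5, min_high_frac=0.8,
                           max_bytes_per_pkt=300):
    """Flag (src, sport) pairs whose UDP flows reach at least min_peers
    distinct destinations, mostly on ports > 1024, with small packets.
    Grouping by source port is the point: a host whose source port never
    changes across dozens of peers looks like a listening overlay node,
    not a client opening ephemeral ports per request."""
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "udp":
            by_src[(f["src"], f["sport"])].append(f)

    findings = []
    for (src, sport), fl in by_src.items():
        peers = {f["dst"] for f in fl}
        if len(peers) < min_peers:
            continue
        high_frac = sum(1 for f in fl if f["dport"] > 1024) / len(fl)
        bpp = mean((f["sbytes"] + f["dbytes"]) / (f["spkts"] + f["dpkts"])
                   for f in fl)
        if high_frac >= min_high_frac and bpp <= max_bytes_per_pkt:
            findings.append({
                "src": src, "sport": sport, "flows": len(fl),
                "peers": len(peers), "high_port_frac": high_frac,
                "bytes_per_pkt": bpp,
            })
    return findings


if __name__ == "__main__":
    for hit in find_fixed_port_fanout(parse_flows(SAMPLE_FLOWS)):
        print("%(src)s:%(sport)d -> %(peers)d peers, %(flows)d flows, "
              "%(high_port_frac).2f high-port, %(bytes_per_pkt).1f B/pkt" % hit)
```

Run against a real hour of flows, the same function would surface the host in the quoted table (25 flows, roughly 20 distinct peers, every destination port above 1024, around 100 bytes per packet), while the DNS client in the sample is ignored because each request uses a different source port and so never accumulates peers under one (src, sport) key. The hit is a lead to chase on the host with TCPView, as Christian suggests, not a verdict on what the software is.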