New ISP, new issues. While investigating why my connection goes brain dead every so often I saw some odd hits in the AT&T UVerse 2wire gateway's logs:
src=162.1.2.3 dst=192.168.0.108 ipprot=6 sport=61913 dport=445 Drop traffic to 192.168.0.0/16
The src IP is the WAN IP of my router (2wire is bridging, sort of.) and the destination is an unused private network range. Odd, I thought, that my Linksys was trying to connect to private ranges, and even odder that it was heading out the WAN interface towards the internet.
Firing up Wireshark I immediately saw a flood of packets to AND FROM that private range. I have no routes to that range, nothing in the arp tables, and from all I can tell that network just doesn't exist.
The connections were coming from the SYSTEM process as well, so not much more digging to be easily done there..
Enter: Reset cause: Go away, we're not home
My PC was making a query to two addresses in this private range and getting responses..rather troubling responses at that. The hardware address of the responses belonged to my Linksys router too.
38817 2315.479819 my.workstation.IP 192.168.0.100 TCP 66 61934 > microsoft-ds [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
38818 2315.479819 my.workstation.IP 192.168.0.100 TCP 66 61935 > netbios-ssn [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
38819 2315.482288 192.168.0.100 my.workstation.ip TCP 77 [TCP Retransmission] netbios-ssn > 61935 [RST, ACK] Seq=1 Ack=1 Win=0 Len=23
38820 2315.482291 192.168.0.100 my.workstation.ip TCP 77 [TCP Retransmission] microsoft-ds > 61934 [RST, ACK] Seq=1 Ack=1 Win=0 Len=23
The payload in the responses contained: "Go away, we're not home". A bit of googling led me to many hits related to the STORM virus. While that's very dated I still ran all of the standard scans, a few manual checks, investigation of a few drivers..Nothing found at all. That IP range in question was somewhat familiar, as it was my old private network before moving and switching things around.
Nearing defeat, I started a registry search for that IP address. Bingo. A pair of mapped printers with static IPs from my old network configuration. Removing them & restarting spooler cleared up all of those odd connections.
The root of that cryptic response seems to be how the AT&T UVerse 2Wire gateway responds to traffic it drops. The firewall on that device was dropping traffic to that subnet, and Go away, we're not home was how it was responding. If I had dropped a sniffer between that gateway and the Linksys I probably would have found it more quickly, but live and learn..
No comments:
Post a Comment