TCP Packet - Source:188.8.131.52,39341 Destination:192.168.1.1,25 - [DOS] TCP Packet - Source:184.108.40.206,3473 Destination:220.127.116.11,135 - [DOS] Thu, 2006-10-19 16:30:03 – UDP Packet - Source:192.168.1.111,1443 Destination:18.104.22.168,53 - [Any(ALL) match]
What is this?
If you want to get more information, I recommend that you configure a sniffer, such as the easy-to-use Wireshark tool. You can then sniff traffic on the internal interface of your router, and look for additional packets coming from 22.214.171.124 and 126.96.36.199. As another option, if you can get access to any of the 192.168 machines here (or any others for that matter), and they are Windows machines, you can run this command to get more details about what is going on:
C:> netstat –nao 1 | find "[IP_addr_of_other_side" | find "[port]"
The netstat command shows TCP and UDP ports that are in use. The –n means that we want numbers (not names) of ports and machines. The –a indicates our preference for all traffic. The –o means that we want the Process ID (PID) of the program using that port. The 1 will make this command run every second, again and again.
Then, the output is scraped for any indication of the IP address of the other side. Look for packets going to or from the ports in question, namely 25, 135, and 53. Let the command run for a little while, and see if and when one of the machines sends such a packet. When it does, look at the PID, and find it in Task Manager. If using Windows XP, 2003 or Vista, you can also use this command:
C:> wmic process list brief
Then, you'll know the process sending it, so you can check whether it is valid, and you can look over its configuration.
Dig Deeper on Network device security: Appliances, firewalls and switches
Related Q&A from Ed Skoudis
Learn how social networking sites compound the insider threat risk, and explore how to mitigate the threat with policy, training and technology. Continue Reading
By viewing a page's HTML source code and writing malicious scripts to a drop-down list, hackers may be able to re-post the malicous page to the ... Continue Reading
Password cracking may be a hacker's specialty, but there are also many strategies to keep passwords secure. Continue Reading