Hi Folks,
Just so no one else gets sucked into this the way I did: I noted some suspicious traffic on my firewall's log as I was working on resolving some connectivity issues to some resources that are supposed to be available (and were until we put in the new firewall appliance last week). This suspicious traffic turned into a major distraction.
What I was seeing was a whole bunch of little UDP packets going out to widely spaced servers: Netherlands, China, Sri Lanka, Italy, and so on--no apparent connection to anything. Looked like a botnet to me (I'd just read an article on how common they are [grr].) Certainly, nothing about it suggested this might be connected to Skype (which I don't mind having on the network, I just wish there had been some info to tell me how it would look from the point of view of network traffic logs!).
I traced the traffic back to a couple of Windows boxes (behind a simplistic NAT router so that took a bit of effort--no NAT table to look at). I then began checking to see what was what. Of course, you have to have specialized tools (at least as far as I know) to see what program has what port open in Windows (this was XP, in case that matters).
Long story short: many hours of wasted effort later--and running a whole bunch of useless (and unnecessary) rootkit detectors and so on, I finally found a tool that neatly shows what program has what ports open--well, well, %$#@! It was Skype--and that's apparently its normal behavior.
The tool that gave me the info I needed was from ESET (the antivirus folks):
This gives a nice overview of what's going on inside the opaqueness of Windows.
May this save someone some trouble!
John
John Craig
Alpha-G Consulting, LLC
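The host-side check the post spent hours looking for, as an added example that is not part of the original post or of any ESET tool: a PowerShell script that maps every UDP endpoint and TCP connection on a Windows machine to its owning process, and summarises how many distinct remote peers each process is talking to. It assumes Windows 8 / Server 2012 or newer (the NetTCPIP cmdlets `Get-NetUDPEndpoint` and `Get-NetTCPConnection` are not available on XP) and an elevated shell so process image paths are readable. The function names `Get-SocketOwner` and `Get-ProcessPeerSummary`, and the `-LocalPort` parameter, are this example's own.

```powershell
# Added example (not from the original post). Answers "which program has this port open?"
# from the host side, and flags processes with many distinct remote peers, which is the
# traffic shape that looked like a botnet in the post and is equally what a P2P client produces.
# Assumes Windows 8 / Server 2012+ (NetTCPIP module); run elevated to see process paths.

function Get-SocketOwner {
    [CmdletBinding()]
    param(
        # Optional filter: only report sockets whose local port is in this list
        # (for example, source ports lifted from a firewall log).
        [int[]] $LocalPort
    )

    # Build a PID -> process lookup once rather than calling Get-Process per socket.
    # Keys are cast to [int] because OwningProcess is a UInt32 and hashtable lookups
    # are type-sensitive for numeric keys.
    $byPid = @{}
    foreach ($p in Get-Process) { $byPid[[int]$p.Id] = $p }

    $rows = New-Object System.Collections.Generic.List[object]

    # UDP sockets are unconnected: the OS records only the local endpoint, so the remote
    # peer is visible only in a packet capture or the firewall log, not here.
    foreach ($u in Get-NetUDPEndpoint) {
        $p    = $byPid[[int]$u.OwningProcess]
        $name = if ($p) { $p.ProcessName } else { '<exited/unknown>' }
        $path = if ($p) { $p.Path } else { '' }
        $rows.Add([pscustomobject]@{
            Protocol   = 'UDP'
            LocalAddr  = $u.LocalAddress
            LocalPort  = [int]$u.LocalPort
            RemoteAddr = ''
            RemotePort = ''
            State      = ''
            PID        = [int]$u.OwningProcess
            Process    = $name
            Path       = $path
        })
    }

    foreach ($t in Get-NetTCPConnection) {
        $p    = $byPid[[int]$t.OwningProcess]
        $name = if ($p) { $p.ProcessName } else { '<exited/unknown>' }
        $path = if ($p) { $p.Path } else { '' }
        $rows.Add([pscustomobject]@{
            Protocol   = 'TCP'
            LocalAddr  = $t.LocalAddress
            LocalPort  = [int]$t.LocalPort
            RemoteAddr = $t.RemoteAddress
            RemotePort = [int]$t.RemotePort
            State      = $t.State
            PID        = [int]$t.OwningProcess
            Process    = $name
            Path       = $path
        })
    }

    if ($LocalPort) {
        $rows = $rows | Where-Object { $LocalPort -contains $_.LocalPort }
    }
    $rows | Sort-Object Process, Protocol, LocalPort
}

function Get-ProcessPeerSummary {
    # Count distinct remote addresses per process over established TCP connections.
    # A single process with dozens of unrelated peers is worth explaining before assuming
    # malware; the explanation may simply be a P2P application.
    Get-NetTCPConnection -State Established |
        Group-Object OwningProcess |
        ForEach-Object {
            $p = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
            [pscustomobject]@{
                PID           = [int]$_.Name
                Process       = if ($p) { $p.ProcessName } else { '<exited/unknown>' }
                Connections   = $_.Count
                DistinctPeers = @($_.Group.RemoteAddress | Sort-Object -Unique).Count
            }
        } |
        Sort-Object DistinctPeers -Descending
}

# Usage (constructed port numbers; substitute the ones seen in your own firewall log):
Get-SocketOwner | Format-Table -AutoSize
Get-SocketOwner -LocalPort 53, 1900 | Format-Table -AutoSize
Get-ProcessPeerSummary | Select-Object -First 10 | Format-Table -AutoSize
```

Because the firewall in the post sits upstream of a NAT router, the source ports it logs belong to the router, not to the Windows host, so the `-LocalPort` filter is only useful when the log is taken from the host's own side of the NAT; in the post's topology the process-to-peer summary is the more telling output.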